diff --git a/.github/workflows/ecdh.yml b/.github/workflows/ecdh.yml
index 438386e60..d2a3ca41c 100644
--- a/.github/workflows/ecdh.yml
+++ b/.github/workflows/ecdh.yml
@@ -47,7 +47,7 @@ jobs:
         if: ${{ matrix.bits == 64 }}
 
       - name: 🛠️ Setup Rust Nightly
-        run: rustup toolchain install nightly
+        run: rustup toolchain install nightly-2024-12-14
 
       - name: 🛠️ Setup Ubuntu x86
         if: ${{ matrix.bits == 32 &&  matrix.os == 'ubuntu-latest' }}
@@ -82,9 +82,10 @@ jobs:
       - name: 🔨 Build Release
         run: cargo build --verbose --release $RUST_TARGET_FLAG
 
+      # TODO: https://github.com/cryspen/libcrux/issues/717
       - name: 🏃🏻 Asan MacOS
         if: ${{ matrix.os == 'macos-latest' }}
-        run: RUSTDOCFLAGS=-Zsanitizer=address RUSTFLAGS=-Zsanitizer=address cargo +nightly test --release --target aarch64-apple-darwin
+        run: RUSTDOCFLAGS=-Zsanitizer=address RUSTFLAGS=-Zsanitizer=address cargo +nightly-2024-12-14 test --release --target aarch64-apple-darwin
 
       # - name: ⬆ Upload build
       #   uses: ./.github/actions/upload_artifacts
diff --git a/.github/workflows/kem.yml b/.github/workflows/kem.yml
index d4ada3cdf..a23ed54a5 100644
--- a/.github/workflows/kem.yml
+++ b/.github/workflows/kem.yml
@@ -47,7 +47,7 @@ jobs:
         if: ${{ matrix.bits == 64 }}
 
       - name: 🛠️ Setup Rust Nightly
-        run: rustup toolchain install nightly
+        run: rustup toolchain install nightly-2024-12-14
 
       - name: 🛠️ Setup Ubuntu x86
         if: ${{ matrix.bits == 32 &&  matrix.os == 'ubuntu-latest' }}
@@ -82,9 +82,10 @@ jobs:
       - name: 🔨 Build Release
         run: cargo build --verbose --release $RUST_TARGET_FLAG
 
+      # TODO: https://github.com/cryspen/libcrux/issues/717
       - name: 🏃🏻 Asan MacOS
         if: ${{ matrix.os == 'macos-latest' }}
-        run: RUSTDOCFLAGS=-Zsanitizer=address RUSTFLAGS=-Zsanitizer=address cargo +nightly test --release --target aarch64-apple-darwin
+        run: RUSTDOCFLAGS=-Zsanitizer=address RUSTFLAGS=-Zsanitizer=address cargo +nightly-2024-12-14 test --release --target aarch64-apple-darwin
 
       # - name: ⬆ Upload build
       #   uses: ./.github/actions/upload_artifacts
diff --git a/.github/workflows/mlkem.yml b/.github/workflows/mlkem.yml
index 039a850f4..71401c8eb 100644
--- a/.github/workflows/mlkem.yml
+++ b/.github/workflows/mlkem.yml
@@ -85,14 +85,14 @@ jobs:
       - name: 🔨 Build
         run: |
           rustc --print=cfg
-          cargo build --verbose $RUST_TARGET_FLAG --features pre-verification
+          cargo build --verbose $RUST_TARGET_FLAG
 
       - name: 🔨 Build Release
-        run: cargo build --verbose --release $RUST_TARGET_FLAG --features pre-verification
+        run: cargo build --verbose --release $RUST_TARGET_FLAG
 
       - name: 🏃🏻 Asan MacOS
         if: ${{ matrix.os == 'macos-latest' }}
-        run: RUSTDOCFLAGS=-Zsanitizer=address RUSTFLAGS=-Zsanitizer=address cargo +nightly test --release --target aarch64-apple-darwin --features pre-verification
+        run: RUSTDOCFLAGS=-Zsanitizer=address RUSTFLAGS=-Zsanitizer=address cargo +nightly test --release --target aarch64-apple-darwin
 
       # - name: ⬆ Upload build
       #   uses: ./.github/actions/upload_artifacts
@@ -135,27 +135,27 @@ jobs:
       - name: 🏃🏻‍♀️ Test
         run: |
           cargo clean
-          cargo test --verbose $RUST_TARGET_FLAG --features pre-verification
+          cargo test --verbose $RUST_TARGET_FLAG
 
       - name: 🏃🏻‍♀️ Test Release
         run: |
           cargo clean
-          cargo test --verbose --release $RUST_TARGET_FLAG --features pre-verification
+          cargo test --verbose --release $RUST_TARGET_FLAG
 
       - name: 🏃🏻‍♀️ Test Portable
         run: |
           cargo clean
-          LIBCRUX_DISABLE_SIMD128=1 LIBCRUX_DISABLE_SIMD256=1 cargo test --verbose $RUST_TARGET_FLAG --features pre-verification
+          LIBCRUX_DISABLE_SIMD128=1 LIBCRUX_DISABLE_SIMD256=1 cargo test --verbose $RUST_TARGET_FLAG
 
       - name: 🏃🏻‍♀️ Test Portable Release
         run: |
           cargo clean
-          LIBCRUX_DISABLE_SIMD128=1 LIBCRUX_DISABLE_SIMD256=1 cargo test --verbose --release $RUST_TARGET_FLAG --features pre-verification
+          LIBCRUX_DISABLE_SIMD128=1 LIBCRUX_DISABLE_SIMD256=1 cargo test --verbose --release $RUST_TARGET_FLAG
 
       - name: 🏃🏻‍♀️ Test Kyber
         run: |
           cargo clean
-          cargo test --features pre-verification,kyber --verbose $RUST_TARGET_FLAG
+          cargo test ,kyber --verbose $RUST_TARGET_FLAG
 
       - name: 🏃🏻‍♀️ Cargo Check Features
         if: ${{ matrix.bits == 64 }}
diff --git a/Cargo.lock b/Cargo.lock
new file mode 100644
index 000000000..c18135e0e
--- /dev/null
+++ b/Cargo.lock
@@ -0,0 +1,2109 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "aead"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
+dependencies = [
+ "crypto-common",
+ "generic-array",
+]
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "anes"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299"
+
+[[package]]
+name = "anstream"
+version = "0.6.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9"
+
+[[package]]
+name = "anstyle-parse"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125"
+dependencies = [
+ "anstyle",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "arbitrary"
+version = "1.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dde20b3d026af13f561bdd0f15edf01fc734f0dafcedbaf42bba506a9517f223"
+
+[[package]]
+name = "autocfg"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26"
+
+[[package]]
+name = "base16ct"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
+
+[[package]]
+name = "base64ct"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
+
+[[package]]
+name = "benchmarks"
+version = "0.0.2-beta.2"
+dependencies = [
+ "chacha20poly1305",
+ "criterion",
+ "curve25519-dalek",
+ "lib25519",
+ "libcrux",
+ "libcrux-kem",
+ "libcrux-ml-kem",
+ "libjade-sys",
+ "openssl",
+ "p256",
+ "pqcrypto-kyber",
+ "rand",
+ "rand_core",
+ "ring",
+ "sha2",
+ "sha3",
+ "x25519-dalek",
+ "x25519-dalek-ng",
+]
+
+[[package]]
+name = "bindgen"
+version = "0.71.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f58bf3d7db68cfbac37cfc485a8d711e87e064c3d0fe0435b92f7a407f9d6b3"
+dependencies = [
+ "bitflags",
+ "cexpr",
+ "clang-sys",
+ "itertools 0.12.1",
+ "log",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "rustc-hash",
+ "shlex",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "bitflags"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c"
+
+[[package]]
+name = "byteorder"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+
+[[package]]
+name = "cast"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
+
+[[package]]
+name = "cavp"
+version = "0.0.2-beta.2"
+dependencies = [
+ "hex",
+ "log",
+ "pretty_env_logger",
+]
+
+[[package]]
+name = "cc"
+version = "1.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9157bbaa6b165880c27a4293a474c91cdcf265cc68cc829bf10be0964a391caf"
+dependencies = [
+ "jobserver",
+ "libc",
+ "shlex",
+]
+
+[[package]]
+name = "cexpr"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
+dependencies = [
+ "nom",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "chacha20"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3613f74bd2eac03dad61bd53dbe620703d4371614fe0bc3b9f04dd36fe4e818"
+dependencies = [
+ "cfg-if",
+ "cipher",
+ "cpufeatures",
+]
+
+[[package]]
+name = "chacha20poly1305"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10cd79432192d1c0f4e1a0fef9527696cc039165d729fb41b3f4f4f354c2dc35"
+dependencies = [
+ "aead",
+ "chacha20",
+ "cipher",
+ "poly1305",
+ "zeroize",
+]
+
+[[package]]
+name = "ciborium"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42e69ffd6f0917f5c029256a24d0161db17cea3997d185db0d35926308770f0e"
+dependencies = [
+ "ciborium-io",
+ "ciborium-ll",
+ "serde",
+]
+
+[[package]]
+name = "ciborium-io"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05afea1e0a06c9be33d539b876f1ce3692f4afea2cb41f740e7743225ed1c757"
+
+[[package]]
+name = "ciborium-ll"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57663b653d948a338bfb3eeba9bb2fd5fcfaecb9e199e87e1eda4d9e8b240fd9"
+dependencies = [
+ "ciborium-io",
+ "half",
+]
+
+[[package]]
+name = "cipher"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
+dependencies = [
+ "crypto-common",
+ "inout",
+ "zeroize",
+]
+
+[[package]]
+name = "clang-sys"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
+dependencies = [
+ "glob",
+ "libc",
+ "libloading",
+]
+
+[[package]]
+name = "clap"
+version = "4.5.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3135e7ec2ef7b10c6ed8950f0f792ed96ee093fa088608f1c76e569722700c84"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.5.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30582fc632330df2bd26877bde0c1f4470d57c582bbc070376afcd04d8cb4838"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ac6a0c7b1a9e9a5186361f67dfa1b88213572f427fb9ab038efb2bd8c582dab"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "clap_lex"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"
+
+[[package]]
+name = "classic-mceliece-rust"
+version = "2.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45ce62f72a15a9071f83c5084bdf0af4e8cbf31431e79eb4a5509a2f7fe7fe5d"
+dependencies = [
+ "rand",
+ "sha3",
+ "zeroize",
+]
+
+[[package]]
+name = "colorchoice"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
+
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16b80225097f2e5ae4e7179dd2266824648f3e2f49d9134d584b76389d31c4c3"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "criterion"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2b12d017a929603d80db1831cd3a24082f8137ce19c69e6447f54f5fc8d692f"
+dependencies = [
+ "anes",
+ "cast",
+ "ciborium",
+ "clap",
+ "criterion-plot",
+ "is-terminal",
+ "itertools 0.10.5",
+ "num-traits",
+ "once_cell",
+ "oorandom",
+ "plotters",
+ "rayon",
+ "regex",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "tinytemplate",
+ "walkdir",
+]
+
+[[package]]
+name = "criterion-plot"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6b50826342786a51a89e2da3a28f1c32b06e387201bc2d19791f622c673706b1"
+dependencies = [
+ "cast",
+ "itertools 0.10.5",
+]
+
+[[package]]
+name = "crossbeam-deque"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "613f8cc01fe9cf1a3eb3d7f488fd2fa8388403e97039e2f73692932e291a770d"
+dependencies = [
+ "crossbeam-epoch",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-epoch"
+version = "0.9.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
+
+[[package]]
+name = "crunchy"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
+
+[[package]]
+name = "crypto-bigint"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
+dependencies = [
+ "generic-array",
+ "rand_core",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "crypto-common"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+dependencies = [
+ "generic-array",
+ "rand_core",
+ "typenum",
+]
+
+[[package]]
+name = "curve25519-dalek"
+version = "4.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "curve25519-dalek-derive",
+ "fiat-crypto",
+ "rustc_version",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "curve25519-dalek-derive"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "curve25519-dalek-ng"
+version = "4.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1c359b7249347e46fb28804470d071c921156ad62b3eef5d34e2ba867533dec8"
+dependencies = [
+ "byteorder",
+ "digest 0.9.0",
+ "rand_core",
+ "subtle-ng",
+ "zeroize",
+]
+
+[[package]]
+name = "data-encoding"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8566979429cf69b49a5c740c60791108e86440e8be149bbea4fe54d2c32d6e2"
+
+[[package]]
+name = "der"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
+dependencies = [
+ "const-oid",
+ "pem-rfc7468",
+ "zeroize",
+]
+
+[[package]]
+name = "digest"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "const-oid",
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
+[[package]]
+name = "ecdsa"
+version = "0.16.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
+dependencies = [
+ "der",
+ "digest 0.10.7",
+ "elliptic-curve",
+ "rfc6979",
+ "signature",
+ "spki",
+]
+
+[[package]]
+name = "either"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0"
+
+[[package]]
+name = "elliptic-curve"
+version = "0.13.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
+dependencies = [
+ "base16ct",
+ "crypto-bigint",
+ "digest 0.10.7",
+ "ff",
+ "generic-array",
+ "group",
+ "hkdf",
+ "pem-rfc7468",
+ "pkcs8",
+ "rand_core",
+ "sec1",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "env_logger"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a19187fea3ac7e84da7dacf48de0c45d63c6a76f9490dae389aead16c243fce3"
+dependencies = [
+ "log",
+ "regex",
+]
+
+[[package]]
+name = "env_logger"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4cd405aab171cb85d6735e5c8d9db038c17d3ca007a4d2c25f337935c3d90580"
+dependencies = [
+ "humantime",
+ "is-terminal",
+ "log",
+ "regex",
+ "termcolor",
+]
+
+[[package]]
+name = "ff"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
+dependencies = [
+ "rand_core",
+ "subtle",
+]
+
+[[package]]
+name = "fiat-crypto"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
+
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+ "zeroize",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "wasi",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "glob"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+
+[[package]]
+name = "group"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+dependencies = [
+ "ff",
+ "rand_core",
+ "subtle",
+]
+
+[[package]]
+name = "half"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6dd08c532ae367adf81c312a4580bc67f1d0fe8bc9c460520283f4c0ff277888"
+dependencies = [
+ "cfg-if",
+ "crunchy",
+]
+
+[[package]]
+name = "hax-lib"
+version = "0.1.0-rc.1"
+source = "git+https://github.com/hacspec/hax/#62f7bfabe31ac2dcdbda867e3879b49b080fd292"
+dependencies = [
+ "hax-lib-macros",
+ "num-bigint",
+ "num-traits",
+]
+
+[[package]]
+name = "hax-lib-macros"
+version = "0.1.0-rc.1"
+source = "git+https://github.com/hacspec/hax/#62f7bfabe31ac2dcdbda867e3879b49b080fd292"
+dependencies = [
+ "hax-lib-macros-types",
+ "paste",
+ "proc-macro-error",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "hax-lib-macros-types"
+version = "0.1.0-rc.1"
+source = "git+https://github.com/hacspec/hax/#62f7bfabe31ac2dcdbda867e3879b49b080fd292"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_json",
+ "uuid",
+]
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "hermit-abi"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "hkdf"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
+dependencies = [
+ "hmac",
+]
+
+[[package]]
+name = "hmac"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+dependencies = [
+ "digest 0.10.7",
+]
+
+[[package]]
+name = "humantime"
+version = "2.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
+
+[[package]]
+name = "inout"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "is-terminal"
+version = "0.4.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "261f68e344040fbd0edea105bef17c66edf46f984ddb1115b775ce31be948f4b"
+dependencies = [
+ "hermit-abi",
+ "libc",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
+
+[[package]]
+name = "itertools"
+version = "0.10.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itertools"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
+
+[[package]]
+name = "jobserver"
+version = "0.1.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "js-sys"
+version = "0.3.76"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6717b6b5b077764fb5966237269cb3c64edddde4b14ce42647430a78ced9e7b7"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "keccak"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc2af9a1119c51f12a14607e783cb977bde58bc069ff0c3da1095e635d70654"
+dependencies = [
+ "cpufeatures",
+]
+
+[[package]]
+name = "lib25519"
+version = "0.0.2-beta.2"
+dependencies = [
+ "bindgen",
+ "cc",
+ "libc",
+ "pkg-config",
+]
+
+[[package]]
+name = "libc"
+version = "0.2.168"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5aaeb2981e0606ca11d79718f8bb01164f1d6ed75080182d3abf017e6d244b6d"
+
+[[package]]
+name = "libcrux"
+version = "0.0.2-beta.2"
+dependencies = [
+ "clap",
+ "getrandom",
+ "hax-lib",
+ "hex",
+ "libcrux",
+ "libcrux-ecdh",
+ "libcrux-ed25519",
+ "libcrux-hacl",
+ "libcrux-hacl-rs",
+ "libcrux-hkdf",
+ "libcrux-hmac",
+ "libcrux-kem",
+ "libcrux-ml-kem",
+ "libcrux-platform",
+ "libcrux-sha2",
+ "libcrux-traits",
+ "log",
+ "pretty_env_logger",
+ "quickcheck",
+ "quickcheck_macros",
+ "rand",
+ "rand_core",
+ "serde",
+ "serde_json",
+ "wasm-bindgen",
+ "wasm-bindgen-test",
+ "wycheproof",
+]
+
+[[package]]
+name = "libcrux-curve25519"
+version = "0.0.2-beta.2"
+dependencies = [
+ "libcrux-hacl-rs",
+ "libcrux-macros",
+ "libcrux-sha2",
+]
+
+[[package]]
+name = "libcrux-ecdh"
+version = "0.0.2-beta.2"
+dependencies = [
+ "hex",
+ "libcrux-curve25519",
+ "libcrux-hacl",
+ "pretty_env_logger",
+ "rand",
+ "rand_core",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "libcrux-ed25519"
+version = "0.0.2-beta.2"
+dependencies = [
+ "libcrux-hacl-rs",
+ "libcrux-macros",
+ "libcrux-sha2",
+]
+
+[[package]]
+name = "libcrux-fuzz"
+version = "0.0.0"
+dependencies = [
+ "libcrux",
+ "libfuzzer-sys",
+ "rand",
+]
+
+[[package]]
+name = "libcrux-hacl"
+version = "0.0.2-beta.2"
+dependencies = [
+ "bindgen",
+ "cc",
+ "hex",
+ "libcrux-platform",
+ "wasm-bindgen-test",
+]
+
+[[package]]
+name = "libcrux-hacl-rs"
+version = "0.0.2-beta.2"
+dependencies = [
+ "libcrux-macros",
+]
+
+[[package]]
+name = "libcrux-hkdf"
+version = "0.0.2-beta.2"
+dependencies = [
+ "libcrux-hacl-rs",
+ "libcrux-hmac",
+]
+
+[[package]]
+name = "libcrux-hmac"
+version = "0.0.2-beta.2"
+dependencies = [
+ "libcrux-hacl-rs",
+ "libcrux-macros",
+ "libcrux-sha2",
+]
+
+[[package]]
+name = "libcrux-intrinsics"
+version = "0.0.2-beta.2"
+dependencies = [
+ "hax-lib",
+]
+
+[[package]]
+name = "libcrux-kem"
+version = "0.0.2-beta.2"
+dependencies = [
+ "hex",
+ "libcrux-ecdh",
+ "libcrux-kem",
+ "libcrux-ml-kem",
+ "libcrux-sha3",
+ "rand",
+]
+
+[[package]]
+name = "libcrux-macros"
+version = "0.0.2-beta.2"
+
+[[package]]
+name = "libcrux-ml-dsa"
+version = "0.0.2-beta.2"
+dependencies = [
+ "criterion",
+ "hax-lib",
+ "hex",
+ "libcrux-intrinsics",
+ "libcrux-platform",
+ "libcrux-sha3",
+ "pqcrypto-dilithium",
+ "rand",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "libcrux-ml-kem"
+version = "0.0.2-beta.2"
+dependencies = [
+ "criterion",
+ "hax-lib",
+ "hex",
+ "libcrux-intrinsics",
+ "libcrux-platform",
+ "libcrux-sha3",
+ "rand",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "libcrux-ml-kem-fuzz"
+version = "0.0.0"
+dependencies = [
+ "libcrux-ml-kem",
+ "libfuzzer-sys",
+]
+
+[[package]]
+name = "libcrux-platform"
+version = "0.0.2-beta.2"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "libcrux-pqclean"
+version = "0.0.2-beta.2"
+dependencies = [
+ "bindgen",
+ "cc",
+ "fs_extra",
+]
+
+[[package]]
+name = "libcrux-psq"
+version = "0.0.2-beta.2"
+dependencies = [
+ "classic-mceliece-rust",
+ "criterion",
+ "libcrux",
+ "libcrux-ecdh",
+ "libcrux-hkdf",
+ "libcrux-hmac",
+ "libcrux-kem",
+ "rand",
+]
+
+[[package]]
+name = "libcrux-sha2"
+version = "0.0.2-beta.2"
+dependencies = [
+ "libcrux-hacl-rs",
+ "libcrux-macros",
+ "libcrux-traits",
+]
+
+[[package]]
+name = "libcrux-sha3"
+version = "0.0.2-beta.2"
+dependencies = [
+ "cavp",
+ "criterion",
+ "hax-lib",
+ "hex",
+ "libcrux-intrinsics",
+ "libcrux-platform",
+ "pretty_env_logger",
+ "rand",
+]
+
+[[package]]
+name = "libcrux-traits"
+version = "0.0.2-beta.2"
+
+[[package]]
+name = "libfuzzer-sys"
+version = "0.4.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b9569d2f74e257076d8c6bfa73fb505b46b851e51ddaecc825944aa3bed17fa"
+dependencies = [
+ "arbitrary",
+ "cc",
+]
+
+[[package]]
+name = "libjade-sys"
+version = "0.0.2-beta.2"
+dependencies = [
+ "bindgen",
+ "cc",
+ "libcrux-platform",
+ "pretty_env_logger",
+]
+
+[[package]]
+name = "libloading"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
+dependencies = [
+ "cfg-if",
+ "windows-targets",
+]
+
+[[package]]
+name = "log"
+version = "0.4.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
+
+[[package]]
+name = "memchr"
+version = "2.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
+
+[[package]]
+name = "minicov"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f27fe9f1cc3c22e1687f9446c2083c4c5fc7f0bcf1c7a86bdbded14985895b4b"
+dependencies = [
+ "cc",
+ "walkdir",
+]
+
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
+[[package]]
+name = "nom"
+version = "7.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-integer"
+version = "0.1.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775"
+
+[[package]]
+name = "oorandom"
+version = "11.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b410bbe7e14ab526a0e86877eb47c6996a2bd7746f027ba551028c925390e4e9"
+
+[[package]]
+name = "opaque-debug"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
+
+[[package]]
+name = "openssl"
+version = "0.10.68"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "openssl-sys"
+version = "0.9.104"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "p256"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2",
+]
+
+[[package]]
+name = "paste"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
+
+[[package]]
+name = "pem-rfc7468"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+dependencies = [
+ "base64ct",
+]
+
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der",
+ "spki",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2"
+
+[[package]]
+name = "plotters"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5aeb6f403d7a4911efb1e33402027fc44f29b5bf6def3effcc22d7bb75f2b747"
+dependencies = [
+ "num-traits",
+ "plotters-backend",
+ "plotters-svg",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "plotters-backend"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df42e13c12958a16b3f7f4386b9ab1f3e7933914ecea48da7139435263a4172a"
+
+[[package]]
+name = "plotters-svg"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51bae2ac328883f7acdfea3d66a7c35751187f870bc81f94563733a154d7a670"
+dependencies = [
+ "plotters-backend",
+]
+
+[[package]]
+name = "poly1305"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf"
+dependencies = [
+ "cpufeatures",
+ "opaque-debug",
+ "universal-hash",
+]
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04"
+dependencies = [
+ "zerocopy",
+]
+
+[[package]]
+name = "pqcrypto-dilithium"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "685de0fa68c6786559d5fcdaa414f0cd68ef3f5d162f61823bd7424cd276726f"
+dependencies = [
+ "cc",
+ "glob",
+ "libc",
+ "pqcrypto-internals",
+ "pqcrypto-traits",
+]
+
+[[package]]
+name = "pqcrypto-internals"
+version = "0.2.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62cd8ebf02b43967cda06e6a3f54d0bd9659459c3003d16aeedd07b44c6db06c"
+dependencies = [
+ "cc",
+ "dunce",
+ "getrandom",
+ "libc",
+]
+
+[[package]]
+name = "pqcrypto-kyber"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15c00293cf898859d0c771455388054fd69ab712263c73fdc7f287a39b1ba000"
+dependencies = [
+ "cc",
+ "glob",
+ "libc",
+ "pqcrypto-internals",
+ "pqcrypto-traits",
+]
+
+[[package]]
+name = "pqcrypto-traits"
+version = "0.3.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94e851c7654eed9e68d7d27164c454961a616cf8c203d500607ef22c737b51bb"
+
+[[package]]
+name = "pretty_env_logger"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "865724d4dbe39d9f3dd3b52b88d859d66bcb2d6a0acfd5ea68a65fb66d4bdc1c"
+dependencies = [
+ "env_logger 0.10.2",
+ "log",
+]
+
+[[package]]
+name = "prettyplease"
+version = "0.2.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64d1ec885c64d0457d564db4ec299b2dae3f9c02808b8ad9c3a089c591b18033"
+dependencies = [
+ "proc-macro2",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "primeorder"
+version = "0.13.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
+dependencies = [
+ "elliptic-curve",
+]
+
+[[package]]
+name = "proc-macro-error"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
+dependencies = [
+ "proc-macro-error-attr",
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+ "version_check",
+]
+
+[[package]]
+name = "proc-macro-error-attr"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "version_check",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.92"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quickcheck"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6"
+dependencies = [
+ "env_logger 0.8.4",
+ "log",
+ "rand",
+]
+
+[[package]]
+name = "quickcheck_macros"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b22a693222d716a9587786f37ac3f6b4faedb5b80c23914e7303ff5a1d8016e9"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom",
+]
+
+[[package]]
+name = "rayon"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b418a60154510ca1a002a752ca9714984e21e4241e804d32555251faf8b78ffa"
+dependencies = [
+ "either",
+ "rayon-core",
+]
+
+[[package]]
+name = "rayon-core"
+version = "1.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1465873a3dfdaa8ae7cb14b4383657caab0b3e8a0aa9ae8e04b044854c8dfce2"
+dependencies = [
+ "crossbeam-deque",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "regex"
+version = "1.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
+
+[[package]]
+name = "rfc6979"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
+dependencies = [
+ "hmac",
+ "subtle",
+]
+
+[[package]]
+name = "ring"
+version = "0.17.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom",
+ "libc",
+ "spin",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "rustc-hash"
+version = "2.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7fb8039b3032c191086b10f11f319a6e99e1e82889c5cc6046f515c9db1d497"
+
+[[package]]
+name = "rustc_version"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
+dependencies = [
+ "semver",
+]
+
+[[package]]
+name = "ryu"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
+
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "scoped-tls"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e1cf6437eb19a8f4a6cc0f7dca544973b0b78843adbfeb3683d1a94a0024a294"
+
+[[package]]
+name = "sec1"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
+dependencies = [
+ "base16ct",
+ "der",
+ "generic-array",
+ "pkcs8",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "semver"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3cb6eb87a131f756572d7fb904f6e7b68633f09cca868c5df1c4b8d1a694bbba"
+
+[[package]]
+name = "serde"
+version = "1.0.216"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b9781016e935a97e8beecf0c933758c97a5520d32930e460142b4cd80c6338e"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.216"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "46f859dbbf73865c6627ed570e78961cd3ac92407a2d117204c49232485da55e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.133"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7fceb2473b9166b2294ef05efcb65a3db80803f0b03ef86a5fc88a2b85ee377"
+dependencies = [
+ "itoa",
+ "memchr",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.10.7",
+]
+
+[[package]]
+name = "sha3"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75872d278a8f37ef87fa0ddbda7802605cb18344497949862c0d4dcb291eba60"
+dependencies = [
+ "digest 0.10.7",
+ "keccak",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "signature"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+dependencies = [
+ "digest 0.10.7",
+ "rand_core",
+]
+
+[[package]]
+name = "spin"
+version = "0.9.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+
+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+dependencies = [
+ "base64ct",
+ "der",
+]
+
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
+[[package]]
+name = "subtle-ng"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "734676eb262c623cec13c3155096e08d1f8f29adce39ba17948b18dad1e54142"
+
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.90"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "termcolor"
+version = "1.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06794f8f6c5c898b3275aebefa6b8a1cb24cd2c6c79397ab15774837a0bc5755"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "tinytemplate"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be4d6b5f19ff7664e8c98d03e2139cb510db9b0a60b55f8e8709b689d939b6bc"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "typenum"
+version = "1.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83"
+
+[[package]]
+name = "universal-hash"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea"
+dependencies = [
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
+[[package]]
+name = "uuid"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8c5f0a0af699448548ad1a2fbf920fb4bee257eae39953ba95cb84891a0446a"
+dependencies = [
+ "getrandom",
+]
+
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
+[[package]]
+name = "wasi"
+version = "0.11.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a474f6281d1d70c17ae7aa6a613c87fce69a127e2624002df63dcb39d6cf6396"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79"
+dependencies = [
+ "bumpalo",
+ "log",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.49"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38176d9b44ea84e9184eff0bc34cc167ed044f816accfe5922e54d84cf48eca2"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "once_cell",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2cc6181fd9a7492eef6fef1f33961e3695e4579b9872a6f7c83aee556666d4fe"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30d7a95b763d3c45903ed6c81f156801839e5ee968bb07e534c44df0fcd330c2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "943aab3fdaaa029a6e0271b35ea10b72b943135afe9bffca82384098ad0e06a6"
+
+[[package]]
+name = "wasm-bindgen-test"
+version = "0.3.49"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c61d44563646eb934577f2772656c7ad5e9c90fac78aa8013d776fcdaf24625d"
+dependencies = [
+ "js-sys",
+ "minicov",
+ "scoped-tls",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "wasm-bindgen-test-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-test-macro"
+version = "0.3.49"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "54171416ce73aa0b9c377b51cc3cb542becee1cd678204812e8392e5b0e4a031"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "web-sys"
+version = "0.3.76"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04dd7223427d52553d3702c004d3b2fe07c148165faa56313cb00211e31c12bc"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "winapi-util"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc",
+ "windows_i686_gnu",
+ "windows_i686_gnullvm",
+ "windows_i686_msvc",
+ "windows_x86_64_gnu",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+
+[[package]]
+name = "wycheproof"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "efb3be19abfb206c6adcbdf2007b09b0e8ca1f6530db40c03b42ce8ed4719894"
+dependencies = [
+ "data-encoding",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "x25519-dalek"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277"
+dependencies = [
+ "curve25519-dalek",
+ "rand_core",
+ "serde",
+ "zeroize",
+]
+
+[[package]]
+name = "x25519-dalek-ng"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf7074de8999662970c3c4c8f7f30925028dd8f4ca31ad4c055efa9cdf2ec326"
+dependencies = [
+ "curve25519-dalek-ng",
+ "rand",
+ "rand_core",
+ "zeroize",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.7.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0"
+dependencies = [
+ "byteorder",
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.7.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "zeroize"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+dependencies = [
+ "zeroize_derive",
+]
+
+[[package]]
+name = "zeroize_derive"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
diff --git a/Cargo.toml b/Cargo.toml
index 153cf07a2..750c788db 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -84,12 +84,7 @@ log = { version = "0.4", optional = true }
 # WASM API
 wasm-bindgen = { version = "0.2.87", optional = true }
 getrandom = { version = "0.2", features = ["js"], optional = true }
-
-# When using the hax toolchain, we have more dependencies.
-# This is only required when doing proofs.
-[target.'cfg(hax)'.dependencies]
-hax-lib-macros = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax", branch = "main" }
-hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", branch = "main" }
+hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }
 
 [dev-dependencies]
 libcrux = { path = ".", features = ["rand", "tests"] }
diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst b/fstar-helpers/fstar-bitvec/BitVec.Equality.fst
new file mode 100644
index 000000000..5e21832c7
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/BitVec.Equality.fst
@@ -0,0 +1,48 @@
+module BitVec.Equality
+
+open Core
+open Rust_primitives
+open FStar.Mul
+open FStar.FunctionalExtensionality
+
+private let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f
+
+let rec bv_equality'' #n (bv1 bv2: bit_vec n)
+  : r: bool {r <==> feq bv1 bv2}
+  = if n = 0 then true 
+    else let n' = n - 1 in
+         if bv1 n' = bv2 n'
+         then 
+           (
+           let bv1' = mk_bv (fun i -> bv1 i) in
+           let bv2' = mk_bv (fun i -> bv2 i) in
+           if bv_equality'' #n' bv1' bv2'
+           then (
+             assert (forall (x: nat{x < n'}). bv1' x == bv1 x);
+             assert (forall (x: nat{x < n'}). bv2' x == bv2 x);
+             true
+           )
+           else false
+           )
+         else false
+
+let bv_equality' #n (bv1 bv2: bit_vec n)
+  : r: bool {r <==> bv1 == bv2}
+  = extensionality _ _ bv1 bv2;
+    bv_equality'' bv1 bv2
+
+
+let bv_equality #n (bv1 bv2: bit_vec n) = bv_equality' bv1 bv2
+
+let bv_equality_elim #n (bv1 bv2: bit_vec n)
+  : Lemma (requires bv_equality bv1 bv2)
+          (ensures  bv1 == bv2)
+  = ()
+let bv_equality_intro #n (bv1 bv2: bit_vec n)
+  : Lemma (requires bv1 == bv2)
+          (ensures  bv_equality bv1 bv2)
+  = ()
+
+let rewrite n (bv1: bit_vec n)
+  : Lemma (bv_equality #n bv1 bv1 == true)
+  = ()
diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti b/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti
new file mode 100644
index 000000000..5340903b4
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti
@@ -0,0 +1,17 @@
+module BitVec.Equality
+
+open Core
+open Rust_primitives
+open FStar.Mul
+open FStar.FunctionalExtensionality
+
+val bv_equality #n (bv1 bv2: bit_vec n): bool
+val bv_equality_elim #n (bv1 bv2: bit_vec n)
+  : Lemma (requires bv_equality bv1 bv2)
+          (ensures  bv1 == bv2)
+val bv_equality_intro #n (bv1 bv2: bit_vec n)
+  : Lemma (requires bv1 == bv2)
+          (ensures  bv_equality bv1 bv2)
+val rewrite n (bv1: bit_vec n): Lemma (bv_equality #n bv1 bv1 == true)
+
+
diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst
new file mode 100644
index 000000000..9d2614842
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst
@@ -0,0 +1,264 @@
+module BitVec.Intrinsics.Constants
+
+open Core
+open Rust_primitives
+open FStar.Mul
+open FStar.FunctionalExtensionality
+open BitVec.Utils
+open BitVec.Equality
+
+let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16)
+  : bit_vec 256
+  = mk_bv (fun i ->
+      let offset = i % 16 in
+      match i / 16 with
+      |  0 -> get_bit x15 (sz offset)
+      |  1 -> get_bit x14 (sz offset)
+      |  2 -> get_bit x13 (sz offset)
+      |  3 -> get_bit x12 (sz offset)
+      |  4 -> get_bit x11 (sz offset)
+      |  5 -> get_bit x10 (sz offset)
+      |  6 -> get_bit x9 (sz offset)
+      |  7 -> get_bit x8 (sz offset)
+      |  8 -> get_bit x7 (sz offset)
+      |  9 -> get_bit x6 (sz offset)
+      | 10 -> get_bit x5 (sz offset)
+      | 11 -> get_bit x4 (sz offset)
+      | 12 -> get_bit x3 (sz offset)
+      | 13 -> get_bit x2 (sz offset)
+      | 14 -> get_bit x1 (sz offset)
+      | 15 -> get_bit x0 (sz offset)
+    )
+
+let madd_rhs (n: nat {n < 16}) = 
+  mm256_set_epi16 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16)
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s
+
+open FStar.Tactics.V2
+
+let _ = namedv_view
+
+irreducible let stupid (x: 'a): bit_vec 256 -> bit_vec 256 = admit ()
+
+open Tactics.Utils
+
+open FStar.Tactics
+
+(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are
+unification variables. This returns a list of terms to substitute `x1`
+... `xN` with.  *)
+let unify_app (t fn: term) norm_steps: Tac (option (list term))
+  = let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in
+    let _fake_goal = 
+      (* create a goal `b1 -> ... -> bn -> squash True` *)
+      let trivial = pack_comp (C_Total (`squash True)) in
+      unshelve (fresh_uvar (Some (mk_arr bds trivial)))
+    in
+    (* get back the binders `b1`, ..., `bn` *)
+    let bds = intros () in
+    let args = map (fun (b: binder) -> b <: term) bds in
+    let norm_term = norm_term (hnf::norm_steps) in
+    let fn, t = norm_term (mk_e_app fn args), norm_term t in
+    let vars = map (fun b -> 
+      let b = inspect_binder b in
+      let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in
+      let nv: namedv_view = {uniq; ppname; sort = seal (`_)} in
+      (FStar.Reflection.V2.pack_namedv nv, b.binder_sort)
+    ) bds in
+    let?# substs = fst (try_unify (cur_env ()) vars fn t) in
+    if List.Tot.length substs <> List.Tot.length bds
+    then fail "unify_app: inconsistent lengths";
+    (* solve the trivial goal introduced at the begining *)
+    trivial ();
+    Some (List.Tot.rev (map (fun (_, t) -> t) substs))
+
+irreducible let add (x y: int): int = x + y
+
+let f (a b c d: int): int = add (add (add a b) c) d
+
+// #push-options "--print_full_names --print_implicits --print_bound_var_types"
+let _ = assert true by (
+  let r = 
+    unify_app 
+      (quote (f 1 2 3 4))
+      (quote f)
+      [delta_only [`%f]]
+  in
+  let s = term_to_string (quote r)
+  in
+ print s
+  )
+
+let test x y (#[(
+    let n = fresh_namedv () in
+    let y = quote y in
+    let y' = `(madd_rhs (`#n)) in
+    let n = FStar.Reflection.V2.pack_namedv n in
+    let t = match try_unify (cur_env ()) [(n,`(n: nat {n < 16}))] y y' with
+    | (Some [v, t'], _) -> 
+      `(stupid (`#t'))
+    | _ -> `(stupid (`#y)) in
+    exact t
+)]f: bit_vec 256 -> bit_vec 256) = f x
+
+let xx = fun x -> test x (madd_rhs 12)
+
+irreducible let vec256_to_i16s (bv: bit_vec 256)
+  : (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+  & (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+  = admit ()
+
+irreducible let rw_vec256_to_i16_ints
+  (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16)
+  : Lemma (
+    vec256_to_i16s (mm256_set_epi16 x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15)
+    == ((x0, x1, x2, x3, x4, x5, x6, x7), (x8, x9, x10, x11, x12, x13, x14, x15))
+  ) = admit ()
+
+let madd_rhs (n: nat {n < 16}) = 
+  mm256_set_epi16 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16)
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s
+
+#push-options "--z3rlimit 100"
+let to_madd_rhs (data: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+  & (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16))
+  : option (n:nat{
+    n < 16 /\ (
+      let ((x0, x1, x2, x3, x4, x5, x6, x7), (x8, x9, x10, x11, x12, x13, x14, x15)) = data in
+      madd_rhs n == mm256_set_epi16 x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15
+    )
+  })
+  = let ((x0, x1, x2, x3, x4, x5, x6, x7), (x8, x9, x10, x11, x12, x13, x14, x15)) = data in
+    if   v x0 >= 1
+      && v x0 = v x2 && v x0 = v x4  && v x0 = v x6  && v x0 = v x8 
+                     && v x0 = v x10 && v x0 = v x12 && v x0 = v x14
+      && v x1 = 1    && v x3 = 1     && v x5 = 1     && v x7 = 1 
+                     && v x9 = 1    && v x11= 1     && v x13= 1     && v x15= 1
+    then match Tactics.Pow2.log2 (v x0 <: nat) with
+       | Some coef -> 
+         if coef < 16
+         then (
+           assert (v ((1s <<! Int32.int_to_t coef <: i16)) == v x0);
+           Some coef
+         ) else None
+       | _ -> None
+    else None
+#pop-options
+
+open FStar.Tactics.V2
+[@@FStar.Tactics.V2.postprocess_with (fun _ -> 
+  compute ();
+  Tactics.Seq.norm_index ();
+  compute ();
+  fail "x"
+)]
+let aa =
+  let n = 12 in
+  let tuple = (
+    ( (1s <<! Int32.int_to_t n <: i16) 
+    , 1s 
+    , (1s <<! Int32.int_to_t n <: i16) 
+    , 1s
+    , (1s <<! Int32.int_to_t n <: i16) 
+    , 1s 
+    , (1s <<! Int32.int_to_t n <: i16)
+    , 1s),
+    ( (1s <<! Int32.int_to_t n <: i16)
+    , 1s 
+    , (1s <<! Int32.int_to_t n <: i16) 
+    , 1s
+    , (1s <<! Int32.int_to_t n <: i16) 
+    , 1s 
+    , (1s <<! Int32.int_to_t n <: i16) 
+    , 1s)) in
+  let x: nat = match to_madd_rhs tuple with | Some n -> n | None -> 0 in
+  x
+
+open Tactics.Utils
+open FStar.Tactics.V2
+module Visit = FStar.Tactics.Visit
+
+let rec any (f: 'a -> bool) (l: list 'a): bool
+    = match l with
+    | [] -> false
+    | hd::tl -> if f hd
+              then true
+              else any f tl
+
+exception FoundFreeLocalVar
+let is_closed_term (x: term): Tac bool
+  = try
+      let _ = FStar.Tactics.Visit.visit_tm (
+        function 
+        | Tv_Var _ | Tv_BVar _ -> raise FoundFreeLocalVar
+        | x -> x
+        ) x
+      in true
+    with | FoundFreeLocalVar -> false
+         | e -> raise e
+
+let rw_mm256_set_epi16 t = 
+  let?# (f, [arg,_]) = expect_app_n t 1 in
+  let?# _ = expect_free_var f (`%vec256_to_i16_ints) in
+  let?? _ = is_closed_term arg in
+  let?# (f, args) = expect_app_n arg 16 in
+  let?# _ = expect_free_var f (`%mm256_set_epi16) in
+  pointwise' (fun _ ->
+    let _ = let?# (lhs, _, _) = expect_lhs_eq_rhs () in
+            Some (if any (fun (arg, _) -> term_eq lhs arg) args 
+                  then norm [primops; iota; delta; zeta_full]
+                  else ())
+    in trefl ()
+  );
+  Some ()
+
+let rec expect_madd_rhs' (bv: bit_vec 256) (n:nat {n < 16})
+  : result: option (n: nat {n < 16}) { match result with
+                                   | Some n -> bv == madd_rhs n
+                                   | _ -> True
+                                   }
+  = if bv_equality bv (madd_rhs n)
+    then ( bv_equality_elim bv (madd_rhs n);
+           Some n )
+    else if n = 0 then None
+         else expect_madd_rhs' bv (n - 1)
+
+irreducible let expect_madd_rhs (bv: bit_vec 256): option (n: nat {n < 16})
+  = expect_madd_rhs' bv 15
+
+// let rewrite_expect_madd_rhs
+//   (bv: bit_vec 256) (n: nat {n < 16})
+//   : Lemma (requires bv == madd_rhs n)
+//           (ensures  )
+//   = ()
+  
diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst
new file mode 100644
index 000000000..0c60d6587
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst
@@ -0,0 +1,203 @@
+module BitVec.Intrinsics.TestShuffle
+
+open Rust_primitives
+open FStar.Mul
+open BitVec.Utils
+open BitVec.Intrinsics
+
+assume val stuck: #a:Type -> #b:Type -> a -> b
+
+let index64 l (i: nat {i < List.Tot.length l}) =
+  match l with
+  | [x0;x1;x2;x3] -> 
+    (match i with
+    | 0 -> x0   | 1 -> x1   | 2 -> x2   | 3 -> x3)
+  | [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31;x32;x33;x34;x35;x36;x37;x38;x39;x40;x41;x42;x43;x44;x45;x46;x47;x48;x49;x50;x51;x52;x53;x54;x55;x56;x57;x58;x59;x60;x61;x62;x63] -> 
+    (match i with
+    | 0 -> x0   | 1 -> x1   | 2 -> x2   | 3 -> x3   | 4 -> x4   | 5 -> x5   | 6 -> x6   | 7 -> x7   | 8 -> x8   | 9 -> x9   | 10 -> x10 | 11 -> x11 | 12 -> x12 | 13 -> x13 | 14 -> x14 | 15 -> x15 
+    | 16 -> x16 | 17 -> x17 | 18 -> x18 | 19 -> x19 | 20 -> x20 | 21 -> x21 | 22 -> x22 | 23 -> x23 | 24 -> x24 | 25 -> x25 | 26 -> x26 | 27 -> x27 | 28 -> x28 | 29 -> x29 | 30 -> x30 | 31 -> x31 
+    | 32 -> x32 | 33 -> x33 | 34 -> x34 | 35 -> x35 | 36 -> x36 | 37 -> x37 | 38 -> x38 | 39 -> x39 | 40 -> x40 | 41 -> x41 | 42 -> x42 | 43 -> x43 | 44 -> x44 | 45 -> x45 | 46 -> x46 | 47 -> x47 
+    | 48 -> x48 | 49 -> x49 | 50 -> x50 | 51 -> x51 | 52 -> x52 | 53 -> x53 | 54 -> x54 | 55 -> x55 | 56 -> x56 | 57 -> x57 | 58 -> x58 | 59 -> x59 | 60 -> x60 | 61 -> x61 | 62 -> x62 | 63 -> x63)
+  | _ -> stuck "index"
+
+assume val nth: list bit -> nat -> bit
+
+let bv_of_list_list (n: pos) (l: list (l: list bit {List.Tot.length l == n})): bit_vec (List.Tot.length l * n)
+  = mk_bv (fun i -> nth (index64 l (i / n)) (i % n))
+
+let z: l: list bit {List.Tot.length l == 4} = [0;0;0;0]
+
+type result #t0 #t1 #t2 #t3 #t4 = {
+     vector: t0;
+     adjacent_2_combined: t1;
+     adjacent_8_combined: t2;
+     combined': t3;
+     combined: t4;
+  }
+
+// /// We view `x` as a sequence of pairs of 16 bits, of the shape
+// /// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero.
+// /// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`.
+// let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 =
+//   mk_bv (fun i -> let j = i % 32 in
+//                // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`
+//                // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ`
+//                let is_zero = 
+//                  // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0`
+//                  j >= n * 2
+//                in
+//                if is_zero
+//                then 0
+//                else if j < n
+//                     then x i        // we want to produce the bit `aⱼ`
+//                     else 
+//                       // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`
+//                       x (i - n + 16)
+//          )
+
+// let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 =
+//   mk_bv (fun i ->
+//      let j = i / 32 in
+//      let index = (List.Tot.index b (7 - j) % 8) * 32 in
+//      a (index + i % 32))
+
+let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mm256_madd_epi16_specialized' vector 4
+    // Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector
+    //   (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s
+    //       (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s
+    //       (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s
+    //     <:
+    //     Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
+          (-1y) (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
+          (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let combined':Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mm256_permutevar8x32_epi32_i32 adjacent_8_combined (mk_list_8 0 0 0 0 0 0 4 0)
+    // Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_8_combined
+    //   (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l
+    //     <:
+    //     Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 combined'
+  in
+  {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined}
+
+let map256 (f: (i: nat {i < 256}) -> bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127;f 128;f 129;f 130;f 131;f 132;f 133;f 134;f 135;f 136;f 137;f 138;f 139;f 140;f 141;f 142;f 143;f 144;f 145;f 146;f 147;f 148;f 149;f 150;f 151;f 152;f 153;f 154;f 155;f 156;f 157;f 158;f 159;f 160;f 161;f 162;f 163;f 164;f 165;f 166;f 167;f 168;f 169;f 170;f 171;f 172;f 173;f 174;f 175;f 176;f 177;f 178;f 179;f 180;f 181;f 182;f 183;f 184;f 185;f 186;f 187;f 188;f 189;f 190;f 191;f 192;f 193;f 194;f 195;f 196;f 197;f 198;f 199;f 200;f 201;f 202;f 203;f 204;f 205;f 206;f 207;f 208;f 209;f 210;f 211;f 212;f 213;f 214;f 215;f 216;f 217;f 218;f 219;f 220;f 221;f 222;f 223;f 224;f 225;f 226;f 227;f 228;f 229;f 230;f 231;f 232;f 233;f 234;f 235;f 236;f 237;f 238;f 239;f 240;f 241;f 242;f 243;f 244;f 245;f 246;f 247;f 248;f 249;f 250;f 251;f 252;f 253;f 254;f 255]
+let map128 (f: (i: nat {i < 128}) -> bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127]
+
+let test (a b c d e f g h i j k l m n o p: (l: list bit {List.Tot.length l == 4})) = 
+  let input = bv_of_list_list 4 [
+    a;z;z;z; b;z;z;z; c;z;z;z; d;z;z;z;
+    e;z;z;z; f;z;z;z; g;z;z;z; h;z;z;z;
+    i;z;z;z; j;z;z;z; k;z;z;z; l;z;z;z;
+    m;z;z;z; n;z;z;z; o;z;z;z; p;z;z;z;
+    
+    // z;z;z;a; z;z;z;b; z;z;z;c; z;z;z;d;
+    // z;z;z;e; z;z;z;f; z;z;z;g; z;z;z;h;
+    // z;z;z;i; z;z;z;j; z;z;z;k; z;z;z;l;
+    // z;z;z;m; z;z;z;n; z;z;z;o; z;z;z;p;
+  ] in
+  serialize_4_ input
+
+
+// let xx a b c d e f g h i j k l m n o p =
+//   Pervasives.norm [iota; primops; zeta_full; delta] (
+//     Pervasives.norm [iota; primops; zeta; delta] (
+//       let {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} = test a b c d e f g h i j k l m n o p in
+//       let vector = map256 (fun (idx: nat{idx < 256}) -> vector idx) in
+//       let adjacent_2_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_2_combined idx) in
+//       let adjacent_8_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_8_combined idx) in
+//       let combined' = map256 (fun (idx: nat{idx < 256}) -> combined' idx) in
+//       let combined = map128 (fun (idx: nat{idx < 128}) -> combined idx) in
+//       // map128 (fun (idx: nat {idx < 128}) -> test a b c d e f g h i j k l m n o p idx)
+//       {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined}
+//       // (vector, adjacent_2_combined)
+//     )
+//   )
+
+
+
+open FStar.Tactics.V2
+open Tactics.Utils
+
+
+open Libcrux_intrinsics.Avx2_extract {t_Vec256, t_Vec128}
+// open BitVec.Intrinsics {
+  
+// }
+
+#push-options "--compat_pre_core 0"
+let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    BitVec.Intrinsics.mm256_madd_epi16 vector
+      (BitVec.Intrinsics.mm256_set_epi16 (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s
+          (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s
+          (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    BitVec.Intrinsics.mm256_shuffle_epi8 adjacent_2_combined
+      (BitVec.Intrinsics.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
+          (-1y) (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
+          (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    // BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32 adjacent_8_combined (mk_list_8 0 0 0 0 0 0 4 0)
+    BitVec.Intrinsics.mm256_permutevar8x32_epi32 adjacent_8_combined
+      (BitVec.Intrinsics.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let combined:t_Vec128 =
+    BitVec.Intrinsics.mm256_castsi256_si128 combined
+  in
+  assume (BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || vector i = 0));
+  assert (forall (i: nat {i < 64}).
+    // let local_i = i / 4 in
+    combined i == vector ((i / 4) * 16 + i % 4)
+  ) by (
+    // unfold wrappers
+    norm [primops; iota; zeta; delta_namespace [
+      `%BitVec.Intrinsics.mm256_shuffle_epi8;
+      `%BitVec.Intrinsics.mm256_permutevar8x32_epi32;
+      `%BitVec.Intrinsics.mm256_madd_epi16;
+      `%BitVec.Intrinsics.mm256_castsi256_si128;
+      "BitVec.Utils";
+    ]];
+    Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ ->
+      let reduce t =
+        norm [primops; iota; zeta_full; delta_namespace [
+          "FStar.FunctionalExtensionality";
+          t;
+          `%BitVec.Utils.mk_bv;
+          `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % )
+        ]];
+        norm [primops; iota; zeta_full; delta_namespace [
+          "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % )
+        ]]
+      in
+      reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32);
+      reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8);
+      reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized);
+      grewrite (quote (forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true);
+      flip (); smt ();
+      reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized');
+      // focus (fun _ -> dump' "Goal!!");
+      trivial ()
+    ))
+  );
+  combined
diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti
new file mode 100644
index 000000000..a101013a6
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti
@@ -0,0 +1,425 @@
+module BitVec.Intrinsics
+
+open Core
+open Rust_primitives
+open FStar.Mul
+open BitVec.Utils
+open BitVec.Equality
+open Tactics.Utils
+
+(*** The intrinsics *)
+let mm256_slli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256
+  = mk_bv (fun i -> let nth_bit = i % 16 in
+                 if nth_bit >= v shift then vec (i - v shift) else 0)
+
+let mm256_srli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256
+  = mk_bv (fun i -> let nth_bit = i % 16 in
+                 if nth_bit < 16 - v shift then vec (i + v shift) else 0)
+
+let mm256_srli_epi64 (shift: i32 {v shift >= 0 /\ v shift <= 64}) (vec: bit_vec 256): bit_vec 256
+  = mk_bv (fun i -> let nth_bit = i % 64 in
+                 if nth_bit < 64 - v shift then vec (i + v shift) else 0)
+
+let mm256_castsi256_si128 (vec: bit_vec 256): bit_vec 128
+  = mk_bv (fun i -> vec i)
+let mm256_extracti128_si256 (control: i32{control == 1l}) (vec: bit_vec 256): bit_vec 128
+  = mk_bv (fun i -> vec (i + 128))
+
+let mm256_si256_from_two_si128 (lower upper: bit_vec 128): bit_vec 256
+  = mk_bv (fun i -> if i < 128 then lower i else upper (i - 128))
+
+let mm_loadu_si128 (bytes: t_Array u8 (sz 16)): bit_vec 128
+  = mk_bv (fun i -> get_bit (Seq.index bytes (i / 8)) (sz (i % 8)))
+
+let mm256_set_epi32 (x0 x1 x2 x3 x4 x5 x6 x7: i32)
+  : bit_vec 256
+  = mk_bv (fun i ->
+      let h (x: i32) = get_bit x (sz (i % 32)) in
+      match i / 32 with
+      |  0 -> h x7 |  1 -> h x6 |  2 -> h x5 |  3 -> h x4
+      |  4 -> h x3 |  5 -> h x2 |  6 -> h x1  |  7 -> h x0)
+
+let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16)
+  : bit_vec 256
+  = mk_bv (fun i ->
+      let h (x: i16) = get_bit x (sz (i % 16)) in
+      match i / 16 with
+      |  0 -> h x15 |  1 -> h x14 |  2 -> h x13 |  3 -> h x12
+      |  4 -> h x11 |  5 -> h x10 |  6 -> h x9  |  7 -> h x8
+      |  8 -> h x7  |  9 -> h x6  | 10 -> h x5  | 11 -> h x4
+      | 12 -> h x3  | 13 -> h x2  | 14 -> h x1  | 15 -> h x0
+    )
+
+let mm_set_epi8
+  (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: u8)
+  : bit_vec 128
+  = mk_bv (fun i ->
+      let h (x: u8) = get_bit x (sz (i % 8)) in
+      match i / 8 with
+      |  0 -> h x15 |  1 -> h x14 |  2 -> h x13 |  3 -> h x12
+      |  4 -> h x11 |  5 -> h x10 |  6 -> h x9  |  7 -> h x8
+      |  8 -> h x7  |  9 -> h x6  | 10 -> h x5  | 11 -> h x4
+      | 12 -> h x3  | 13 -> h x2  | 14 -> h x1  | 15 -> h x0
+    )
+
+let mm256_set_epi8
+  (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: i8)
+  : bit_vec 256
+  = mk_bv (fun i ->
+      let h (x: i8) = get_bit x (sz (i % 8)) in
+      match i / 8 with
+      | 0  -> h x31 | 1  -> h x30 | 2  -> h x29 | 3  -> h x28
+      | 4  -> h x27 | 5  -> h x26 | 6  -> h x25 | 7  -> h x24
+      | 8  -> h x23 | 9  -> h x22 | 10 -> h x21 | 11 -> h x20
+      | 12 -> h x19 | 13 -> h x18 | 14 -> h x17 | 15 -> h x16
+      | 16 -> h x15 | 17 -> h x14 | 18 -> h x13 | 19 -> h x12
+      | 20 -> h x11 | 21 -> h x10 | 22 -> h x9  | 23 -> h x8
+      | 24 -> h x7  | 25 -> h x6  | 26 -> h x5  | 27 -> h x4
+      | 28 -> h x3  | 29 -> h x2  | 30 -> h x1  | 31 -> h x0
+    )
+
+val mm256_set1_epi16_no_semantics: i16 -> bit_vec 256
+let mm256_set1_epi16_pow2_minus_one (n: nat): bit_vec 256
+  = mk_bv (fun i -> if i % 16 < n then 1 else 0)
+
+let mm256_and_si256 (x y: bit_vec 256): bit_vec 256
+  = mk_bv (fun i -> if y i = 0 then 0 else x i)
+  
+let mm256_set1_epi16 (constant: i16)
+  (#[Tactics.exact (match unify_app (quote constant) (quote (fun n -> ((1s <<! Int32.int_to_t n <: i16) -! 1s <: i16))) [] with
+     | Some [x] -> `(mm256_set1_epi16_pow2_minus_one (`#x))
+     | _ -> (quote (mm256_set1_epi16_no_semantics constant))
+  )]result: bit_vec 256)
+  : bit_vec 256 = result
+
+private let saturate8 (v: bit_vec 16): bit_vec 8
+  = let on_upper_bits (+) (f: (n:nat{n >= 8 && n <= 15}) -> _) 
+        = f 8 + f 9 + f 10 + f 11 + f 12 + f 13 + f 14 + f 15 
+    in
+    let any1 = on_upper_bits ( ||  ) (fun i -> v i = 1) in
+    let all1 = on_upper_bits ( && ) (fun i -> v i = 1) in
+    let negative = v 15 = 1 in
+    mk_bv (fun i ->
+      let last_bit = i = 7 in
+      if negative
+      then if last_bit 
+           then 1
+           else if all1
+                then v i
+                else 0
+      else if any1
+           then if last_bit
+                then 0
+                else 1
+           else v i
+    )
+
+let mm_movemask_epi8_bv (a: bit_vec 128): bit_vec 128
+  = mk_bv (fun j ->
+             if j < 16
+             then a ((j * 8) + 7)
+             else 0
+          )
+
+let mm_movemask_epi8 (a: bit_vec 128): i32
+  = bit_vec_to_int_t 32 (mk_bv (fun i -> mm_movemask_epi8_bv a i))
+
+let mm_packs_epi16 (a b: bit_vec 128): bit_vec 128
+  = mk_bv (fun i ->
+      let nth_block = i / 8 in
+      let offset8 = nth_block * 8 in
+      let offset16' = nth_block * 16 in
+      let offset16 = offset16' % 128 in
+      let vec: bit_vec 128 = if offset16' < 128 then a else b in
+      saturate8 (mk_bv (fun j -> vec (offset16 + j))) (i - offset8)
+    )
+
+
+
+// This is a very specialized version of mm256_mullo_epi16
+let mm256_mullo_epi16_specialized1 (a: bit_vec 256): bit_vec 256 =
+  mk_bv (fun i -> 
+    let nth_bit = i % 16 in
+    let nth_i16 = i / 16 in
+    let shift = if nth_i16 >= 8 then 23 - nth_i16 else 15 - nth_i16 in
+    if nth_bit >= shift then a (i - shift) else 0
+  )
+
+// This is a very specialized version of mm256_mullo_epi16
+let mm256_mullo_epi16_specialized2 (a: bit_vec 256): bit_vec 256 =
+  mk_bv (fun i -> 
+    let nth_bit = i % 16 in
+    let nth_i16 = i / 16 in
+    let shift = if nth_i16 % 2 = 0 then 4 else 0 in
+    if nth_bit >= shift then a (i - shift) else 0
+  )
+
+// This is a very specialized version of mm256_mullo_epi16
+let mm256_mullo_epi16_specialized3 (a: bit_vec 256): bit_vec 256 =
+  mk_bv (fun i -> 
+    let nth_bit = i % 16 in
+    let nth_i16 = i / 16 in
+    let shift = 6 - (nth_i16 % 4) * 2 in
+    if nth_bit >= shift then a (i - shift) else 0
+  )
+
+// This term will be stuck, we don't know anything about it
+val mm256_mullo_epi16_no_semantics (a count: bit_vec 256): bit_vec 256
+
+open FStar.Tactics.V2
+
+
+
+let mm256_mullo_epi16
+    (a count: bit_vec 256) 
+    (#[(
+      if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s <<! 8l <: i16) (x <<! 9l <: i16)
+                                                               (1s <<! 10l <: i16) (1s <<! 11l <: i16) (1s <<! 12l <: i16) (1s <<! 13l <: i16)
+                                                               (1s <<! 14l <: i16) (-32768s) (1s <<! 8l <: i16) (1s <<! 9l <: i16) (1s <<! 10l <: i16)
+                                                               (1s <<! 11l <: i16) (1s <<! 12l <: i16) (1s <<! 13l <: i16) (1s <<! 14l <: i16) (-32768s))) [] with
+         | Some [x] -> unquote x = 1s
+         | _ -> false
+      then Tactics.exact (quote (mm256_mullo_epi16_specialized1 a))
+      else if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s <<! 0l <: i16) (x <<! 4l <: i16)
+                                                               (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16)
+                                                               (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+                                                               (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16))) [] with
+              | Some [x] -> unquote x = 1s
+              | _ -> false
+           then Tactics.exact (quote (mm256_mullo_epi16_specialized2 a))
+           else 
+             if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s <<! 0l <: i16) (x <<! 2l <: i16)
+                                                               (1s <<! 4l <: i16) (1s <<! 6l <: i16) (1s <<! 0l <: i16) (1s <<! 2l <: i16) (1s <<! 4l <: i16)
+                                                               (1s <<! 6l <: i16) (1s <<! 0l <: i16) (1s <<! 2l <: i16) (1s <<! 4l <: i16) (1s <<! 6l <: i16)
+                                                               (1s <<! 0l <: i16) (1s <<! 2l <: i16) (1s <<! 4l <: i16) (1s <<! 6l <: i16))) [] with
+                | Some [x] -> unquote x = 1s
+                | _ -> false
+             then Tactics.exact (quote (mm256_mullo_epi16_specialized3 a))
+             else 
+               Tactics.exact (quote (mm256_mullo_epi16_no_semantics a count))
+    )]result: bit_vec 256): bit_vec 256 = result
+
+let madd_rhs (n: nat {n < 16}) = 
+  mm256_set_epi16 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16)
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s 
+    (1s <<! Int32.int_to_t n <: i16) 
+    1s
+
+val mm256_madd_epi16_no_semantic: bit_vec 256 -> bit_vec 256 -> bit_vec 256
+
+let forall_bool (#max: pos) (f: (n: nat {n < max}) -> bool)
+  : r:bool {r <==> (forall i. f i)}
+  = let rec h (n: nat {n <= max}): r:bool {r <==> (forall i. i < n ==> f i)} = 
+        match n with
+        | 0 -> true
+        | _ -> f (n - 1) && h (n - 1)
+    in h max
+
+/// We view `x` as a sequence of pairs of 16 bits, of the shape
+/// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero.
+/// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`.
+let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 =
+  mk_bv (fun i -> let j = i % 32 in
+               // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`
+               // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ`
+               let is_zero = 
+                 // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0`
+                 j >= n * 2
+               in
+               if is_zero
+               then 0
+               else if j < n
+                    then x i        // we want to produce the bit `aⱼ`
+                    else 
+                      // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`
+                      x (i - n + 16)
+         )
+
+let mm256_concat_pairs_n 
+  (n: u8 {v n < 16})
+  (x: bit_vec 256 {forall (i: nat {i < 256}). i % 16 < v n || x i = 0}) =
+  mm256_madd_epi16_specialized' x (v n)
+
+let mm256_madd_epi16_specialized (x: bit_vec 256) (n: nat {n < 16}) =
+  if forall_bool (fun (i: nat {i < 256}) -> i % 16 < n || x i = 0)
+  then mm256_madd_epi16_specialized' x n
+  else mm256_madd_epi16_no_semantic x (madd_rhs n)
+
+val mm_shuffle_epi8_no_semantics (a b: bit_vec 128): bit_vec 128
+let mm_shuffle_epi8_u8 (a: bit_vec 128) (b: list int {List.Tot.length b == 16}): bit_vec 128 =
+  mk_bv (fun i -> 
+     let nth = i / 8 in
+     let index = List.Tot.index b (15 - nth) in
+     if index < 0 then 0
+                  else let index = index % 16 in
+                       a (index * 8 + i % 8 + i / 128 * 128))
+
+let mm_shuffle_epi8
+  (x y: bit_vec 128) 
+  (#[(
+    let t = match unify_app (quote y) 
+      (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 -> 
+        mm_set_epi8
+          (UInt8.uint_to_t x0 ) (UInt8.uint_to_t x1 ) (UInt8.uint_to_t x2 ) (UInt8.uint_to_t x3 ) (UInt8.uint_to_t x4 ) (UInt8.uint_to_t x5 ) (UInt8.uint_to_t x6 ) (UInt8.uint_to_t x7 )
+          (UInt8.uint_to_t x8 ) (UInt8.uint_to_t x9 ) (UInt8.uint_to_t x10) (UInt8.uint_to_t x11) (UInt8.uint_to_t x12) (UInt8.uint_to_t x13) (UInt8.uint_to_t x14) (UInt8.uint_to_t x15))) [] with
+    | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] ->
+      `(mm_shuffle_epi8_u8 (`@x)
+                              (mk_list_16
+                                 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 )
+                                 (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15)))
+    | _ -> quote (mm_shuffle_epi8_no_semantics x y) in
+    exact t
+  )]result: bit_vec 128)
+  : bit_vec 128 
+  = result
+
+val mm256_shuffle_epi8_no_semantics (a b: bit_vec 256): bit_vec 256
+let mm256_shuffle_epi8_i8 (a: bit_vec 256) (b: list _ {List.Tot.length b == 32}): bit_vec 256 =
+  mk_bv (fun i -> 
+     let nth = i / 8 in
+     let index = List.Tot.index b (31 - nth) in
+     if index < 0 then 0
+                  else let index = index % 16 in
+                       a (index * 8 + i % 8 + i / 128 * 128))
+
+let mm256_shuffle_epi8
+  (x y: bit_vec 256) 
+  (#[(
+    let t = match unify_app (quote y) 
+      (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31 -> 
+        mm256_set_epi8
+          (Int8.int_to_t x0 ) (Int8.int_to_t x1 ) (Int8.int_to_t x2 ) (Int8.int_to_t x3 ) (Int8.int_to_t x4 ) (Int8.int_to_t x5 ) (Int8.int_to_t x6 ) (Int8.int_to_t x7 )
+          (Int8.int_to_t x8 ) (Int8.int_to_t x9 ) (Int8.int_to_t x10) (Int8.int_to_t x11) (Int8.int_to_t x12) (Int8.int_to_t x13) (Int8.int_to_t x14) (Int8.int_to_t x15)
+          (Int8.int_to_t x16) (Int8.int_to_t x17) (Int8.int_to_t x18) (Int8.int_to_t x19) (Int8.int_to_t x20) (Int8.int_to_t x21) (Int8.int_to_t x22) (Int8.int_to_t x23)
+          (Int8.int_to_t x24) (Int8.int_to_t x25) (Int8.int_to_t x26) (Int8.int_to_t x27) (Int8.int_to_t x28) (Int8.int_to_t x29) (Int8.int_to_t x30) (Int8.int_to_t x31))) [] with
+    | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] ->
+      `(mm256_shuffle_epi8_i8 (`@x)
+                              (mk_list_32
+                                 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 )
+                                 (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15)
+                                 (`#x16) (`#x17) (`#x18) (`#x19) (`#x20) (`#x21) (`#x22) (`#x23) 
+                                 (`#x24) (`#x25) (`#x26) (`#x27) (`#x28) (`#x29) (`#x30) (`#x31)))
+    | _ -> quote (mm256_shuffle_epi8_no_semantics x y) in
+    exact t
+  )]result: bit_vec 256)
+  : bit_vec 256 
+  = result
+
+val mm256_permutevar8x32_epi32_no_semantics (a b: bit_vec 256): bit_vec 256
+let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 =
+  mk_bv (fun i ->
+     let j = i / 32 in
+     let index = (List.Tot.index b (7 - j) % 8) * 32 in
+     a (index + i % 32))
+
+let mm256_permutevar8x32_epi32
+  (x y: bit_vec 256) 
+  (#[(
+    let t = match unify_app (quote y) 
+      (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> 
+        mm256_set_epi32
+          (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) 
+          (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with
+    | Some [x0;x1;x2;x3;x4;x5;x6;x7] ->
+      `(mm256_permutevar8x32_epi32_i32 (`@x)
+                              (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 )))
+    | _ -> quote (mm256_permutevar8x32_epi32_no_semantics x y) in
+    exact t
+  )]result: bit_vec 256)
+  : bit_vec 256 
+  = result
+
+val mm256_sllv_epi32_no_semantics (x y: bit_vec 256): bit_vec 256
+let mm256_sllv_epi32_i32 (vec: bit_vec 256) (counts: list _ {List.Tot.length counts == 8}): bit_vec 256
+  = mk_bv (fun i -> let nth_bit = i % 32 in
+                 let shift = List.Tot.index counts (7 - i / 32) in
+                 if shift >= 0 && nth_bit >= shift then vec (i - shift) else 0)
+
+let mm256_sllv_epi32
+  (x y: bit_vec 256) 
+  (#[(
+    let t = match unify_app (quote y) 
+      (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> 
+        mm256_set_epi32
+          (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) 
+          (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with
+    | Some [x0;x1;x2;x3;x4;x5;x6;x7] ->
+      `(mm256_sllv_epi32_i32 (`@x)
+                              (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 )))
+    | _ -> quote (mm256_sllv_epi32_no_semantics x y) in
+    exact t
+  )]result: bit_vec 256)
+  : bit_vec 256 
+  = result
+
+
+let mm256_madd_epi16
+  (x y: bit_vec 256)
+  (#[(
+    let t = match unify_app (quote y) (quote (fun n -> madd_rhs n)) [delta_only [`%madd_rhs]] with
+    | Some [n] -> `(mm256_madd_epi16_specialized (`@x) (`#n))
+    | _ -> quote (mm256_madd_epi16_no_semantic x y) in
+    exact t
+  )]result: bit_vec 256)
+  : bit_vec 256
+  = result
+
+val mm_storeu_bytes_si128 (_output: t_Slice u8) (vec: bit_vec 128)
+  // : r: t_Array u8 (sz 16) {forall i. vec i == get_bit (Seq.index r (i / 8)) (sz (i % 8))}
+  : r: t_Array u8 (sz 16) {forall i. vec i == bit_vec_of_int_t_array r 8 i}
+
+open FStar.Stubs.Tactics.V2.Builtins
+open FStar.Stubs.Tactics.V2
+open FStar.Tactics.V2.Derived
+open FStar.Tactics.V2
+
+let rec bv_to_string #len (bv: bit_vec len): string
+  = if len = 0 then ""
+               else string_of_int (bv (len - 1)) 
+                  ^ bv_to_string #(len - 1) (mk_bv (fun i -> bv i))
+
+let bv_of_string #len (s: string): Tac (bit_vec len)
+  = let l = FStar.String.list_of_string s 
+          |> filter (function ' ' | '\n' -> false | _ -> true)
+          |> map #_ #bit (function '1' -> 1 <: bit | '0' -> 0 | c -> fail ("expected 0 or 1, got [" ^ String.string_of_char c ^ "]")) in
+    if FStar.List.Tot.length l = len
+    then mk_bv (fun (i: nat {i < len}) -> List.Tot.index l i)
+    else fail ("expected a bv of length " ^ string_of_int len ^ ", got a bv of length " ^ string_of_int (FStar.List.Tot.length l))
+
+let call_native_intrinsic' #ilen name raw_args (bitvecs: list (bit_vec ilen)) : Tac string =
+  let bitvecs = List.Tot.map bv_to_string bitvecs in
+  let args = List.Tot.append raw_args bitvecs in
+  let result = launch_process "bash" ("/tmp/run.sh"::name::args) "" in
+  print ("process stdout is [" ^ result ^ "]");
+  FStar.String.list_of_string result
+    |> filter (function ' ' | '\n' -> false | _ -> true)
+    |> String.string_of_list
+
+let call_native_intrinsic #ilen olen name raw_args (bitvecs: list (bit_vec ilen)) : Tac (bit_vec olen) =
+  bv_of_string (call_native_intrinsic' #ilen name raw_args bitvecs)
+
+let random_bv len: Tac (bit_vec len) 
+  = call_native_intrinsic #1 _ "rand" [string_of_int len] []
+
+let tassert (x: bool): Tac unit
+  = if x then () else fail "tassert"
+
+
+private let example: bit_vec 256 = mk_bv (fun i -> if i % 16 = 15 then 1 else 0)
+
+private let x = bv_to_string example
+private let y = bv_to_string (mm256_srli_epi16 15l example)
+
diff --git a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst
new file mode 100644
index 000000000..3d2d19c98
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst
@@ -0,0 +1,67 @@
+module BitVec.Utils
+
+open Core
+open FStar.FunctionalExtensionality
+open BitVec.Equality
+open Rust_primitives.BitVectors
+
+let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f
+
+let mk_list_32 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: a)
+  : (l:list a {List.Tot.length l == 32})
+  = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] in
+    assert_norm (List.Tot.length l == 32);
+    l
+
+let mk_list_16 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: a)
+  : (l:list a {List.Tot.length l == 16})
+  = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] in
+    assert_norm (List.Tot.length l == 16);
+    l
+
+let mk_list_8 #a (x0 x1 x2 x3 x4 x5 x6 x7: a)
+  : (l:list a {List.Tot.length l == 8})
+  = let l = [x0;x1;x2;x3;x4;x5;x6;x7] in
+    assert_norm (List.Tot.length l == 8);
+    l
+
+let rw_get_bit_cast #t #u
+  (x: int_t t) (nth: usize)
+  : Lemma (requires v nth < bits u /\ v nth < bits u)
+          (ensures eq2 #bit (get_bit (cast_mod #t #u x) nth) (if v nth < bits t then get_bit x nth else 0))
+          [SMTPat (get_bit (cast_mod #t #u x) nth)]
+  = ()
+
+let rw_get_bit_shr #t #u (x: int_t t) (y: int_t u) (i: usize {v i < bits t})
+  : Lemma (requires v y >= 0 /\ v y < bits t)
+          (ensures eq2 #bit (get_bit (x >>! y) i )
+                (if v i < bits t - v y
+                    then get_bit x (mk_int (v i + v y))
+                    else if signed t
+                         then get_bit x (mk_int (bits t - 1))
+                         else 0))
+  = ()
+
+unfold type forall_sig (n: nat) = pred: ((i:nat{i < n}) -> bool)
+                              -> r: bool {r <==> (forall i. pred i)}
+
+let forall8: forall_sig 8 = fun pred -> pred 0 && pred 1 && pred 2 && pred 3
+                                  && pred 4 && pred 5 && pred 6 && pred 7
+
+#push-options "--z3rlimit 400"
+let forall16: forall_sig 16 = fun pred -> forall8 pred && forall8 (fun i -> pred (i + 8))
+let forall32: forall_sig 32 = fun pred -> forall16 pred && forall16 (fun i -> pred (i + 16))
+let forall64: forall_sig 64 = fun pred -> forall32 pred && forall32 (fun i -> pred (i + 32))
+let forall128: forall_sig 128 = fun pred -> forall64 pred && forall64 (fun i -> pred (i + 64))
+let forall256: forall_sig 256 = fun pred -> forall128 pred && forall128 (fun i -> pred (i + 128))
+#pop-options
+
+let forall_n (n:nat{n <= 256}): forall_sig n = fun pred -> forall256 (fun i -> if i < n then pred i else true)
+
+let bit_vec_to_int_t_lemma
+    #t (d: num_bits t) (bv: bit_vec d)
+    i
+  : Lemma (get_bit (bit_vec_to_int_t d bv) (sz i) == bv i)
+          [SMTPat (get_bit (bit_vec_to_int_t d bv) (sz i))]
+  = bit_vec_to_int_t_lemma d bv i
+
diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fst b/fstar-helpers/fstar-bitvec/BitVecEq.fst
new file mode 100644
index 000000000..c89f2fe35
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/BitVecEq.fst
@@ -0,0 +1,12 @@
+module BitVecEq
+
+open Core
+open FStar.Mul
+open FStar.FunctionalExtensionality
+
+let bit_vec_equal #n bv1 bv2 = forall i. bv1 i == bv2 i
+
+let bit_vec_equal_intro bv1 bv2 = ()
+let bit_vec_equal_elim bv1 bv2 = assert (feq bv1 bv2)
+
+
diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fsti b/fstar-helpers/fstar-bitvec/BitVecEq.fsti
new file mode 100644
index 000000000..6792f2b29
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/BitVecEq.fsti
@@ -0,0 +1,293 @@
+module BitVecEq
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+open MkSeq
+open FStar.FunctionalExtensionality
+
+val bit_vec_equal (#n: nat) (bv1 bv2: bit_vec n): Type0
+val bit_vec_equal_intro (#n: nat) (bv1 bv2: bit_vec n)
+  : Lemma (requires forall i. bv1 i == bv2 i)
+          (ensures bit_vec_equal bv1 bv2)
+val bit_vec_equal_elim (#n: nat) (bv1 bv2: bit_vec n)
+  : Lemma (requires bit_vec_equal #n bv1 bv2)
+          (ensures bv1 == bv2)
+          [SMTPat (bit_vec_equal #n bv1 bv2)]
+
+let bit_vec_equal_intro_principle ()
+  : Lemma (forall n (bv1 bv2: bit_vec n). (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2)
+  = introduce forall n (bv1 bv2: bit_vec n). _
+    with introduce (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2
+         with _. bit_vec_equal_intro #n bv1 bv2
+  
+let bit_vec_equal_elim_principle ()
+  : Lemma (forall n (bv1 bv2: bit_vec n). bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i))
+  = introduce forall n (bv1 bv2: bit_vec n). _
+    with introduce bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i)
+         with _. bit_vec_equal_elim #n bv1 bv2
+
+let bit_vec_equal_trivial (bv1 bv2: bit_vec 0): Lemma (bv1 == bv2) 
+    [SMTPat (eq2 #(bit_vec 0) bv1 bv2)]
+  = bit_vec_equal_intro bv1 bv2
+
+let bit_vec_sub #n (bv: bit_vec n) (start: nat) (len: nat {start + len <= n})
+  : bit_vec len
+  = on (i: nat {i < len})
+       (fun i -> bv (start + i))
+
+let bit_vec_equal_trivial_sub_smtpat (bv1: bit_vec 'n)
+  : Lemma (forall (bv2: bit_vec 0). bit_vec_sub bv1 0 0 == bv2)
+    [SMTPat (bit_vec_sub bv1 0 0)]
+  = introduce forall (bv2: bit_vec 0). bit_vec_sub bv1 0 0 == bv2
+    with bit_vec_equal_trivial (bit_vec_sub bv1 0 0) bv2
+
+unfold let retype #a #b (#_:unit{a == b})
+  (x: a): b
+  = x
+
+let bit_vec_sub_all_lemma #n (bv: bit_vec n)
+  : Lemma (bit_vec_sub bv 0 n == bv)
+          [SMTPat (bit_vec_sub bv 0 n)]
+  = bit_vec_equal_intro (bit_vec_sub bv 0 n) bv
+
+let int_t_array_bitwise_eq'
+       #t1 #t2 #n1 #n2
+       (arr1: t_Array (int_t t1) n1) (d1: num_bits t1)
+       (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2})
+     = bit_vec_equal (bit_vec_of_int_t_array arr1 d1)
+                     (retype (bit_vec_of_int_t_array arr2 d2))
+
+let int_t_array_bitwise_eq
+       #t1 #t2 #n1 #n2
+       (arr1: t_Array (int_t t1) n1) (d1: num_bits t1)
+       (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2})
+     = bit_vec_of_int_t_array arr1 d1 == bit_vec_of_int_t_array arr2 d2
+
+// let get_bit_intro ()
+//   : Lemma (forall (#n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). 
+//              get_bit #n x nth == (  if v x >= 0 then get_bit_nat (v x) (v nth)
+//                                 else get_bit_nat (pow2 (bits n) + v x) (v nth)))
+//   = introduce forall (n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). 
+//              get_bit #n x nth == (  if v x >= 0 then get_bit_nat (v x) (v nth)
+//                                 else get_bit_nat (pow2 (bits n) + v x) (v nth))
+//     with get_bit_intro #n x nth
+
+#push-options "--fuel 0 --ifuel 0 --z3rlimit 150"
+/// Rewrite a `bit_vec_of_int_t_array (Seq.slice arr ...)` into a `bit_vec_sub ...`
+let int_t_seq_slice_to_bv_sub_lemma #t #n 
+  (arr: t_Array (int_t t) n)
+  (start: nat) (len: usize {start + v len <= v n})
+  (d: num_bits t) 
+  : Lemma ( bit_vec_of_int_t_array (Seq.slice arr start (start + v len) <: t_Array _ len) d
+     `bit_vec_equal` bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d))
+   [SMTPat (bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d))]
+  = let bv1 = bit_vec_of_int_t_array #_ #len (Seq.slice arr start (start + v len)) d in
+    let bv2 = bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d) in
+    introduce forall i. bv1 i == bv2 i 
+    with ( Seq.lemma_index_slice arr start (start + v len) (i / d);
+           Math.Lemmas.lemma_div_plus i start d;
+           Math.Lemmas.lemma_mod_plus i start d);
+    bit_vec_equal_intro bv1 bv2
+
+#push-options "--split_queries always"
+let int_t_eq_seq_slice_bv_sub_lemma #t #n1 #n2
+  (arr1: t_Array (int_t t) n1) (arr2: t_Array (int_t t) n2)  (d: num_bits t)
+  (start1 start2: nat) (len: nat {start1 + len <= v n1 /\ start2 + len <= v n2})
+  : Lemma (requires Seq.slice arr1 start1 (start1 + len) == Seq.slice arr2 start2 (start2 + len))
+          (ensures  bit_vec_equal
+                       (bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d))
+                       (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d)))
+          [SMTPat ((bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d)) ==
+                       (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d)))]
+  = let len = sz len in
+    int_t_seq_slice_to_bv_sub_lemma arr1 start1 len d;
+    int_t_seq_slice_to_bv_sub_lemma arr2 start2 len d;
+    // bit_vec_equal_elim_principle ();
+    bit_vec_equal_intro_principle ()
+#pop-options
+
+let bit_vec_equal_extend #n1 #n2
+  (bv1: bit_vec n1) (bv2: bit_vec n2) (start1 start2: nat)
+  (len1: nat)
+  (len2: nat { start1 + len1 + len2 <= n1 /\ start2 + len1 + len2 <= n2})
+  : Lemma 
+    (requires 
+       bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1
+     /\ bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2)
+    (ensures bit_vec_sub bv1 start1 (len1+len2) == bit_vec_sub bv2 start2 (len1+len2))
+    // [SMTPat (bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1);
+    //  SMTPat ()
+    // ]
+     // SMTPat (bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2)]
+  = let left1 = bit_vec_sub bv1 start1 len1 in
+    let left2 = bit_vec_sub bv2 start2 len1 in
+    let right1 = bit_vec_sub bv1 (start1 + len1) len2 in
+    let right2 = bit_vec_sub bv2 (start2 + len1) len2 in
+    // ()
+    // bit_vec_equal_elim left1  left2 ;
+    // bit_vec_equal_elim right1 right2;
+    let entire1 = bit_vec_sub bv1 start1 (len1 + len2) in
+    let entire2 = bit_vec_sub bv2 start2 (len1 + len2) in
+    assert (forall (i:nat). i < len1 ==> left1 i == left2 i);
+    assert (forall (i:nat). i < len2 ==> right1 i == right2 i);
+    introduce forall (i:nat). i < len1 + len2 ==> entire1 i == entire2 i
+    with introduce i < len1 + len2 ==> entire1 i == entire2 i
+         with _. if i < len1 then assert (left1 i == left2 i)
+                             else assert (entire1 i == right1 (i - len1));
+    bit_vec_equal_intro entire1 entire2
+#pop-options
+
+// let bit_vec_equal_trans (#n: nat) (bv1 bv2 bv3: bit_vec n)
+//   : Lemma (requires bv1 `bit_vec_equal` bv2 /\ bv2 `bit_vec_equal` bv3)
+//           (ensures  bv1 `bit_vec_equal` bv3)
+//   = bit_vec_equal_elim_principle ();
+//     bit_vec_equal_intro_principle ()
+
+(*
+let int_arr_bitwise_eq_range
+       #t1 #t2 #n1 #n2
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0)
+       (arr1: t_Array (x: int_t t1 {refinement1 x}) n1)
+       (d1: num_bits t1)
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0)
+       (arr2: t_Array (x: int_t t2 {refinement2 x}) n2)
+       (d2: num_bits t2)
+       (offset1 offset2: nat)
+       (bits: nat {
+           offset1 + bits <= v n1 * d1
+         /\ offset2 + bits <= v n2 * d2
+       })
+     = bit_vec_equal #bits (fun i -> bit_vec_of_int_t_array arr1 d1 (i + offset1))
+     = forall (k: nat). k < bits ==>
+          bit_vec_of_int_t_array arr1 d1 (offset1 + k) 
+       == bit_vec_of_int_t_array arr2 d2 (offset2 + k)
+
+let int_arr_bitwise_eq_range_comm
+       #t1 #t2 #n1 #n2
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0)
+       (arr1: t_Array (x: int_t t1 {refinement1 x}) n1)
+       (d1: num_bits t1)
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0)
+       (arr2: t_Array (x: int_t t2 {refinement2 x}) n2)
+       (d2: num_bits t2)
+       (offset1 offset2: nat)
+       (bits: nat {
+           offset1 + bits <= v n1 * d1
+         /\ offset2 + bits <= v n2 * d2
+       })
+    : Lemma (requires int_arr_bitwise_eq_range arr1 d1 arr2 d2 offset1 offset2 bits)
+            (ensures int_arr_bitwise_eq_range arr2 d2 arr1 d1 offset2 offset1 bits)
+    = ()
+
+// kill that function in favor of range
+let int_arr_bitwise_eq_up_to
+       #t1 #t2 #n1 #n2
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0)
+       (arr1: t_Array (x: int_t t1 {refinement1 x}) n1)
+       (d1: num_bits t1)
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0)
+       (arr2: t_Array (x: int_t t2 {refinement x}) n2)
+       (d2: num_bits t2 {v n1 * d1 == v n2 * d2})
+       (max: nat {max <= v n1 * d1})
+     
+     = forall i. i < max
+       ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i
+
+let int_arr_bitwise_eq_
+       #t1 #t2 #n1 #n2
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0)
+       (arr1: t_Array (x: int_t t1 {refinement1 x}) n1)
+       (d1: num_bits t1)
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0)
+       (arr2: t_Array (x: int_t t2 {refinement x}) n2)
+       (d2: num_bits t2 {v n1 * d1 == v n2 * d2})
+     = int_arr_bitwise_eq_up_to arr1 d1 arr2 d2 (v n1 * d1)
+
+// move to fsti
+let bit_vec_equal #n (bv1 bv2: bit_vec n)
+  = forall i. i < n ==> bv1 i == bv2 i
+
+let int_arr_bitwise_eq
+       #t1 #t2 #n1 #n2
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0)
+       (arr1: t_Array (x: int_t t1 {refinement1 x}) n1)
+       (d1: num_bits t1)
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0)
+       (arr2: t_Array (x: int_t t2 {refinement x}) n2)
+       (d2: num_bits t2 {v n1 * d1 == v n2 * d2})
+     = forall i. i < v n1 * d1
+       ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i
+
+let int_arr_bitwise_eq_range_transitivity
+       #t1 #t2 #t3 #n1 #n2 #n3
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0)
+       (arr1: t_Array (x: int_t t1 {refinement1 x}) n1)
+       (d1: num_bits t1)
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0)
+       (arr2: t_Array (x: int_t t2 {refinement2 x}) n2)
+       (d2: num_bits t2)
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement3: int_t t3 -> Type0)
+       (arr3: t_Array (x: int_t t3 {refinement3 x}) n3)
+       (d3: num_bits t3)
+       (offset1 offset2 offset3: nat)
+       (bits: nat {
+           offset1 + bits <= v n1 * d1
+         /\ offset2 + bits <= v n2 * d2
+         /\ offset3 + bits <= v n3 * d3
+       })
+   : Lemma 
+     (requires int_arr_bitwise_eq_range #t1 #t2 #n1 #n2 arr1 d1 arr2 d2 offset1 offset2 bits
+             /\ int_arr_bitwise_eq_range #t2 #t3 #n2 #n3 arr2 d2 arr3 d3 offset2 offset3 bits)
+     (ensures  int_arr_bitwise_eq_range #t1 #t3 #n1 #n3 arr1 d1 arr3 d3 offset1 offset3 bits)
+   = ()
+
+
+let int_arr_bitwise_eq_range_intro
+       #t1 #t2 #n1 #n2
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0)
+       (arr1: t_Array (x: int_t t1 {refinement1 x}) n1)
+       (d1: num_bits t1)
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0)
+       (arr2: t_Array (x: int_t t2 {refinement x}) n2)
+       (d2: num_bits t2 {v n1 * d1 == v n2 * d2})
+   : Lemma 
+     (requires int_arr_bitwise_eq arr1 d1 arr2 d2)
+     (ensures int_arr_bitwise_eq_range arr1 d1 arr2 d2 0 0 (v n1 * d1))
+   = admit ()
+
+let int_arr_bitwise_eq_range_intro_eq_slice
+       #t #n1 #n2
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t -> Type0)
+       (arr1: t_Array (x: int_t t {refinement x}) n1)
+       (arr2: t_Array (x: int_t t {refinement x}) n2)
+       (d: num_bits t)
+       (offset1 offset2: nat)
+       (n: nat {offset1 + n < v n1 /\ offset2 + n < v n2})
+       (bits: nat {
+           offset1 + bits <= v n1 * d
+         /\ offset2 + bits <= v n2 * d
+         /\ bits <= n * d
+       })
+   : Lemma (requires Seq.slice arr1 offset1 (offset1 + n) == Seq.slice arr2 offset2 (offset2 + n))
+           (ensures int_arr_bitwise_eq_range arr1 d arr2 d offset1 offset2 bits)
+ = admit ()
+ 
+let int_arr_bitwise_eq_range_intro_eq
+       #t #n1 #n2
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t -> Type0)
+       (arr1: t_Array (x: int_t t {refinement1 x}) n1)
+       (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t -> Type0)
+       (arr2: t_Array (x: int_t t {refinement2 x}) n2)
+       (d: num_bits t)
+       (n_offset1 n_offset2: nat)
+       (n: nat {n_offset1 + n <= v n1 /\ n_offset2 + n <= v n2})
+       // (offset1 offset2: nat)
+       (bits: nat {
+           n_offset1 * d + bits <= v n1 * d
+         /\ n_offset2 * d + bits <= v n2 * d
+         /\ bits <= n * d
+       })
+   : Lemma (requires forall (i: nat). i < n ==> Seq.index arr1 (i + n_offset1) == Seq.index arr2 (i + n_offset2))
+           (ensures int_arr_bitwise_eq_range arr1 d arr2 d (n_offset1 * d) (n_offset2 * d) bits)
+ = admit ()
+*)
diff --git a/fstar-helpers/fstar-bitvec/Makefile b/fstar-helpers/fstar-bitvec/Makefile
new file mode 100644
index 000000000..b4ce70a38
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/Makefile
@@ -0,0 +1 @@
+include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
diff --git a/fstar-helpers/fstar-bitvec/MkSeq.fst b/fstar-helpers/fstar-bitvec/MkSeq.fst
new file mode 100644
index 000000000..89c8e0216
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/MkSeq.fst
@@ -0,0 +1,59 @@
+module MkSeq
+open Core
+
+open FStar.Tactics.V2
+
+private let init (len: nat) (f: (i:nat{i < len}) -> Tac 'a): Tac (list 'a)
+  = let rec h (i: nat {i <= len}): Tac (list 'a)
+     = if i = len then [] else f i :: h (i + 1)
+    in h 0
+
+private let tuple_proj (n: nat) (i: nat): Tac term
+  = if n = 1 then `(id) else
+    let name = "__proj__Mktuple" ^ string_of_int n ^ "__item___" ^ string_of_int (i + 1) in
+    Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name])
+
+private let tuple_type (n: nat): Tac term
+  = if n = 1 then `(id) else
+    let name = "tuple" ^ string_of_int n in
+    Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name])
+
+open Rust_primitives.Integers
+
+private let create_gen_tac (n: nat): Tac sigelt
+  = let typ_bd = {fresh_binder_named "t" (`Type0) with qual = FStar.Reflection.V2.Q_Implicit} in
+    let typ = binder_to_term typ_bd in
+    let input_typ = mk_e_app (tuple_type n) (init n (fun _ -> typ)) in
+    let input_bd = fresh_binder_named "tup" input_typ in
+    let output_type = `t_Array (`#typ) (sz (`@n)) in
+    let nth i = `((`#(tuple_proj n i)) (`#input_bd)) in
+    let mk_and: term -> term -> Tac term = fun t u -> `(`#t /\ `#u) in
+    let post =
+      let mk_inv s i = `(Seq.index (`#s) (`@i) == (`#(tuple_proj n i)) (`#input_bd)) in
+      let invs s = Tactics.fold_left mk_and (`(Seq.length (`#s) == (`@n))) (init n (mk_inv s)) in
+      let bd = fresh_binder_named "s" output_type in
+      mk_abs [bd] (invs bd)
+    in
+    let comp = C_Eff [] ["Prims"; "Pure"]
+      (`t_Array (`#typ) (sz (`@n)))
+      [ (`(requires True), Q_Explicit); (post, Q_Explicit)] []
+    in
+    let args = [typ_bd; input_bd] in
+    let l = Tactics.fold_right (fun hd tl -> `((`#hd)::(`#tl))) (init n nth) (`[]) in
+    let indexes =
+      let f i = `((`#(nth i)) == List.Tot.index (`#l) (`@i)) in
+      Tactics.fold_left mk_and (`True) (init n f)
+    in
+    let lb_def = mk_abs args (`(
+      let l = `#l in
+      let s = Seq.createL l <: t_Array (`#typ) (sz (`@n)) in
+      FStar.Classical.forall_intro (Seq.lemma_index_is_nth s);
+      assert (`#indexes) by (Tactics.norm [primops; iota; delta; zeta]);
+      s
+    )) in
+    let lb_typ = mk_arr args (pack_comp comp) in
+    let open FStar.List.Tot in
+    let lb_fv = pack_fv (cur_module () @ ["create" ^ string_of_int n]) in
+    Sg_Let { isrec = false; lbs = [{ lb_fv; lb_us = []; lb_typ; lb_def }] }
+
+%splice[] (init 13 (fun i -> create_gen_tac (i + 1)))
diff --git a/fstar-helpers/fstar-bitvec/RwLemmas.fst b/fstar-helpers/fstar-bitvec/RwLemmas.fst
new file mode 100644
index 000000000..1fc1e00de
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/RwLemmas.fst
@@ -0,0 +1,71 @@
+module RwLemmas
+
+open Core
+module L = FStar.List.Tot
+open FStar.Tactics.V2
+open FStar.Tactics.V2.SyntaxHelpers
+open FStar.Class.Printable
+open FStar.Mul
+open FStar.Option
+
+open Tactics.Utils
+open Tactics.Pow2
+
+open BitVecEq {}
+
+let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term)
+
+#push-options "--z3rlimit 40"
+let deserialize_10_int (bytes: t_Array u8 (sz 10)) =
+  let r0:i16 =
+    (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <<! 8l <: i16) |.
+    ((cast (bytes.[ sz 0 ] <: u8) <: i16) &. 255s <: i16)
+  in
+  let r1:i16 =
+    (((cast (bytes.[ sz 2 ] <: u8) <: i16) &. 15s <: i16) <<! 6l <: i16) |.
+    ((cast (bytes.[ sz 1 ] <: u8) <: i16) >>! 2l <: i16)
+  in
+  let r2:i16 =
+    (((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <<! 4l <: i16) |.
+    ((cast (bytes.[ sz 2 ] <: u8) <: i16) >>! 4l <: i16)
+  in
+  let r3:i16 =
+    ((cast (bytes.[ sz 4 ] <: u8) <: i16) <<! 2l <: i16) |.
+    ((cast (bytes.[ sz 3 ] <: u8) <: i16) >>! 6l <: i16)
+  in
+  let r4:i16 =
+    (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <<! 8l <: i16) |.
+    ((cast (bytes.[ sz 5 ] <: u8) <: i16) &. 255s <: i16)
+  in
+  let r5:i16 =
+    (((cast (bytes.[ sz 7 ] <: u8) <: i16) &. 15s <: i16) <<! 6l <: i16) |.
+    ((cast (bytes.[ sz 6 ] <: u8) <: i16) >>! 2l <: i16)
+  in
+  let r6:i16 =
+    (((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <<! 4l <: i16) |.
+    ((cast (bytes.[ sz 7 ] <: u8) <: i16) >>! 4l <: i16)
+  in
+  let r7:i16 =
+    ((cast (bytes.[ sz 9 ] <: u8) <: i16) <<! 2l <: i16) |.
+    ((cast (bytes.[ sz 8 ] <: u8) <: i16) >>! 6l <: i16)
+  in
+  let result:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
+    r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+  in
+  result
+#pop-options
+
+let deserialize_10_int' (bytes: t_Array u8 (sz 10)): t_Array i16 (sz 8)
+    = MkSeq.create8 (deserialize_10_int bytes)
+  
+#push-options "--compat_pre_core 0"
+#push-options "--z3rlimit 80"
+let fff_ (bytes: t_Array u8 (sz 10)) x: unit = 
+    let bv1 = bit_vec_of_int_t_array bytes 8 in
+    let out = deserialize_10_int' bytes in
+    let bv2 = bit_vec_of_int_t_array out 10 in
+    assert (forall (i: nat { i < 80 }). bv1 i == bv2 i) by (
+      Tactics.GetBit.prove_bit_vector_equality ()
+    )
+#pop-options
+
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Folds.fst b/fstar-helpers/fstar-bitvec/Tactics.Folds.fst
new file mode 100644
index 000000000..c5ead30b0
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/Tactics.Folds.fst
@@ -0,0 +1,82 @@
+module Tactics.Folds
+
+open Core
+module L = FStar.List.Tot
+module S = FStar.Seq.Base
+open FStar.Tactics.V2
+open FStar.Tactics.V2.SyntaxHelpers
+open FStar.Class.Printable
+open FStar.Mul
+open FStar.Option
+
+open Rust_primitives.Hax.Folds
+
+open Tactics.Utils
+
+// let unfold_fold_range
+//   (#acc_t: Type0) (#u: Lib.IntTypes.inttype)
+//   (start_: int_t u)
+//   (end_: int_t u)
+//   (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0)
+//   (init: acc_t {inv init start_})
+//   (f: (acc:acc_t -> i:int_t u  {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i}
+//                  -> acc':acc_t {(inv acc' (mk_int (v i + 1)))}))
+//    = if v start_ < v end_
+//      then fold_range (start_ +! mk_int 1) end_ inv (f init start_) f
+//      else init
+
+
+// #push-options "--z3rlimit 100"
+// let unfold_fold_range
+//   (#acc_t: Type0) (#u: Lib.IntTypes.inttype)
+//   (start_: int_t u)
+//   (end_: int_t u)
+//   (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0)
+//   (init: acc_t {inv init start_})
+//   (f: (acc:acc_t -> i:int_t u  {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i}
+//                  -> acc':acc_t {(inv acc' (mk_int (v i + 1)))}))
+//   : Lemma (  fold_range start_ end_ inv init f 
+//           == ( if v start_ < v end_
+//                then 
+//                  fold_range (start_ +! mk_int 1) end_ inv (f init start_) f
+//                else init )
+//     )
+//   = admit ()
+// #pop-options
+
+// let expect_fold_range t
+//   = let?# (fr, [acc_t,_;u,_;start_,_;end_,_;inv,_;init,_;f,_]) = expect_app_n t 7 in
+//     let _ = expect_free_var fr (`%fold_range) in
+//     Some (acc_t, u, start_, end_, inv, init, f)
+
+// let make_fold_range_lemma (start_: nat) (end_: nat): Tac _ = 
+//   let _ = tcut (quote (squash (forall acc_t u inv init f. 
+//        fold_range #acc_t #u start_ end_ inv init f
+//     == fold_range #acc_t #u start_ end_ inv init f
+//   ))) in
+//   flip ();
+//   let acc_t = forall_intro () in
+//   let u = forall_intro () in
+//   let inv = forall_intro () in
+//   let init = forall_intro () in
+//   let f = forall_intro () in
+//   fail "xx";
+//   let _ = rewrite_rhs () in
+//   flip ();
+//   focus (fun _ ->
+//     fail "xx";
+//     apply_lemma_rw (`unfold_fold_range)
+//   );
+//   ()
+//   // rewrite_lhs
+// //   let aux start_ =
+
+// jlet _ = 
+//   assert true by (make_fold_range_lemma 1 10)
+
+//   in
+  
+
+// let tactic_fold_range t
+//   = let?# expect_fold_range _ = 
+
diff --git a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst b/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst
new file mode 100644
index 000000000..abec9b4fe
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst
@@ -0,0 +1,66 @@
+/// Provides tactics around `get_bit _ _ == get_bit _ _` goals
+module Tactics.GetBit
+
+open Core
+module L = FStar.List.Tot
+open FStar.Tactics.V2
+open FStar.Tactics.V2.SyntaxHelpers
+open FStar.Class.Printable
+open FStar.Mul
+open FStar.Option
+
+open Tactics.Utils
+open Tactics.Pow2
+
+open BitVecEq
+open Tactics.Seq
+
+
+let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term)
+
+/// Does one round of computation
+let compute_one_round (): Tac _ =
+   norm [ iota; zeta; reify_
+          ; delta_namespace [
+              "FStar"
+            ; "BitVecEq"
+            ; implode_qn (cur_module ())
+            ; "MkSeq"
+            ; `%Rust_primitives.Hax.array_of_list
+            ; `%Libcrux_ml_kem.Vector.Portable.Vector_type.__proj__Mkt_PortableVector__item__f_elements
+          ]
+        ; primops; unmeta];
+   trace "compute_one_round: norm_pow2"        norm_pow2;
+   trace "compute_one_round: norm_machine_int" norm_machine_int;
+   trace "compute_one_round: norm_index"       norm_index
+
+/// Normalizes up to `get_bit`
+let compute': unit -> Tac unit = goal_fixpoint compute_one_round
+
+/// Proves a goal of the shape `forall (i:nat{i < N}). get_bit ... i == get_bit ... i` (`N` is expected to be a literal)
+let prove_bit_vector_equality'' (): Tac unit =
+  norm [
+    iota;
+    primops;
+    delta_only [`%bit_vec_of_int_t_array; `%FunctionalExtensionality.on];
+    delta_namespace [
+      implode_qn (cur_module ());
+      "Libcrux_intrinsics.Avx2_extract";
+      "BitVec.Intrinsics";
+      "BitVecEq";
+    ];
+  ];
+  compute_one_round ();
+  prove_forall_nat_pointwise (print_time "SMT solved the goal in " (fun _ -> 
+    Tactics.Seq.norm_index_minimal ();
+    l_to_r [`bit_vec_to_int_t_lemma];
+    print ("Ask SMT: " ^ term_to_string (cur_goal ()));
+    focus smt_sync
+  ))
+let prove_bit_vector_equality' (): Tac unit =
+  if lax_on ()
+  then iterAll tadmit
+  else prove_bit_vector_equality'' ()
+let prove_bit_vector_equality (): Tac unit = 
+  set_rlimit 100;
+  with_compat_pre_core 0 prove_bit_vector_equality'
diff --git a/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst b/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst
new file mode 100644
index 000000000..85bb0bb78
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst
@@ -0,0 +1,273 @@
+/// This module interprets machine integers terms that comes from
+/// `FStar.[U]Int*` modules or from `Rust_primtiives.Integers` module.
+/// It can then convert from and back those two representation,
+/// normalize them, etc.
+module Tactics.MachineInts
+
+open FStar.Tactics.V2
+open FStar.Tactics.V2.SyntaxHelpers
+open FStar.Class.Printable
+open FStar.Option
+
+open Tactics.Utils
+module RI = Rust_primitives.Integers
+
+/// The size of a machine int
+type size = 
+  | PtrSize
+  | Size of n:nat {match n with | 8 | 16 | 32 | 64 | 128 -> true | _ -> false}
+/// The signedness of a machine int
+type signedness = | Signed | Unsigned
+
+/// The operations we recognize on machine ints
+type machine_int_op = | MkInt | V
+
+/// The AST of a machine int expression
+noeq type machine_int_term =
+  /// Operations `mk_int` (aka `FStar.[U]Int*.[u]int_to_t`) and `v`
+  | Op { /// Which operation is it?
+         op: machine_int_op
+         /// Is that a generic (Rust_primitives.Integers) operation or a native one (FStar.[U]Int*)?
+       ; native: bool
+       ; size: size
+       ; signedness: signedness
+       ; contents: machine_int_term }
+  /// A (math) integer literal
+  | Lit of int
+  /// An arbitrary term
+  | Term of term
+
+/// Expect `n` to be a definition in a machine int namespace
+let expect_native_machine_int_ns (n: string): (option (signedness & size & string))
+  = match explode_qn n with
+  | "FStar"::int_module::[def_name] ->
+    let? (sign, size) = match int_module with
+    | "Int8"  -> Some (Signed, Size 8)
+    | "Int16" -> Some (Signed, Size 16)
+    | "Int32" -> Some (Signed, Size 32)
+    | "Int64" -> Some (Signed, Size 64)
+    | "Int128" -> Some (Signed, Size 128)
+    | "UInt8"  -> Some (Unsigned, Size 8)
+    | "UInt16" -> Some (Unsigned, Size 16)
+    | "UInt32" -> Some (Unsigned, Size 32)
+    | "UInt64" -> Some (Unsigned, Size 64)
+    | "UInt18" -> Some (Unsigned, Size 128)
+    | _ -> None
+    in Some (sign, size, def_name)
+  | _ -> None
+
+/// Given a sign and a size, produces the correct namespace `FStar.[U]Int*`
+let mk_native_machine_int_ns (sign: signedness) (size: size): option (list string)
+  = let sign = match sign with | Signed -> "" | Unsigned -> "U" in
+    let? size = match size with | PtrSize -> None | Size n -> Some (string_of_int n) in
+    Some ["FStar"; sign ^ "Int" ^ size]
+
+/// Interpret HACL*'s `inttype`s
+let expect_inttype t: Tac (option (signedness & size))
+  = let t = norm_term [iota; reify_; delta_namespace ["Rust_primitives.Integers"; "Lib.IntTypes"]; primops; unmeta] t in
+    let?# t = expect_fvar t in
+    match t with
+    | `%RI.i8_inttype   | `%Lib.IntTypes.S8   -> Some (  Signed, Size 8)
+    | `%RI.i16_inttype  | `%Lib.IntTypes.S16  -> Some (  Signed, Size 16)
+    | `%RI.i32_inttype  | `%Lib.IntTypes.S32  -> Some (  Signed, Size 32)
+    | `%RI.i64_inttype  | `%Lib.IntTypes.S64  -> Some (  Signed, Size 64)
+    | `%RI.i128_inttype | `%Lib.IntTypes.S128 -> Some (  Signed, Size 128)
+    | `%RI.u8_inttype   | `%Lib.IntTypes.U8   -> Some (Unsigned, Size 8)
+    | `%RI.u16_inttype  | `%Lib.IntTypes.U16  -> Some (Unsigned, Size 16)
+    | `%RI.u32_inttype  | `%Lib.IntTypes.U32  -> Some (Unsigned, Size 32)
+    | `%RI.u64_inttype  | `%Lib.IntTypes.U64  -> Some (Unsigned, Size 64)
+    | `%RI.u128_inttype | `%Lib.IntTypes.U128 -> Some (Unsigned, Size 128)
+    | `%RI.isize_inttype -> Some (Signed, PtrSize)
+    | `%RI.usize_inttype -> Some (Unsigned, PtrSize)
+    | _ -> None
+
+/// Given a signedness and a size, creates a name `[ui]*_inttype`
+let mk_inttype_name (sign: signedness) (size: size): name =
+  let sign = match sign with | Signed -> "i" | Unsigned -> "u" in
+  let size = match size with | PtrSize -> "size" | Size n -> string_of_int n in
+  ["Rust_primitives"; "Integers"; sign ^ size ^ "_inttype"]
+
+/// Given a signedness and a size, creates a term `[ui]*_inttype`
+let mk_inttype (sign: signedness) (size: size): Tac term =
+  pack (Tv_FVar (pack_fv (mk_inttype_name sign size)))
+
+/// Interprets a term as a machine int. This function always returns
+/// something: when `t` is not a machine int expression we recognize,
+/// it returns `Term t`. Below, `term_to_machine_int_term` returns an
+/// option.
+let rec term_to_machine_int_term' (t: term): Tac machine_int_term =
+  match term_to_machine_int_term'' t with | Some t -> t | None -> Term t
+and term_to_machine_int_term'' (t: term): Tac (option machine_int_term) =
+  let t = norm_term [delta_only [(`%RI.sz); (`%RI.isz)]] t in
+  match t with
+  | Tv_Const (C_Int n) -> Some (Lit n)
+  | _ ->
+    let?# (hd, args) = collect_app_hd t in
+    match expect_native_machine_int_ns hd, args with
+    | (Some (signedness, size, def_name), [arg, _]) -> begin
+      let native = true in
+      let contents = term_to_machine_int_term' arg in
+      let?# op = match def_name with
+      | "__uint_to_t" | "__int_to_t" | "uint_to_t" | "int_to_t" -> Some MkInt
+      | "v" -> Some V | _   -> None in
+      Some (Op {op; native; size; signedness; contents})
+      end
+    | (None, [inttype, _; contents, _]) -> begin
+      let?# (signedness, size) = expect_inttype inttype in
+      let contents = term_to_machine_int_term' contents in
+      let?# op = match hd with | `%RI.mk_int -> Some MkInt
+                               | `%RI.v      -> Some V
+                               | _ -> None in
+      Some (Op {op; native = false; size; signedness; contents})
+      end
+    | _ -> None
+
+/// Tries to interpret a term as a machine int
+let term_to_machine_int_term (t: term): Tac (option (t: machine_int_term {~(Term? t)}))
+  = match term_to_machine_int_term' t with
+  | Term _ -> None | t -> Some t
+
+/// Transform a machine int AST into a term. Note that this doesn't
+/// support native usize/isize (aka `FStar.SizeT`), whence the option.
+let rec machine_int_term_to_term (t: machine_int_term): Tac (option term) =
+  match t with
+  | Term t -> Some t
+  | Op {native = false; op; size; signedness; contents} -> 
+    let inttype = mk_inttype signedness size in
+    let?# contents = machine_int_term_to_term contents in
+    let op = match op with | V -> `RI.v
+                           | MkInt -> `RI.mk_int in
+    Some (`((`#op) #(`#inttype) (`#contents)))
+  | Op {native = true; op; size; signedness; contents} -> 
+    let?# ns = mk_native_machine_int_ns signedness size in
+    let f = FStar.List.Tot.append ns [
+      match op with
+      | MkInt -> (match signedness with | Signed -> "" | Unsigned -> "u") ^ "int_to_t"
+      | V     -> "v"
+    ] in
+    let f = pack (Tv_FVar (pack_fv f)) in
+    let?# contents = machine_int_term_to_term contents in
+    Some (mk_e_app f [contents])
+  | Lit n -> Some (pack (Tv_Const (C_Int n)))
+
+/// An operation on a machine_int_term
+type operation = machine_int_term -> option machine_int_term
+
+/// Removes `mk_int (v ...)` or `v (mk_int ...)` when it's the same type
+let rec flatten_machine_int_term: operation = function
+  | Op x -> begin match x.contents with
+           | Op y -> if x.op <> y.op && x.size = y.size && x.signedness = y.signedness 
+                    then Some (match flatten_machine_int_term y.contents with
+                       | Some result -> result
+                       | None        -> y.contents)
+                    else let? y = flatten_machine_int_term (Op y) in
+                         Some (Op {x with contents = y})
+           | _ -> None
+           end
+  | _ -> None
+
+/// Makes a machine int native or not
+let rec change_native_machine_int_term (native: bool): operation = function
+  | Op x -> let contents = change_native_machine_int_term native x.contents in
+           if x.native = native
+           then None
+           else Some (Op { x with native
+                                ; contents = match contents with
+                                           | Some contents ->   contents
+                                           | None          -> x.contents})
+  | _ -> None
+
+/// Combines two operation together
+let combine: operation -> operation -> operation =
+  fun f g t -> match f t with 
+          | Some t -> (match g t with | Some t -> Some t | None -> Some t)
+          | None   -> g t
+
+/// We call `x` a normal machine integer if `x` has no `mk_int (v
+/// ...)` or `v (mk_int ...)` sequence and if all `mk_int` and `v` are
+/// native (aka `FStar.[U]Int*.*`, not
+/// `Rust_primitives.Integer.*`). Note `usize` is an exception,
+/// `mk_int` and `v` alone one usizes (and isizes) cannot be reduced
+/// further.
+let norm_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term true)
+
+/// We call `x` a normal generic machine integer if `x` has no
+/// `FStar.[U]Int*.[u]int_to_t/v`, and no `mk_int (v ...)` or `v
+/// (mk_int ...)`.
+let norm_generic_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term false)
+
+/// Unfolds `mk_int` using `mk_int_equiv_lemma`
+let norm_mk_int () =
+  let?# (lhs, _) = expect_lhs_eq_uvar () in
+  let lhs' = term_to_machine_int_term lhs in
+  match?# lhs' with
+  | Op {op = MkInt; native = false; size; signedness; contents} -> 
+     let inttype = mk_inttype signedness size in
+     let lemma = `(RI.mk_int_equiv_lemma #(`#inttype)) in
+     let lemma = norm_term [primops; iota; delta; zeta] lemma in
+     focus (fun _ -> 
+       apply_lemma_rw lemma
+     );
+     Some ()
+  | _ -> None
+
+/// Lemmas to deal with the special case of usize
+let rw_v_mk_int_usize x
+  : Lemma (eq2 (RI.v #RI.usize_inttype (RI.mk_int #RI.usize_inttype x)) x) = ()
+let rw_mk_int_v_usize x
+  : Lemma (eq2 (RI.mk_int #RI.usize_inttype (RI.v #RI.usize_inttype x)) x) = ()
+
+/// Rewrites `goal_lhs` into `machine_int`. This function expects the
+/// goal to be of the shape `<goal_lhs> == (?...)`, where `<goal_lhs>`
+/// is a machine int. Do not call this function directly.
+let _rewrite_to (goal_lhs: term) (eq_type: typ) (machine_int: machine_int_term): Tac (option unit)
+  = let?# t_term = machine_int_term_to_term machine_int in
+    Some (focus (fun _ ->
+      let rw = tcut (`squash (eq2 #(`#eq_type) (`#goal_lhs) (`#t_term))) in
+      // This tcut will generate simple verification conditions, we
+      // discharge them right away
+      // iterAllSMT (fun () -> smt_sync `or_else` (fun _ -> dump "norm_mk_int: Could not solve SMT here"));
+      flip ();
+      pointwise' (fun () -> match norm_mk_int () with 
+                      | Some _ -> ()
+                      | None   -> // special case for usize
+                        (fun () ->           (fun () -> apply_lemma_rw (`rw_v_mk_int_usize))
+                                `or_else` (fun () -> apply_lemma_rw (`rw_mk_int_v_usize)))
+                        `or_else` trefl
+                );
+      compute ();
+      trefl ();
+      apply_lemma_rw rw
+    ))
+
+/// Rewrites a goal deeply, replacing every machine integer expression
+/// `x` by `f x` (when it is `Some _`).
+let transform (f: machine_int_term -> option machine_int_term): Tac unit
+  = pointwise' (fun _ ->
+      match revert_if_none (fun _ -> 
+              let?# (lhs, eq_type) = expect_lhs_eq_uvar () in
+              let?# machine_int = term_to_machine_int_term lhs in
+              let?# machine_int' = f machine_int in
+              let?# _ = _rewrite_to lhs eq_type machine_int' in
+              Some ()
+            )
+      with
+      | None -> trefl ()
+      | _ -> ()
+    )
+
+open Rust_primitives.Integers
+let _ = fun x -> assert (v (mk_int #usize_inttype x) == x) 
+                by (transform norm_machine_int_term; trefl ())
+let _ =       assert (mk_int #u8_inttype 3 == 3uy) 
+                by (transform norm_machine_int_term; trefl ())
+let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x)
+                by (transform norm_machine_int_term)
+let _ = assert (v (mk_int #usize_inttype 3) == 3) 
+                by (transform norm_machine_int_term; trefl ())
+let _ = fun x -> assert (v (mk_int #usize_inttype x) == x) 
+                by (transform norm_machine_int_term; trefl ())
+let _ =       assert (mk_int #u8_inttype 3 == 3uy)
+                by (transform norm_generic_machine_int_term; trefl ())
+let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x)
+                by (transform norm_generic_machine_int_term; trefl ())
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst b/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst
new file mode 100644
index 000000000..9f6ee1f0f
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst
@@ -0,0 +1,58 @@
+/// Provides tools to normalize `pow2`
+module Tactics.Pow2
+
+open Core
+open Tactics.Utils
+open FStar.Tactics.V2
+
+/// Expects `t` to be of the shape `pow2 n`, with `n` a literal, returns n
+let expect_pow2_literal t: Tac (option int)
+    = let?# (f, [x, _]) = expect_app_n t 1 in
+      let?# () = expect_free_var f (`%pow2) in
+      expect_int_literal x
+
+/// Expects `t` to be of the shape `pow2 n - 1`, with `n` a literal, returns n
+let expect_pow2_minus_one_literal t: Tac (option int)
+    = let?# (f, [x, _; y, _]) = expect_app_n t 2 in
+      let?# () = expect_free_var f (`%op_Subtraction) in
+      let?# y = expect_int_literal y in
+      let?? () = y = 1 in
+      expect_pow2_literal x
+
+/// Fully normalize a term of the shape `pow2 n`, where `n` is a literal
+let norm_pow2 (): Tac unit =
+  pointwise (fun () -> 
+    let _ = let?# (t, _) = expect_lhs_eq_uvar () in
+            let?# n = expect_pow2_literal t in
+            debug ("Normalized `pow2 " ^ string_of_int n ^ "`");
+            Some (norm [iota; zeta_full; reify_; delta; primops; unmeta]) in
+    trefl ())
+
+/// Inverse of `pow2`
+let rec log2 (n: nat): Tot (option (m: nat {pow2 m == n})) (decreases n)
+    = if n = 0 then None
+      else if n = 1 then Some 0
+      else if n % 2 <> 0 then None
+           else match log2 (n / 2) with
+                | Some n -> Some (1 + n)
+                | None   -> None
+
+/// Rewrite integers in the goal into `pow2 _ - 1` whenever possible
+let rewrite_pow2_minus_one () =
+   pointwise (fun () -> 
+    match let?# (t, _) = expect_lhs_eq_uvar () in
+          let?# n = expect_int_literal t in
+          if n >= 0 then
+            match log2 (n + 1) with
+            | Some e -> 
+              let rw_lemma (): Lemma (n == pow2 e - 1) = () in
+              apply_lemma_rw (quote rw_lemma);
+              Some ()
+            | _ -> None
+         else None
+    with None -> trefl () | _ -> ()
+   )
+
+// Test
+let _ = fun (i: nat) -> assert (pow2 (i + 3) + pow2 10 == pow2 (i + 3) + 1024)
+                       by (norm_pow2 (); trefl ())
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Seq.fst b/fstar-helpers/fstar-bitvec/Tactics.Seq.fst
new file mode 100644
index 000000000..0a7015968
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/Tactics.Seq.fst
@@ -0,0 +1,123 @@
+module Tactics.Seq
+
+open Core
+module L = FStar.List.Tot
+module S = FStar.Seq
+open FStar.Tactics.V2
+open FStar.Tactics.V2.SyntaxHelpers
+open FStar.Class.Printable
+open FStar.Mul
+open FStar.Option
+
+open Tactics.Utils
+open Tactics.Pow2
+
+(*** Rewrite lemmas *)
+private let rw_seq_index_list #t (l: list t) i
+    : Lemma (S.index (S.seq_of_list l) i == FStar.List.Tot.index l i) 
+    = ()
+private let rw_index_slice #typ (s: S.seq typ) i j n: Lemma (S.index (S.slice s i j) n == S.index s (normalize_term (i + n)))
+  = ()
+private let rw_index_upd s n v i
+  : Lemma (S.index (S.upd s n v) i  == (if n = i then v else S.index s i))
+  = ()
+
+/// A version of `L.index` to mark specific instances we want to normalize.
+let rec index_to_normalize #a (l: list a) (i:nat{i < L.length l}): Tot a 
+  = let hd::tl = l in
+    if i = 0 then hd else index_to_normalize tl (i - 1)
+
+private let rec rw_index_to_index_to_normalize #a (l: list a) (i:nat{i < L.length l})
+  : Lemma (L.index #a l i == index_to_normalize #a l i)
+  = if i = 0 then () else rw_index_to_index_to_normalize (L.tl l) (i - 1)
+  
+
+(*** Tactics that apply those lemmas only if needed *)
+let tactic_list_index ()
+  = let?# (t, _) = expect_lhs_eq_uvar () in
+    let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in
+    let?# () = expect_free_var f (`%FStar.List.Tot.index) in
+    let?# n = expect_int_literal index in
+    apply_lemma_rw (`rw_index_to_index_to_normalize);
+    Some ()
+
+/// Expects `t` to be of the shape `seq_of_list #_ _`
+let expect_seq_of_list (t: term): Tac (option (term & term))
+  = let?# (f, [t,_; index,_]) = expect_app_n t 2 in
+    let?# _ = expect_free_var f (`%S.seq_of_list) in
+    Some (t, index)
+    
+/// Expects `t` to be of the shape `index #_ _`
+let expect_seq_index (t: term): Tac (option (term & term & term))
+  = let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in
+    let?# () = expect_free_var f (`%S.index) in
+    Some (typ, l, index)
+
+/// Expects `t` to be of the shape `slice #_ _`
+let expect_seq_slice (t: term): Tac (option (term & term & term & term))
+  = let?# (f, [typ, _; s, _; i, _; j, _]) = expect_app_n t 4 in
+    let?# () = expect_free_var f (`%S.slice) in
+    Some (typ, s, i, j)
+    
+/// Expects `t` to be of the shape `upd #_ _`
+let expect_seq_upd (t: term): Tac (option (term & term & term & term))
+  = let?# (f, [typ, _; s, _; i, _; v, _]) = expect_app_n t 4 in
+    let?# () = expect_free_var f (`%S.upd) in
+    Some (typ, s, i, v)
+
+let tactic_seq_index_of_list ()
+  = let?# (t, _) = expect_lhs_eq_uvar () in
+    let?# (_, l, _) = expect_seq_index t in
+    let?# _ = expect_seq_of_list l in
+    apply_lemma_rw (`rw_seq_index_list);
+    Some ()
+
+let tactic_rw_index_slice ()
+  = let?# (t, _) = expect_lhs_eq_uvar () in
+    let?# (typ, s, index) = expect_seq_index t in
+    let?# (_, s, i, j) = expect_seq_slice s in
+    apply_lemma_rw (`rw_index_slice #(`#typ) (`#s) (`#i) (`#j));
+    Some ()
+
+let tactic_rw_index_upd ()
+  = let?# (t, _) = expect_lhs_eq_uvar () in
+    let?# (typ, s, index) = expect_seq_index t in
+    let?# (_, s, i, v) = expect_seq_upd s in
+    apply_lemma_rw (`rw_index_upd #(`#typ) (`#s) (`#i) (`#v));
+    Some ()
+
+(*** Final tactics *)
+let norm_zeta_full_list_index (): Tac unit
+  = norm [iota; primops; zeta_full; delta_only [`%index_to_normalize]]
+
+
+let norm_index_minimal (): Tac unit
+  = pointwise ((unwrap ∘ tactic_list_index) ||> trefl);
+    norm_zeta_full_list_index ()
+
+let norm_index' (): Tac unit
+  = pointwise (   (unwrap ∘ tactic_seq_index_of_list)
+              ||> (unwrap ∘ tactic_list_index)
+              ||> (unwrap ∘ tactic_rw_index_slice)
+              ||> (unwrap ∘ tactic_rw_index_upd)
+              ||> trefl)
+
+let norm_index (): Tac unit
+  = goal_fixpoint norm_index' ();
+    norm_zeta_full_list_index ()
+
+
+(*** Tests *)
+let _ = assert (
+    let s = S.seq_of_list [1;2;3;4;5;6] in
+    let s = S.slice s 2 4 in
+    S.index s 1 == 4
+) by (norm []; norm_index (); trefl ())
+
+let _ = assert (
+  L.index [L.index [1;2;3;4;5;6] (L.index [1;2;3;4;3;3] 2)] 0 == 4
+) by (norm_index(); trefl ())
+let _ = assert (
+  S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;4;1]) 3);1]) 3);1]) 3 == 4
+) by (norm_index(); trefl ())
+
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst
new file mode 100644
index 000000000..18030a682
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst
@@ -0,0 +1,328 @@
+module Tactics.Utils
+
+open Core
+open FStar.Option
+module L = FStar.List.Tot
+open FStar.Tactics.V2
+open FStar.Tactics.V2.SyntaxHelpers
+open FStar.Class.Printable
+open FStar.Mul
+
+(*** Let operators *)
+let (let?#) (x: option 'a) (f: 'a -> Tac (option 'b)): Tac (option 'b)
+  = match x with
+  | Some x -> f x
+  | None   -> None
+
+let ( let?? ) (x: bool) (f: unit -> Tac (option 'a)): Tac (option 'a)
+  = if x then f () else None
+
+(*** Debug helpers *)
+/// Dump before failing (in some cases, exception cathing messes with
+/// `fail`)
+let fail' msg = dump msg; fail msg
+
+exception Restore
+/// Dumps a goal with a minimal number of binders in the environment
+let dump' (msg: string): Tac unit
+    = try set_smt_goals [];
+          iterAll (fun _ -> let _ = repeat clear_top in ());
+          dump msg;
+          raise Restore
+      with | _ -> ()
+
+(*** `option _` helpers *)
+/// Executes `f`, if it fails, execute `g`. Like `or_else`, but returns
+/// a chunk.
+let ( ||> ) (f: 'a -> Tac 'b) (g: 'a -> Tac 'b) (a: 'a): Tac 'b
+  = try f a with | _ -> g a
+
+exception ExpectedSome
+/// Unwraps an option, throws `ExpectedSome` if the option is `None`
+let unwrap (x: option 'a): Tac 'a 
+  = match x with
+  | Some x -> x
+  | None -> raise ExpectedSome
+
+/// Expects an option to be `None`, otherwise throws an error
+let expect (msg: string) (x: option 'a): Tac 'a
+  = match x with
+  | None -> dump' ("Expected " ^ msg);
+           fail ("Expected " ^ msg)
+  | Some x -> x
+
+(*** misc. utils *)
+/// Reverse function composition (in Tac)
+unfold let (>>>) (f: 'a -> Tac 'b) (g: 'b -> Tac 'c) (x: 'a): Tac 'c
+  = g (f x)
+/// Function composition (in Tac)
+unfold let (∘) (f: 'b -> Tac 'c) (g: 'a -> Tac 'b): 'a -> Tac 'c
+  = g >>> f
+
+
+let trace (fun_name: string) (t: unit -> Tac 'b) =
+  print (fun_name ^ ": enter");
+  let result = 
+    try t ()
+    with | e -> (print (fun_name ^ ": exit (with an exception!)"); raise e)
+  in 
+  print (fun_name ^ ": exit");
+  result
+
+(*** control utils *)
+/// Repeats a tactic `f` until the goal is stable
+let goal_fixpoint (f: unit -> Tac unit): unit -> Tac unit
+  = let rec aux (): Tac _ =
+        let goal0 = cur_goal () in
+        f ();
+        let goal1 = cur_goal () in
+        if not (term_eq goal0 goal1) then aux ()
+    in aux
+
+private exception DoRefl
+let some_or_refl (f: unit -> Tac (option unit))
+  = or_else (fun _ -> match f () with | None -> raise DoRefl | _ -> ()) trefl
+
+/// Runs `f` on each subterms for rewrite. If `f` is `None` or raises
+/// an error, applies `trefl`.
+let pointwise_or_refl (f: unit -> Tac (option unit))
+  = pointwise (fun _ -> some_or_refl f)
+
+let rec repeatWhile (f: unit -> Tac bool): Tac unit
+  = if f () then repeatWhile f
+
+(*** `expect_*` combinators *)
+let expect_int_literal (t: term): Tac (option int) =
+    match inspect_unascribe t with
+    | Tv_Const (C_Int n) -> Some n
+    | _ -> None
+
+let expect_fvar (t: term): Tac (option string) =
+    match t with
+    | Tv_UInst fv _
+    | Tv_FVar fv -> Some (implode_qn (inspect_fv fv))
+    | _ -> None
+
+let expect_free_var (t: term) (fv: string): Tac (option unit) =
+    let?# fv' = expect_fvar t in
+    if fv = fv' then Some () else None
+
+let expect_lhs_eq_rhs_term t = 
+    match term_as_formula t with
+    | Comp (Eq typ) lhs rhs -> 
+      let typ = match typ with | None -> `_ | Some typ -> typ in
+      Some (lhs, rhs, typ)
+    | _ -> None
+
+let expect_lhs_eq_rhs () = 
+    expect_lhs_eq_rhs_term (cur_goal ())
+
+let expect_lhs_eq_uvar () = 
+    match expect_lhs_eq_rhs () with
+    | Some (lhs, rhs, typ) -> 
+      ( match rhs with | Tv_Uvar _ _ -> Some (lhs, typ) | _ -> None )
+    | _ -> None
+
+let expect_app_n t n: Tac (option (term & (l: list _ {L.length l == n}))) =
+    let (head, args) = collect_app t in
+    if L.length args = n
+    then Some (head, args)
+    else None
+
+let expect_forall t: Tac _ =
+    match term_as_formula t with
+    | Forall bv typ phi -> Some (bv, typ, phi)
+    | _ -> None
+
+(*** Rewrite utils *)
+private exception ForceRevert
+let revert_if_none (f: unit -> Tac (option 'a)): Tac (option 'a)
+  = try match f () with Some x -> Some x 
+                      | None -> raise ForceRevert
+    with | ForceRevert -> None | e -> raise e
+
+/// Collects an application whose head is a free variable
+let collect_app_hd t: Tac (option (string & list argv))
+  = let (hd, args) = collect_app t in
+    let?# fv = expect_fvar hd in
+    Some (fv, args)
+
+let statement_of_lemma (lemma: term) =
+  let _, comp = collect_arr (tc (cur_env ()) lemma) in
+  match inspect_comp comp with
+  | C_Total x
+  | C_Lemma _ x _ -> (
+      match x with
+      | Tv_Abs _ x -> `(squash (`#x))
+      | _ -> `(squash (`#x))
+    )
+  | _ -> fail "statement_of_lemma: supports only Tot and Lemma"
+
+let weaken_eq2_lemma (u: Type) (t: Type {subtype_of t u}) (p q: t) ()
+  : Lemma (requires ( == ) #u p q)
+          (ensures  ( == ) #t p q)
+  = ()
+
+/// `apply_lemma_rw` doesn't work if the goal is `(==) #t ... (?u ...)` while the lemma is `(==) #u .. (?u ....)`. `apply_lemma_rw_eqtype` fixes some of those case, and warns about it.
+let apply_lemma_rw_eqtype (lemma: term): Tac unit
+  = try
+      apply_lemma_rw lemma 
+    with
+    | e -> match
+            let stmt = statement_of_lemma lemma in
+            let?# (lemma_lhs, lemma_rhs, type_lemma') = expect_lhs_eq_rhs_term stmt in
+            let?# (goal_lhs, goal_rhs, type_goal') = expect_lhs_eq_rhs () in
+            let type_lemma = norm_term [delta; iota; primops] type_lemma' in
+            let type_goal  = norm_term [delta; iota; primops] type_goal'  in
+            if term_eq type_lemma type_goal
+            then None
+            else
+              ( print "######## Warning: apply_lemma_rw, rewrite equalities with different type";
+                print ("######## Your lemma has eq over type " ^ term_to_string type_lemma);
+                print ("######## Your goal has eq over type " ^ term_to_string type_goal);
+                print ("######## Trying to weaken the type of the goal.");
+                apply_lemma (
+                  `weaken_eq2_lemma
+                    (`#type_lemma') (`#type_goal')
+                    (`#goal_lhs) (`#goal_rhs)
+                );
+                apply_lemma_rw lemma;
+                Some ()
+              )
+          with | None -> raise e
+               | Some () -> ()
+
+/// Rewrites LHS of an equality: on goal `squash (x == y)`, it will add `squash (x == (?u ...))`.
+let rewrite_lhs (): Tac _ =
+  let (lhs, _, _) = expect_lhs_eq_rhs () |> expect "a goal `<lhs> == <rhs>` (rewrite_lhs)" in
+  let uvar = fresh_uvar (Some (tc (cur_env ()) lhs)) in
+  tcut (`squash (`#lhs == `#uvar))
+  
+/// Rewrites RHS of an equality: on goal `squash (x == y)`, it will add `squash (y == (?u ...))`.
+let rewrite_rhs (): Tac _ =
+  let (_, rhs, _) = expect_lhs_eq_rhs () |> expect "a goal `<lhs> == <rhs>` (rewrite_rhs)" in
+  let uvar = fresh_uvar (Some (tc (cur_env ()) rhs)) in
+  tcut (`squash (`#rhs == `#uvar))
+
+open FStar.Tactics
+(*** Unification *)
+(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are
+unification variables. This returns a list of terms to substitute `x1`
+... `xN` with. You probably want `norm_steps` to be `[delta_only
+[`%the_name_of_function_fn]]` *)
+exception UnifyAppReturn of (option (list term))
+let unify_app (t fn: term) norm_steps: Tac (option (list term))
+  = let (* Tactic types are confusing, seems like we need V1 here *)
+        open FStar.Tactics.V1 in
+    let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in
+    try
+      let _fake_goal = 
+        (* create a goal `b1 -> ... -> bn -> squash True` *)
+        let trivial = `squash True in
+        let trivial_comp = pack_comp (C_Total trivial) in
+        unshelve (fresh_uvar (Some (match bds with | [] -> trivial | _ -> mk_arr bds trivial_comp)))
+      in
+      (* get back the binders `b1`, ..., `bn` *)
+      let bds = intros () in
+      let args = FStar.Tactics.Util.map (fun (b: binder) -> b <: term) bds in
+      let norm_term = norm_term (hnf::norm_steps) in
+      let fn, t = norm_term (mk_e_app fn args), norm_term t in
+      let fn = `(((`#fn), ())) in
+      let dummy_var = fresh_namedv_named "dummy_var" in
+      let t = `(((`#t), (`#dummy_var))) in
+      let vars = map (fun b -> 
+        let b = inspect_binder b in
+        let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in
+        let sort = b.binder_sort in
+        let nv: namedv_view = {uniq; ppname; sort = seal sort} in
+        (FStar.Reflection.V2.pack_namedv nv, sort)
+      ) bds in
+      let vars = 
+        List.Tot.append
+          vars 
+          [(FStar.Reflection.V2.pack_namedv dummy_var, `())] 
+      in
+      let?# substs = fst (try_unify (cur_env ()) vars fn t) in
+      raise (UnifyAppReturn (
+        if List.Tot.length substs <> List.Tot.length bds + 1
+        then (print ("unify_app: WARNING: inconsistent lengths: " ^ string_of_int (List.Tot.length substs) ^ " - 1 VS " ^ string_of_int (List.Tot.length bds + 1)); None)
+        else (
+          match substs with
+          | [] -> None
+          | _::substs -> Some (List.Tot.rev (map (fun (_, t) -> t) substs))
+        )))
+    with | UnifyAppReturn result -> result
+         | e -> raise e
+
+(*** Logging and time *)
+let time_tactic_ms (t: 'a -> Tac 'b) (x: 'a): Tac ('b & int)
+  = let time0 = curms () in
+    let result = t x in
+    let time1 = curms () in
+    (result, time1 - time0)
+
+let print_time prefix (t: 'a -> Tac 'b) (x: 'a): Tac 'b
+  = let (result, time) = time_tactic_ms t x in
+    print (prefix ^ string_of_int (time / 1000) ^ "." ^ string_of_int ((time/100)%10) ^ "s");
+    result
+
+(*** Unroll forall goals *)
+let _split_forall_nat
+  (upper_bound: pos)
+  ($p: (i:nat{i < upper_bound}) -> Type0)
+  : Lemma (requires (if upper_bound = 0 then True
+                     else p (upper_bound - 1) /\ (forall (i:nat{i < upper_bound - 1}). p i)))
+          (ensures forall (i:nat{i < upper_bound}). p i)
+  = ()
+
+
+let focus_first_forall_goal (t : unit -> Tac unit) : Tac unit =
+  let goals = goals () in
+  let found_goal = alloc false in
+  iterAll (fun _ -> 
+    (match expect_forall (cur_goal ()) with
+    | Some _ ->
+      if read found_goal
+      then ()
+      else begin
+        write found_goal true;
+        t ();
+        ()
+      end
+    | _ -> 
+      ())
+  );
+  if not (read found_goal) then t ()
+
+/// Proves `forall (i:nat{i < bound})` for `bound` being a concrete int
+let rec prove_forall_nat_pointwise (tactic: unit -> Tac unit): Tac unit
+  = focus_first_forall_goal (fun _ -> 
+      let _ =
+        (* hacky way of printing the progress *)
+        let goal = term_to_string (cur_goal ()) in
+        let goal = match String.split ['\n'] goal with
+                   | s::_ -> s | _ -> "" in
+        print ("prove_forall_pointwise: " ^ goal ^ "...")
+      in
+      apply_lemma (`_split_forall_nat);
+      trivial `or_else` (fun _ -> 
+        if try norm [primops];
+               split ();
+               true
+           with | e -> false
+        then (
+          tactic ();
+          prove_forall_nat_pointwise tactic
+        )
+      )
+    )
+
+#push-options "--compat_pre_core 2"
+private let _example (phi: int -> Type0) (proof: (i:int -> Lemma (phi i))) = 
+  assert (forall (i: nat {i < 40}). phi i)
+      by (
+        prove_forall_nat_pointwise (fun _ -> 
+          apply_lemma (quote proof)
+        )
+      )
+#pop-options
diff --git a/fstar-helpers/fstar-bitvec/dep.graph b/fstar-helpers/fstar-bitvec/dep.graph
new file mode 100644
index 000000000..58c54a479
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/dep.graph
@@ -0,0 +1,2316 @@
+digraph {
+  "fstar_int32" -> "fstar_uint"
+  "fstar_int32" -> "fstar_uint"
+  "fstar_int32" -> "fstar_uint32"
+  "fstar_int32" -> "fstar_uint32"
+  "fstar_int32" -> "fstar_mul"
+  "fstar_int32" -> "fstar_mul"
+  "fstar_int32" -> "fstar_int"
+  "fstar_int32" -> "fstar_int"
+  "fstar_int32" -> "fstar_pervasives"
+  "fstar_int32" -> "fstar_pervasives"
+  "fstar_int32" -> "prims"
+  "fstar_int32" -> "prims"
+  "fstar_pervasives" -> "fstar_pervasives_native"
+  "fstar_pervasives" -> "fstar_pervasives_native"
+  "fstar_pervasives" -> "prims"
+  "fstar_pervasives" -> "prims"
+  "fstar_seq" -> "fstar_seq_properties"
+  "fstar_seq" -> "fstar_seq_properties"
+  "fstar_seq" -> "fstar_seq_base"
+  "fstar_seq" -> "fstar_seq_base"
+  "fstar_seq" -> "fstar_pervasives"
+  "fstar_seq" -> "fstar_pervasives"
+  "fstar_seq" -> "prims"
+  "fstar_seq" -> "prims"
+  "fstar_int32" -> "fstar_uint32"
+  "fstar_int32" -> "fstar_uint32"
+  "fstar_int32" -> "fstar_math_lemmas"
+  "fstar_int32" -> "fstar_math_lemmas"
+  "fstar_int32" -> "fstar_mul"
+  "fstar_int32" -> "fstar_mul"
+  "fstar_int32" -> "fstar_int"
+  "fstar_int32" -> "fstar_int"
+  "fstar_int32" -> "fstar_pervasives"
+  "fstar_int32" -> "fstar_pervasives"
+  "fstar_int32" -> "prims"
+  "fstar_int32" -> "prims"
+  "fstar_int32" -> "fstar_int32"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_v1_builtins"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_types"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives"
+  "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives"
+  "fstar_tactics_v1_syntaxhelpers" -> "prims"
+  "fstar_tactics_v1_syntaxhelpers" -> "prims"
+  "core_option" -> "fstar_pervasives"
+  "core_option" -> "fstar_pervasives"
+  "core_option" -> "prims"
+  "core_option" -> "prims"
+  "fstar_seq_properties" -> "fstar_list_tot_properties"
+  "fstar_seq_properties" -> "fstar_list_tot_properties"
+  "fstar_seq_properties" -> "fstar_list_tot_base"
+  "fstar_seq_properties" -> "fstar_list_tot_base"
+  "fstar_seq_properties" -> "fstar_list_tot"
+  "fstar_seq_properties" -> "fstar_list_tot"
+  "fstar_seq_properties" -> "fstar_pervasives_native"
+  "fstar_seq_properties" -> "fstar_pervasives_native"
+  "fstar_seq_properties" -> "fstar_seq_base"
+  "fstar_seq_properties" -> "fstar_seq_base"
+  "fstar_seq_properties" -> "fstar_pervasives"
+  "fstar_seq_properties" -> "fstar_pervasives"
+  "fstar_seq_properties" -> "prims"
+  "fstar_seq_properties" -> "prims"
+  "fstar_squash" -> "fstar_pervasives"
+  "fstar_squash" -> "fstar_pervasives"
+  "fstar_squash" -> "prims"
+  "fstar_squash" -> "prims"
+  "fstar_squash" -> "fstar_squash"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_unseal"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_tactics_types"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_data"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_types"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_builtins"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_vconfig"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives"
+  "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives"
+  "fstar_stubs_tactics_v1_builtins" -> "prims"
+  "fstar_stubs_tactics_v1_builtins" -> "prims"
+  "fstar_tactics_print" -> "fstar_tactics_namedview"
+  "fstar_tactics_print" -> "fstar_tactics_namedview"
+  "fstar_tactics_print" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_print" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_print" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_tactics_print" -> "fstar_tactics_effect"
+  "fstar_tactics_print" -> "fstar_tactics_effect"
+  "fstar_tactics_print" -> "fstar_reflection_v2"
+  "fstar_tactics_print" -> "fstar_reflection_v2"
+  "fstar_tactics_print" -> "fstar_pervasives"
+  "fstar_tactics_print" -> "fstar_pervasives"
+  "fstar_tactics_print" -> "prims"
+  "fstar_tactics_print" -> "prims"
+  "lib_inttypes" -> "fstar_uint"
+  "lib_inttypes" -> "fstar_uint"
+  "lib_inttypes" -> "fstar_int"
+  "lib_inttypes" -> "fstar_int"
+  "lib_inttypes" -> "fstar_int128"
+  "lib_inttypes" -> "fstar_int128"
+  "lib_inttypes" -> "fstar_int64"
+  "lib_inttypes" -> "fstar_int64"
+  "lib_inttypes" -> "fstar_int32"
+  "lib_inttypes" -> "fstar_int32"
+  "lib_inttypes" -> "fstar_int16"
+  "lib_inttypes" -> "fstar_int16"
+  "lib_inttypes" -> "fstar_int8"
+  "lib_inttypes" -> "fstar_int8"
+  "lib_inttypes" -> "fstar_uint128"
+  "lib_inttypes" -> "fstar_uint128"
+  "lib_inttypes" -> "fstar_uint64"
+  "lib_inttypes" -> "fstar_uint64"
+  "lib_inttypes" -> "fstar_uint32"
+  "lib_inttypes" -> "fstar_uint32"
+  "lib_inttypes" -> "fstar_uint16"
+  "lib_inttypes" -> "fstar_uint16"
+  "lib_inttypes" -> "fstar_uint8"
+  "lib_inttypes" -> "fstar_uint8"
+  "lib_inttypes" -> "fstar_mul"
+  "lib_inttypes" -> "fstar_mul"
+  "lib_inttypes" -> "fstar_pervasives"
+  "lib_inttypes" -> "fstar_pervasives"
+  "lib_inttypes" -> "prims"
+  "lib_inttypes" -> "prims"
+  "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare"
+  "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare"
+  "fstar_reflection_v1_compare" -> "fstar_pervasives"
+  "fstar_reflection_v1_compare" -> "fstar_pervasives"
+  "fstar_reflection_v1_compare" -> "prims"
+  "fstar_reflection_v1_compare" -> "prims"
+  "fstar_classical" -> "fstar_squash"
+  "fstar_classical" -> "fstar_squash"
+  "fstar_classical" -> "fstar_pervasives"
+  "fstar_classical" -> "fstar_pervasives"
+  "fstar_classical" -> "prims"
+  "fstar_classical" -> "prims"
+  "fstar_classical" -> "fstar_classical"
+  "fstar_seq_base" -> "fstar_list_tot"
+  "fstar_seq_base" -> "fstar_list_tot"
+  "fstar_seq_base" -> "fstar_pervasives"
+  "fstar_seq_base" -> "fstar_pervasives"
+  "fstar_seq_base" -> "prims"
+  "fstar_seq_base" -> "prims"
+  "fstar_seq_properties" -> "fstar_list_tot_properties"
+  "fstar_seq_properties" -> "fstar_list_tot_properties"
+  "fstar_seq_properties" -> "fstar_list_tot_base"
+  "fstar_seq_properties" -> "fstar_list_tot_base"
+  "fstar_seq_properties" -> "fstar_squash"
+  "fstar_seq_properties" -> "fstar_squash"
+  "fstar_seq_properties" -> "fstar_list_tot"
+  "fstar_seq_properties" -> "fstar_list_tot"
+  "fstar_seq_properties" -> "fstar_pervasives_native"
+  "fstar_seq_properties" -> "fstar_pervasives_native"
+  "fstar_seq_properties" -> "fstar_classical"
+  "fstar_seq_properties" -> "fstar_classical"
+  "fstar_seq_properties" -> "fstar_seq_base"
+  "fstar_seq_properties" -> "fstar_seq_base"
+  "fstar_seq_properties" -> "fstar_pervasives"
+  "fstar_seq_properties" -> "fstar_pervasives"
+  "fstar_seq_properties" -> "prims"
+  "fstar_seq_properties" -> "prims"
+  "fstar_seq_properties" -> "fstar_seq_properties"
+  "fstar_calc" -> "fstar_classical"
+  "fstar_calc" -> "fstar_classical"
+  "fstar_calc" -> "fstar_preorder"
+  "fstar_calc" -> "fstar_preorder"
+  "fstar_calc" -> "fstar_squash"
+  "fstar_calc" -> "fstar_squash"
+  "fstar_calc" -> "fstar_pervasives"
+  "fstar_calc" -> "fstar_pervasives"
+  "fstar_calc" -> "prims"
+  "fstar_calc" -> "prims"
+  "fstar_calc" -> "fstar_calc"
+  "fstar_reflection_termeq" -> "fstar_list_tot"
+  "fstar_reflection_termeq" -> "fstar_list_tot"
+  "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data"
+  "fstar_reflection_termeq" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_termeq" -> "fstar_pervasives"
+  "fstar_reflection_termeq" -> "fstar_pervasives"
+  "fstar_reflection_termeq" -> "prims"
+  "fstar_reflection_termeq" -> "prims"
+  "tactics_pow2" -> "fstar_tactics_effect"
+  "tactics_pow2" -> "fstar_tactics_effect"
+  "tactics_pow2" -> "fstar_tactics_v2"
+  "tactics_pow2" -> "fstar_tactics_v2"
+  "tactics_pow2" -> "tactics_utils"
+  "tactics_pow2" -> "tactics_utils"
+  "tactics_pow2" -> "core"
+  "tactics_pow2" -> "core"
+  "tactics_pow2" -> "fstar_pervasives"
+  "tactics_pow2" -> "fstar_pervasives"
+  "tactics_pow2" -> "prims"
+  "tactics_pow2" -> "prims"
+  "fstar_classical" -> "fstar_pervasives"
+  "fstar_classical" -> "fstar_pervasives"
+  "fstar_classical" -> "prims"
+  "fstar_classical" -> "prims"
+  "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_v2_data"
+  "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_types"
+  "fstar_stubs_reflection_v2_builtins" -> "fstar_vconfig"
+  "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_syntax_syntax"
+  "fstar_stubs_reflection_v2_builtins" -> "fstar_order"
+  "fstar_stubs_reflection_v2_builtins" -> "fstar_order"
+  "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives"
+  "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives"
+  "fstar_stubs_reflection_v2_builtins" -> "prims"
+  "fstar_stubs_reflection_v2_builtins" -> "prims"
+  "rust_primitives_bitvectors" -> "fstar_math_lemmas"
+  "rust_primitives_bitvectors" -> "fstar_math_lemmas"
+  "rust_primitives_bitvectors" -> "rust_primitives_integers"
+  "rust_primitives_bitvectors" -> "rust_primitives_integers"
+  "rust_primitives_bitvectors" -> "rust_primitives_arrays"
+  "rust_primitives_bitvectors" -> "rust_primitives_arrays"
+  "rust_primitives_bitvectors" -> "fstar_mul"
+  "rust_primitives_bitvectors" -> "fstar_mul"
+  "rust_primitives_bitvectors" -> "fstar_pervasives"
+  "rust_primitives_bitvectors" -> "fstar_pervasives"
+  "rust_primitives_bitvectors" -> "prims"
+  "rust_primitives_bitvectors" -> "prims"
+  "rust_primitives_bitvectors" -> "rust_primitives_bitvectors"
+  "fstar_option" -> "fstar_pervasives_native"
+  "fstar_option" -> "fstar_pervasives_native"
+  "fstar_option" -> "fstar_all"
+  "fstar_option" -> "fstar_all"
+  "fstar_option" -> "fstar_pervasives"
+  "fstar_option" -> "fstar_pervasives"
+  "fstar_option" -> "prims"
+  "fstar_option" -> "prims"
+  "fstar_propositionalextensionality" -> "fstar_pervasives"
+  "fstar_propositionalextensionality" -> "fstar_pervasives"
+  "fstar_propositionalextensionality" -> "prims"
+  "fstar_propositionalextensionality" -> "prims"
+  "fstar_erasedlogic" -> "fstar_ghost"
+  "fstar_erasedlogic" -> "fstar_ghost"
+  "fstar_erasedlogic" -> "fstar_pervasives"
+  "fstar_erasedlogic" -> "fstar_pervasives"
+  "fstar_erasedlogic" -> "prims"
+  "fstar_erasedlogic" -> "prims"
+  "bitveceq" -> "fstar_functionalextensionality"
+  "bitveceq" -> "fstar_functionalextensionality"
+  "bitveceq" -> "fstar_mul"
+  "bitveceq" -> "fstar_mul"
+  "bitveceq" -> "core"
+  "bitveceq" -> "core"
+  "bitveceq" -> "fstar_pervasives"
+  "bitveceq" -> "fstar_pervasives"
+  "bitveceq" -> "prims"
+  "bitveceq" -> "prims"
+  "bitveceq" -> "bitveceq"
+  "fstar_issue" -> "fstar_stubs_pprint"
+  "fstar_issue" -> "fstar_range"
+  "fstar_issue" -> "fstar_pervasives"
+  "fstar_issue" -> "fstar_pervasives"
+  "fstar_issue" -> "prims"
+  "fstar_issue" -> "prims"
+  "fstar_mul" -> "fstar_pervasives"
+  "fstar_mul" -> "fstar_pervasives"
+  "fstar_mul" -> "prims"
+  "fstar_mul" -> "prims"
+  "tactics_utils" -> "fstar_tactics_effect"
+  "tactics_utils" -> "fstar_tactics_effect"
+  "tactics_utils" -> "fstar_char"
+  "tactics_utils" -> "fstar_string"
+  "tactics_utils" -> "fstar_reflection_v2"
+  "tactics_utils" -> "fstar_reflection_v2"
+  "tactics_utils" -> "fstar_tactics_util"
+  "tactics_utils" -> "fstar_tactics_util"
+  "tactics_utils" -> "fstar_tactics_v1"
+  "tactics_utils" -> "fstar_tactics_v1"
+  "tactics_utils" -> "fstar_tactics"
+  "tactics_utils" -> "fstar_tactics"
+  "tactics_utils" -> "fstar_pervasives_native"
+  "tactics_utils" -> "fstar_pervasives_native"
+  "tactics_utils" -> "fstar_mul"
+  "tactics_utils" -> "fstar_mul"
+  "tactics_utils" -> "fstar_class_printable"
+  "tactics_utils" -> "fstar_class_printable"
+  "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_utils" -> "fstar_tactics_v2"
+  "tactics_utils" -> "fstar_tactics_v2"
+  "tactics_utils" -> "fstar_list_tot"
+  "tactics_utils" -> "fstar_list_tot"
+  "tactics_utils" -> "fstar_option"
+  "tactics_utils" -> "fstar_option"
+  "tactics_utils" -> "core"
+  "tactics_utils" -> "core"
+  "tactics_utils" -> "fstar_pervasives"
+  "tactics_utils" -> "fstar_pervasives"
+  "tactics_utils" -> "prims"
+  "tactics_utils" -> "prims"
+  "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics"
+  "libcrux_intrinsics_avx2_extract" -> "fstar_mul"
+  "libcrux_intrinsics_avx2_extract" -> "fstar_mul"
+  "libcrux_intrinsics_avx2_extract" -> "core"
+  "libcrux_intrinsics_avx2_extract" -> "core"
+  "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives"
+  "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives"
+  "libcrux_intrinsics_avx2_extract" -> "prims"
+  "libcrux_intrinsics_avx2_extract" -> "prims"
+  "fstar_stubs_tactics_types" -> "fstar_issue"
+  "fstar_stubs_tactics_types" -> "fstar_range"
+  "fstar_stubs_tactics_types" -> "fstar_stubs_typechecker_core"
+  "fstar_stubs_tactics_types" -> "fstar_stubs_tactics_common"
+  "fstar_stubs_tactics_types" -> "fstar_stubs_reflection_types"
+  "fstar_stubs_tactics_types" -> "fstar_pervasives"
+  "fstar_stubs_tactics_types" -> "fstar_pervasives"
+  "fstar_stubs_tactics_types" -> "prims"
+  "fstar_stubs_tactics_types" -> "prims"
+  "fstar_exn" -> "fstar_pervasives"
+  "fstar_exn" -> "fstar_pervasives"
+  "fstar_exn" -> "prims"
+  "fstar_exn" -> "prims"
+  "core_iter" -> "rust_primitives_arrays"
+  "core_iter" -> "rust_primitives_arrays"
+  "core_iter" -> "core_ops_range"
+  "core_iter" -> "core_iter_adapters_step_by"
+  "core_iter" -> "core_iter_adapters_step_by"
+  "core_iter" -> "fstar_pervasives_native"
+  "core_iter" -> "fstar_pervasives_native"
+  "core_iter" -> "core_ops"
+  "core_iter" -> "core_ops"
+  "core_iter" -> "fstar_tactics_typeclasses"
+  "core_iter" -> "fstar_tactics_typeclasses"
+  "core_iter" -> "core_iter_adapters_enumerate"
+  "core_iter" -> "core_iter_adapters_enumerate"
+  "core_iter" -> "core_iter_traits_iterator"
+  "core_iter" -> "core_iter_traits_iterator"
+  "core_iter" -> "rust_primitives"
+  "core_iter" -> "rust_primitives"
+  "core_iter" -> "fstar_pervasives"
+  "core_iter" -> "fstar_pervasives"
+  "core_iter" -> "prims"
+  "core_iter" -> "prims"
+  "fstar_functionalextensionality" -> "fstar_pervasives_native"
+  "fstar_functionalextensionality" -> "fstar_pervasives_native"
+  "fstar_functionalextensionality" -> "fstar_tactics_effect"
+  "fstar_functionalextensionality" -> "fstar_tactics_effect"
+  "fstar_functionalextensionality" -> "fstar_stubs_tactics_types"
+  "fstar_functionalextensionality" -> "fstar_stubs_reflection_types"
+  "fstar_functionalextensionality" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_functionalextensionality" -> "fstar_pervasives"
+  "fstar_functionalextensionality" -> "fstar_pervasives"
+  "fstar_functionalextensionality" -> "prims"
+  "fstar_functionalextensionality" -> "prims"
+  "fstar_functionalextensionality" -> "fstar_functionalextensionality"
+  "core_iter_adapters_step_by" -> "rust_primitives"
+  "core_iter_adapters_step_by" -> "rust_primitives"
+  "core_iter_adapters_step_by" -> "fstar_pervasives"
+  "core_iter_adapters_step_by" -> "fstar_pervasives"
+  "core_iter_adapters_step_by" -> "prims"
+  "core_iter_adapters_step_by" -> "prims"
+  "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality"
+  "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality"
+  "fstar_tactics_v1_derived" -> "fstar_squash"
+  "fstar_tactics_v1_derived" -> "fstar_squash"
+  "fstar_tactics_v1_derived" -> "fstar_range"
+  "fstar_tactics_v1_derived" -> "fstar_pervasives_native"
+  "fstar_tactics_v1_derived" -> "fstar_pervasives_native"
+  "fstar_tactics_v1_derived" -> "fstar_tactics_visit"
+  "fstar_tactics_v1_derived" -> "fstar_tactics_visit"
+  "fstar_tactics_v1_derived" -> "fstar_list_tot_base"
+  "fstar_tactics_v1_derived" -> "fstar_list_tot_base"
+  "fstar_tactics_v1_derived" -> "fstar_vconfig"
+  "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers"
+  "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers"
+  "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_v1_builtins"
+  "fstar_tactics_v1_derived" -> "fstar_tactics_util"
+  "fstar_tactics_v1_derived" -> "fstar_tactics_util"
+  "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_result"
+  "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_types"
+  "fstar_tactics_v1_derived" -> "fstar_tactics_effect"
+  "fstar_tactics_v1_derived" -> "fstar_tactics_effect"
+  "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula"
+  "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula"
+  "fstar_tactics_v1_derived" -> "fstar_reflection_v1"
+  "fstar_tactics_v1_derived" -> "fstar_reflection_v1"
+  "fstar_tactics_v1_derived" -> "fstar_pervasives"
+  "fstar_tactics_v1_derived" -> "fstar_pervasives"
+  "fstar_tactics_v1_derived" -> "prims"
+  "fstar_tactics_v1_derived" -> "prims"
+  "fstar_tactics_visit" -> "fstar_pervasives_native"
+  "fstar_tactics_visit" -> "fstar_pervasives_native"
+  "fstar_tactics_visit" -> "fstar_tactics_util"
+  "fstar_tactics_visit" -> "fstar_tactics_util"
+  "fstar_tactics_visit" -> "fstar_tactics_effect"
+  "fstar_tactics_visit" -> "fstar_tactics_effect"
+  "fstar_tactics_visit" -> "fstar_reflection_v2"
+  "fstar_tactics_visit" -> "fstar_reflection_v2"
+  "fstar_tactics_visit" -> "fstar_pervasives"
+  "fstar_tactics_visit" -> "fstar_pervasives"
+  "fstar_tactics_visit" -> "prims"
+  "fstar_tactics_visit" -> "prims"
+  "rust_primitives_bitvectors" -> "fstar_uint8"
+  "rust_primitives_bitvectors" -> "fstar_uint8"
+  "rust_primitives_bitvectors" -> "fstar_uint16"
+  "rust_primitives_bitvectors" -> "fstar_uint16"
+  "rust_primitives_bitvectors" -> "fstar_uint32"
+  "rust_primitives_bitvectors" -> "fstar_uint32"
+  "rust_primitives_bitvectors" -> "fstar_int16"
+  "rust_primitives_bitvectors" -> "fstar_int16"
+  "rust_primitives_bitvectors" -> "fstar_int32"
+  "rust_primitives_bitvectors" -> "fstar_int32"
+  "rust_primitives_bitvectors" -> "fstar_seq"
+  "rust_primitives_bitvectors" -> "fstar_seq"
+  "rust_primitives_bitvectors" -> "fstar_functionalextensionality"
+  "rust_primitives_bitvectors" -> "fstar_functionalextensionality"
+  "rust_primitives_bitvectors" -> "rust_primitives_integers"
+  "rust_primitives_bitvectors" -> "rust_primitives_integers"
+  "rust_primitives_bitvectors" -> "rust_primitives_arrays"
+  "rust_primitives_bitvectors" -> "rust_primitives_arrays"
+  "rust_primitives_bitvectors" -> "fstar_mul"
+  "rust_primitives_bitvectors" -> "fstar_mul"
+  "rust_primitives_bitvectors" -> "fstar_pervasives"
+  "rust_primitives_bitvectors" -> "fstar_pervasives"
+  "rust_primitives_bitvectors" -> "prims"
+  "rust_primitives_bitvectors" -> "prims"
+  "fstar_uint16" -> "fstar_uint32"
+  "fstar_uint16" -> "fstar_uint32"
+  "fstar_uint16" -> "fstar_mul"
+  "fstar_uint16" -> "fstar_mul"
+  "fstar_uint16" -> "fstar_uint"
+  "fstar_uint16" -> "fstar_uint"
+  "fstar_uint16" -> "fstar_pervasives"
+  "fstar_uint16" -> "fstar_pervasives"
+  "fstar_uint16" -> "prims"
+  "fstar_uint16" -> "prims"
+  "fstar_uint16" -> "fstar_uint16"
+  "core_num_error" -> "rust_primitives"
+  "core_num_error" -> "rust_primitives"
+  "core_num_error" -> "fstar_pervasives"
+  "core_num_error" -> "fstar_pervasives"
+  "core_num_error" -> "prims"
+  "core_num_error" -> "prims"
+  "bitveceq" -> "fstar_math_lemmas"
+  "bitveceq" -> "fstar_math_lemmas"
+  "bitveceq" -> "fstar_seq"
+  "bitveceq" -> "fstar_seq"
+  "bitveceq" -> "fstar_classical_sugar"
+  "bitveceq" -> "fstar_classical_sugar"
+  "bitveceq" -> "fstar_functionalextensionality"
+  "bitveceq" -> "fstar_functionalextensionality"
+  "bitveceq" -> "mkseq"
+  "bitveceq" -> "mkseq"
+  "bitveceq" -> "fstar_mul"
+  "bitveceq" -> "fstar_mul"
+  "bitveceq" -> "core"
+  "bitveceq" -> "core"
+  "bitveceq" -> "fstar_pervasives"
+  "bitveceq" -> "fstar_pervasives"
+  "bitveceq" -> "prims"
+  "bitveceq" -> "prims"
+  "lib_inttypes" -> "fstar_bitvector"
+  "lib_inttypes" -> "fstar_bitvector"
+  "lib_inttypes" -> "fstar_seq"
+  "lib_inttypes" -> "fstar_seq"
+  "lib_inttypes" -> "fstar_uint"
+  "lib_inttypes" -> "fstar_uint"
+  "lib_inttypes" -> "fstar_pervasives_native"
+  "lib_inttypes" -> "fstar_pervasives_native"
+  "lib_inttypes" -> "fstar_int_cast_full"
+  "lib_inttypes" -> "fstar_int_cast_full"
+  "lib_inttypes" -> "fstar_int"
+  "lib_inttypes" -> "fstar_int"
+  "lib_inttypes" -> "fstar_int_cast"
+  "lib_inttypes" -> "fstar_int_cast"
+  "lib_inttypes" -> "fstar_int128"
+  "lib_inttypes" -> "fstar_int128"
+  "lib_inttypes" -> "fstar_int64"
+  "lib_inttypes" -> "fstar_int64"
+  "lib_inttypes" -> "fstar_int32"
+  "lib_inttypes" -> "fstar_int32"
+  "lib_inttypes" -> "fstar_int16"
+  "lib_inttypes" -> "fstar_int16"
+  "lib_inttypes" -> "fstar_int8"
+  "lib_inttypes" -> "fstar_int8"
+  "lib_inttypes" -> "fstar_uint128"
+  "lib_inttypes" -> "fstar_uint128"
+  "lib_inttypes" -> "fstar_uint64"
+  "lib_inttypes" -> "fstar_uint64"
+  "lib_inttypes" -> "fstar_uint32"
+  "lib_inttypes" -> "fstar_uint32"
+  "lib_inttypes" -> "fstar_uint16"
+  "lib_inttypes" -> "fstar_uint16"
+  "lib_inttypes" -> "fstar_uint8"
+  "lib_inttypes" -> "fstar_uint8"
+  "lib_inttypes" -> "fstar_math_lemmas"
+  "lib_inttypes" -> "fstar_math_lemmas"
+  "lib_inttypes" -> "fstar_pervasives"
+  "lib_inttypes" -> "fstar_pervasives"
+  "lib_inttypes" -> "prims"
+  "lib_inttypes" -> "prims"
+  "lib_inttypes" -> "lib_inttypes"
+  "fstar_int_cast_full" -> "fstar_uint128"
+  "fstar_int_cast_full" -> "fstar_uint128"
+  "fstar_int_cast_full" -> "fstar_uint64"
+  "fstar_int_cast_full" -> "fstar_uint64"
+  "fstar_int_cast_full" -> "fstar_int_cast"
+  "fstar_int_cast_full" -> "fstar_int_cast"
+  "fstar_int_cast_full" -> "fstar_pervasives"
+  "fstar_int_cast_full" -> "fstar_pervasives"
+  "fstar_int_cast_full" -> "prims"
+  "fstar_int_cast_full" -> "prims"
+  "rust_primitives_hax" -> "fstar_list_tot"
+  "rust_primitives_hax" -> "fstar_list_tot"
+  "rust_primitives_hax" -> "lib_inttypes"
+  "rust_primitives_hax" -> "lib_inttypes"
+  "rust_primitives_hax" -> "core_slice"
+  "rust_primitives_hax" -> "fstar_tactics_typeclasses"
+  "rust_primitives_hax" -> "fstar_tactics_typeclasses"
+  "rust_primitives_hax" -> "core_ops_index"
+  "rust_primitives_hax" -> "core_ops_index"
+  "rust_primitives_hax" -> "fstar_seq"
+  "rust_primitives_hax" -> "fstar_seq"
+  "rust_primitives_hax" -> "rust_primitives_arrays"
+  "rust_primitives_hax" -> "rust_primitives_arrays"
+  "rust_primitives_hax" -> "rust_primitives_integers"
+  "rust_primitives_hax" -> "rust_primitives_integers"
+  "rust_primitives_hax" -> "fstar_pervasives"
+  "rust_primitives_hax" -> "fstar_pervasives"
+  "rust_primitives_hax" -> "prims"
+  "rust_primitives_hax" -> "prims"
+  "fstar_reflection_v2_formula" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_formula" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple"
+  "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple"
+  "fstar_reflection_v2_formula" -> "fstar_tactics_namedview"
+  "fstar_reflection_v2_formula" -> "fstar_tactics_namedview"
+  "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_reflection_v2_formula" -> "fstar_tactics_effect"
+  "fstar_reflection_v2_formula" -> "fstar_tactics_effect"
+  "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_common"
+  "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_data"
+  "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived"
+  "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived"
+  "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_reflection_v2_formula" -> "fstar_reflection_const"
+  "fstar_reflection_v2_formula" -> "fstar_reflection_const"
+  "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v2_formula" -> "fstar_list_tot_base"
+  "fstar_reflection_v2_formula" -> "fstar_list_tot_base"
+  "fstar_reflection_v2_formula" -> "fstar_pervasives"
+  "fstar_reflection_v2_formula" -> "fstar_pervasives"
+  "fstar_reflection_v2_formula" -> "prims"
+  "fstar_reflection_v2_formula" -> "prims"
+  "fstar_tactics_unseal" -> "fstar_tactics_effect"
+  "fstar_tactics_unseal" -> "fstar_tactics_effect"
+  "fstar_tactics_unseal" -> "fstar_sealed"
+  "fstar_tactics_unseal" -> "fstar_pervasives"
+  "fstar_tactics_unseal" -> "fstar_pervasives"
+  "fstar_tactics_unseal" -> "prims"
+  "fstar_tactics_unseal" -> "prims"
+  "fstar_int128" -> "fstar_int64"
+  "fstar_int128" -> "fstar_int64"
+  "fstar_int128" -> "fstar_uint32"
+  "fstar_int128" -> "fstar_uint32"
+  "fstar_int128" -> "fstar_math_lemmas"
+  "fstar_int128" -> "fstar_math_lemmas"
+  "fstar_int128" -> "fstar_mul"
+  "fstar_int128" -> "fstar_mul"
+  "fstar_int128" -> "fstar_int"
+  "fstar_int128" -> "fstar_int"
+  "fstar_int128" -> "fstar_pervasives"
+  "fstar_int128" -> "fstar_pervasives"
+  "fstar_int128" -> "prims"
+  "fstar_int128" -> "prims"
+  "fstar_int128" -> "fstar_int128"
+  "tactics_seq" -> "fstar_tactics_effect"
+  "tactics_seq" -> "fstar_tactics_effect"
+  "tactics_seq" -> "fstar_pervasives_native"
+  "tactics_seq" -> "fstar_pervasives_native"
+  "tactics_seq" -> "tactics_pow2"
+  "tactics_seq" -> "tactics_pow2"
+  "tactics_seq" -> "tactics_utils"
+  "tactics_seq" -> "tactics_utils"
+  "tactics_seq" -> "fstar_option"
+  "tactics_seq" -> "fstar_option"
+  "tactics_seq" -> "fstar_mul"
+  "tactics_seq" -> "fstar_mul"
+  "tactics_seq" -> "fstar_class_printable"
+  "tactics_seq" -> "fstar_class_printable"
+  "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_seq" -> "fstar_tactics_v2"
+  "tactics_seq" -> "fstar_tactics_v2"
+  "tactics_seq" -> "fstar_seq_base"
+  "tactics_seq" -> "fstar_seq_base"
+  "tactics_seq" -> "fstar_list_tot"
+  "tactics_seq" -> "fstar_list_tot"
+  "tactics_seq" -> "core"
+  "tactics_seq" -> "core"
+  "tactics_seq" -> "fstar_pervasives"
+  "tactics_seq" -> "fstar_pervasives"
+  "tactics_seq" -> "prims"
+  "tactics_seq" -> "prims"
+  "rust_primitives" -> "fstar_seq"
+  "rust_primitives" -> "fstar_seq"
+  "rust_primitives" -> "fstar_tactics_typeclasses"
+  "rust_primitives" -> "fstar_tactics_typeclasses"
+  "rust_primitives" -> "core_ops_control_flow"
+  "rust_primitives" -> "core_ops_control_flow"
+  "rust_primitives" -> "core_result"
+  "rust_primitives" -> "core_result"
+  "rust_primitives" -> "core_option"
+  "rust_primitives" -> "core_option"
+  "rust_primitives" -> "rust_primitives_bitvectors"
+  "rust_primitives" -> "rust_primitives_bitvectors"
+  "rust_primitives" -> "rust_primitives_arrays"
+  "rust_primitives" -> "rust_primitives_arrays"
+  "rust_primitives" -> "rust_primitives_integers"
+  "rust_primitives" -> "rust_primitives_integers"
+  "rust_primitives" -> "fstar_pervasives"
+  "rust_primitives" -> "fstar_pervasives"
+  "rust_primitives" -> "prims"
+  "rust_primitives" -> "prims"
+  "fstar_set" -> "fstar_classical"
+  "fstar_set" -> "fstar_classical"
+  "fstar_set" -> "fstar_functionalextensionality"
+  "fstar_set" -> "fstar_functionalextensionality"
+  "fstar_set" -> "fstar_pervasives"
+  "fstar_set" -> "fstar_pervasives"
+  "fstar_set" -> "prims"
+  "fstar_set" -> "prims"
+  "fstar_set" -> "fstar_set"
+  "fstar_tactics_v1_logic" -> "fstar_pervasives_native"
+  "fstar_tactics_v1_logic" -> "fstar_pervasives_native"
+  "fstar_tactics_v1_logic" -> "fstar_squash"
+  "fstar_tactics_v1_logic" -> "fstar_squash"
+  "fstar_tactics_v1_logic" -> "fstar_indefinitedescription"
+  "fstar_tactics_v1_logic" -> "fstar_indefinitedescription"
+  "fstar_tactics_v1_logic" -> "fstar_classical"
+  "fstar_tactics_v1_logic" -> "fstar_classical"
+  "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula"
+  "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula"
+  "fstar_tactics_v1_logic" -> "fstar_reflection_v1"
+  "fstar_tactics_v1_logic" -> "fstar_reflection_v1"
+  "fstar_tactics_v1_logic" -> "fstar_tactics_util"
+  "fstar_tactics_v1_logic" -> "fstar_tactics_util"
+  "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived"
+  "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived"
+  "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins"
+  "fstar_tactics_v1_logic" -> "fstar_tactics_effect"
+  "fstar_tactics_v1_logic" -> "fstar_tactics_effect"
+  "fstar_tactics_v1_logic" -> "fstar_pervasives"
+  "fstar_tactics_v1_logic" -> "fstar_pervasives"
+  "fstar_tactics_v1_logic" -> "prims"
+  "fstar_tactics_v1_logic" -> "prims"
+  "fstar_class_printable" -> "fstar_seq"
+  "fstar_class_printable" -> "fstar_seq"
+  "fstar_class_printable" -> "fstar_uint64"
+  "fstar_class_printable" -> "fstar_uint64"
+  "fstar_class_printable" -> "fstar_int64"
+  "fstar_class_printable" -> "fstar_int64"
+  "fstar_class_printable" -> "fstar_uint32"
+  "fstar_class_printable" -> "fstar_uint32"
+  "fstar_class_printable" -> "fstar_int32"
+  "fstar_class_printable" -> "fstar_int32"
+  "fstar_class_printable" -> "fstar_uint16"
+  "fstar_class_printable" -> "fstar_uint16"
+  "fstar_class_printable" -> "fstar_int16"
+  "fstar_class_printable" -> "fstar_int16"
+  "fstar_class_printable" -> "fstar_int8"
+  "fstar_class_printable" -> "fstar_int8"
+  "fstar_class_printable" -> "fstar_uint8"
+  "fstar_class_printable" -> "fstar_uint8"
+  "fstar_class_printable" -> "fstar_char"
+  "fstar_class_printable" -> "fstar_list_tot"
+  "fstar_class_printable" -> "fstar_list_tot"
+  "fstar_class_printable" -> "fstar_tactics_typeclasses"
+  "fstar_class_printable" -> "fstar_tactics_typeclasses"
+  "fstar_class_printable" -> "fstar_seq_properties"
+  "fstar_class_printable" -> "fstar_seq_properties"
+  "fstar_class_printable" -> "fstar_string"
+  "fstar_class_printable" -> "fstar_pervasives"
+  "fstar_class_printable" -> "fstar_pervasives"
+  "fstar_class_printable" -> "prims"
+  "fstar_class_printable" -> "prims"
+  "tactics_getbit" -> "fstar_functionalextensionality"
+  "tactics_getbit" -> "fstar_functionalextensionality"
+  "tactics_getbit" -> "tactics_machineints"
+  "tactics_getbit" -> "tactics_machineints"
+  "tactics_getbit" -> "rust_primitives_hax"
+  "tactics_getbit" -> "rust_primitives_hax"
+  "tactics_getbit" -> "tactics_seq"
+  "tactics_getbit" -> "tactics_seq"
+  "tactics_getbit" -> "bitveceq"
+  "tactics_getbit" -> "bitveceq"
+  "tactics_getbit" -> "tactics_pow2"
+  "tactics_getbit" -> "tactics_pow2"
+  "tactics_getbit" -> "tactics_utils"
+  "tactics_getbit" -> "tactics_utils"
+  "tactics_getbit" -> "fstar_option"
+  "tactics_getbit" -> "fstar_option"
+  "tactics_getbit" -> "fstar_mul"
+  "tactics_getbit" -> "fstar_mul"
+  "tactics_getbit" -> "fstar_class_printable"
+  "tactics_getbit" -> "fstar_class_printable"
+  "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_getbit" -> "fstar_tactics_v2"
+  "tactics_getbit" -> "fstar_tactics_v2"
+  "tactics_getbit" -> "fstar_list_tot"
+  "tactics_getbit" -> "fstar_list_tot"
+  "tactics_getbit" -> "core"
+  "tactics_getbit" -> "core"
+  "tactics_getbit" -> "fstar_pervasives"
+  "tactics_getbit" -> "fstar_pervasives"
+  "tactics_getbit" -> "prims"
+  "tactics_getbit" -> "prims"
+  "tactics_machineints" -> "fstar_uint8"
+  "tactics_machineints" -> "fstar_uint8"
+  "tactics_machineints" -> "fstar_tactics_effect"
+  "tactics_machineints" -> "fstar_tactics_effect"
+  "tactics_machineints" -> "fstar_list_tot"
+  "tactics_machineints" -> "fstar_list_tot"
+  "tactics_machineints" -> "lib_inttypes"
+  "tactics_machineints" -> "lib_inttypes"
+  "tactics_machineints" -> "fstar_pervasives_native"
+  "tactics_machineints" -> "fstar_pervasives_native"
+  "tactics_machineints" -> "rust_primitives_integers"
+  "tactics_machineints" -> "rust_primitives_integers"
+  "tactics_machineints" -> "tactics_utils"
+  "tactics_machineints" -> "tactics_utils"
+  "tactics_machineints" -> "fstar_option"
+  "tactics_machineints" -> "fstar_option"
+  "tactics_machineints" -> "fstar_class_printable"
+  "tactics_machineints" -> "fstar_class_printable"
+  "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_machineints" -> "fstar_tactics_v2"
+  "tactics_machineints" -> "fstar_tactics_v2"
+  "tactics_machineints" -> "fstar_pervasives"
+  "tactics_machineints" -> "fstar_pervasives"
+  "tactics_machineints" -> "prims"
+  "tactics_machineints" -> "prims"
+  "fstar_preorder" -> "fstar_pervasives"
+  "fstar_preorder" -> "fstar_pervasives"
+  "fstar_preorder" -> "prims"
+  "fstar_preorder" -> "prims"
+  "fstar_reflection_const" -> "fstar_pervasives"
+  "fstar_reflection_const" -> "fstar_pervasives"
+  "fstar_reflection_const" -> "prims"
+  "fstar_reflection_const" -> "prims"
+  "fstar_tactics_bv" -> "fstar_pervasives_native"
+  "fstar_tactics_bv" -> "fstar_pervasives_native"
+  "fstar_tactics_bv" -> "fstar_uint"
+  "fstar_tactics_bv" -> "fstar_uint"
+  "fstar_tactics_bv" -> "fstar_bv"
+  "fstar_tactics_bv" -> "fstar_bv"
+  "fstar_tactics_bv" -> "fstar_reflection_v2_arith"
+  "fstar_tactics_bv" -> "fstar_reflection_v2_arith"
+  "fstar_tactics_bv" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_bv" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_bv" -> "fstar_tactics_v2"
+  "fstar_tactics_bv" -> "fstar_tactics_v2"
+  "fstar_tactics_bv" -> "fstar_pervasives"
+  "fstar_tactics_bv" -> "fstar_pervasives"
+  "fstar_tactics_bv" -> "prims"
+  "fstar_tactics_bv" -> "prims"
+  "fstar_tactics_v2" -> "fstar_reflection_termeq_simple"
+  "fstar_tactics_v2" -> "fstar_reflection_termeq_simple"
+  "fstar_tactics_v2" -> "fstar_tactics_smt"
+  "fstar_tactics_v2" -> "fstar_tactics_smt"
+  "fstar_tactics_v2" -> "fstar_tactics_mapply"
+  "fstar_tactics_v2" -> "fstar_tactics_mapply"
+  "fstar_tactics_v2" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2" -> "fstar_tactics_visit"
+  "fstar_tactics_v2" -> "fstar_tactics_visit"
+  "fstar_tactics_v2" -> "fstar_tactics_print"
+  "fstar_tactics_v2" -> "fstar_tactics_print"
+  "fstar_tactics_v2" -> "fstar_tactics_util"
+  "fstar_tactics_v2" -> "fstar_tactics_util"
+  "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_v2" -> "fstar_tactics_v2_logic"
+  "fstar_tactics_v2" -> "fstar_tactics_v2_logic"
+  "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers"
+  "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers"
+  "fstar_tactics_v2" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_v2" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_v2" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_tactics_v2" -> "fstar_tactics_effect"
+  "fstar_tactics_v2" -> "fstar_tactics_effect"
+  "fstar_tactics_v2" -> "fstar_stubs_tactics_types"
+  "fstar_tactics_v2" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_v2" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_v2" -> "fstar_reflection_v2"
+  "fstar_tactics_v2" -> "fstar_reflection_v2"
+  "fstar_tactics_v2" -> "fstar_stubs_reflection_types"
+  "fstar_tactics_v2" -> "fstar_pervasives"
+  "fstar_tactics_v2" -> "fstar_pervasives"
+  "fstar_tactics_v2" -> "prims"
+  "fstar_tactics_v2" -> "prims"
+  "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types"
+  "fstar_stubs_tactics_result" -> "fstar_pervasives"
+  "fstar_stubs_tactics_result" -> "fstar_pervasives"
+  "fstar_stubs_tactics_result" -> "prims"
+  "fstar_stubs_tactics_result" -> "prims"
+  "fstar_tactics_effect" -> "fstar_stubs_tactics_result"
+  "fstar_tactics_effect" -> "fstar_stubs_tactics_types"
+  "fstar_tactics_effect" -> "fstar_stubs_reflection_types"
+  "fstar_tactics_effect" -> "fstar_pervasives"
+  "fstar_tactics_effect" -> "fstar_pervasives"
+  "fstar_tactics_effect" -> "prims"
+  "fstar_tactics_effect" -> "prims"
+  "fstar_tactics_effect" -> "fstar_tactics_effect"
+  "fstar_monotonic_witnessed" -> "fstar_preorder"
+  "fstar_monotonic_witnessed" -> "fstar_preorder"
+  "fstar_monotonic_witnessed" -> "fstar_pervasives"
+  "fstar_monotonic_witnessed" -> "fstar_pervasives"
+  "fstar_monotonic_witnessed" -> "prims"
+  "fstar_monotonic_witnessed" -> "prims"
+  "fstar_range" -> "fstar_sealed"
+  "fstar_range" -> "fstar_pervasives"
+  "fstar_range" -> "fstar_pervasives"
+  "fstar_range" -> "prims"
+  "fstar_range" -> "prims"
+  "fstar_monotonic_witnessed" -> "fstar_classical"
+  "fstar_monotonic_witnessed" -> "fstar_classical"
+  "fstar_monotonic_witnessed" -> "fstar_preorder"
+  "fstar_monotonic_witnessed" -> "fstar_preorder"
+  "fstar_monotonic_witnessed" -> "fstar_pervasives"
+  "fstar_monotonic_witnessed" -> "fstar_pervasives"
+  "fstar_monotonic_witnessed" -> "prims"
+  "fstar_monotonic_witnessed" -> "prims"
+  "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed"
+  "fstar_uint32" -> "fstar_mul"
+  "fstar_uint32" -> "fstar_mul"
+  "fstar_uint32" -> "fstar_uint"
+  "fstar_uint32" -> "fstar_uint"
+  "fstar_uint32" -> "fstar_pervasives"
+  "fstar_uint32" -> "fstar_pervasives"
+  "fstar_uint32" -> "prims"
+  "fstar_uint32" -> "prims"
+  "fstar_uint32" -> "fstar_uint32"
+  "fstar_st" -> "fstar_set"
+  "fstar_st" -> "fstar_set"
+  "fstar_st" -> "fstar_monotonic_witnessed"
+  "fstar_st" -> "fstar_monotonic_witnessed"
+  "fstar_st" -> "fstar_preorder"
+  "fstar_st" -> "fstar_preorder"
+  "fstar_st" -> "fstar_heap"
+  "fstar_st" -> "fstar_heap"
+  "fstar_st" -> "fstar_tset"
+  "fstar_st" -> "fstar_tset"
+  "fstar_st" -> "fstar_pervasives"
+  "fstar_st" -> "fstar_pervasives"
+  "fstar_st" -> "prims"
+  "fstar_st" -> "prims"
+  "bitvec_intrinsics" -> "fstar_list_tot"
+  "bitvec_intrinsics" -> "fstar_list_tot"
+  "bitvec_intrinsics" -> "fstar_string"
+  "bitvec_intrinsics" -> "fstar_tactics_v2_derived"
+  "bitvec_intrinsics" -> "fstar_tactics_v2_derived"
+  "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins"
+  "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract"
+  "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract"
+  "bitvec_intrinsics" -> "fstar_tactics"
+  "bitvec_intrinsics" -> "fstar_tactics"
+  "bitvec_intrinsics" -> "fstar_int16"
+  "bitvec_intrinsics" -> "fstar_int16"
+  "bitvec_intrinsics" -> "fstar_tactics_v2"
+  "bitvec_intrinsics" -> "fstar_tactics_v2"
+  "bitvec_intrinsics" -> "fstar_int32"
+  "bitvec_intrinsics" -> "fstar_int32"
+  "bitvec_intrinsics" -> "tactics_utils"
+  "bitvec_intrinsics" -> "tactics_utils"
+  "bitvec_intrinsics" -> "bitvec_equality"
+  "bitvec_intrinsics" -> "bitvec_equality"
+  "bitvec_intrinsics" -> "bitvec_utils"
+  "bitvec_intrinsics" -> "bitvec_utils"
+  "bitvec_intrinsics" -> "fstar_mul"
+  "bitvec_intrinsics" -> "fstar_mul"
+  "bitvec_intrinsics" -> "rust_primitives"
+  "bitvec_intrinsics" -> "rust_primitives"
+  "bitvec_intrinsics" -> "core"
+  "bitvec_intrinsics" -> "core"
+  "bitvec_intrinsics" -> "fstar_pervasives"
+  "bitvec_intrinsics" -> "fstar_pervasives"
+  "bitvec_intrinsics" -> "prims"
+  "bitvec_intrinsics" -> "prims"
+  "fstar_stubs_typechecker_core" -> "fstar_pervasives"
+  "fstar_stubs_typechecker_core" -> "fstar_pervasives"
+  "fstar_stubs_typechecker_core" -> "prims"
+  "fstar_stubs_typechecker_core" -> "prims"
+  "fstar_char" -> "fstar_uint32"
+  "fstar_char" -> "fstar_uint32"
+  "fstar_char" -> "fstar_pervasives"
+  "fstar_char" -> "fstar_pervasives"
+  "fstar_char" -> "prims"
+  "fstar_char" -> "prims"
+  "fstar_int8" -> "fstar_uint32"
+  "fstar_int8" -> "fstar_uint32"
+  "fstar_int8" -> "fstar_math_lemmas"
+  "fstar_int8" -> "fstar_math_lemmas"
+  "fstar_int8" -> "fstar_mul"
+  "fstar_int8" -> "fstar_mul"
+  "fstar_int8" -> "fstar_int"
+  "fstar_int8" -> "fstar_int"
+  "fstar_int8" -> "fstar_pervasives"
+  "fstar_int8" -> "fstar_pervasives"
+  "fstar_int8" -> "prims"
+  "fstar_int8" -> "prims"
+  "fstar_int8" -> "fstar_int8"
+  "fstar_uint32" -> "fstar_mul"
+  "fstar_uint32" -> "fstar_mul"
+  "fstar_uint32" -> "fstar_uint"
+  "fstar_uint32" -> "fstar_uint"
+  "fstar_uint32" -> "fstar_pervasives"
+  "fstar_uint32" -> "fstar_pervasives"
+  "fstar_uint32" -> "prims"
+  "fstar_uint32" -> "prims"
+  "fstar_tset" -> "fstar_squash"
+  "fstar_tset" -> "fstar_squash"
+  "fstar_tset" -> "fstar_strongexcludedmiddle"
+  "fstar_tset" -> "fstar_strongexcludedmiddle"
+  "fstar_tset" -> "fstar_set"
+  "fstar_tset" -> "fstar_set"
+  "fstar_tset" -> "fstar_predicateextensionality"
+  "fstar_tset" -> "fstar_predicateextensionality"
+  "fstar_tset" -> "fstar_functionalextensionality"
+  "fstar_tset" -> "fstar_functionalextensionality"
+  "fstar_tset" -> "fstar_propositionalextensionality"
+  "fstar_tset" -> "fstar_propositionalextensionality"
+  "fstar_tset" -> "fstar_pervasives"
+  "fstar_tset" -> "fstar_pervasives"
+  "fstar_tset" -> "prims"
+  "fstar_tset" -> "prims"
+  "fstar_tset" -> "fstar_tset"
+  "tactics_folds" -> "tactics_utils"
+  "tactics_folds" -> "tactics_utils"
+  "tactics_folds" -> "rust_primitives_hax_folds"
+  "tactics_folds" -> "fstar_option"
+  "tactics_folds" -> "fstar_option"
+  "tactics_folds" -> "fstar_mul"
+  "tactics_folds" -> "fstar_mul"
+  "tactics_folds" -> "fstar_class_printable"
+  "tactics_folds" -> "fstar_class_printable"
+  "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers"
+  "tactics_folds" -> "fstar_tactics_v2"
+  "tactics_folds" -> "fstar_tactics_v2"
+  "tactics_folds" -> "fstar_seq_base"
+  "tactics_folds" -> "fstar_seq_base"
+  "tactics_folds" -> "fstar_list_tot"
+  "tactics_folds" -> "fstar_list_tot"
+  "tactics_folds" -> "core"
+  "tactics_folds" -> "core"
+  "tactics_folds" -> "fstar_pervasives"
+  "tactics_folds" -> "fstar_pervasives"
+  "tactics_folds" -> "prims"
+  "tactics_folds" -> "prims"
+  "fstar_vconfig" -> "fstar_pervasives"
+  "fstar_vconfig" -> "fstar_pervasives"
+  "fstar_vconfig" -> "prims"
+  "fstar_vconfig" -> "prims"
+  "fstar_reflection_v2_derived" -> "fstar_list_tot_base"
+  "fstar_reflection_v2_derived" -> "fstar_list_tot_base"
+  "fstar_reflection_v2_derived" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_derived" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_derived" -> "fstar_list_tot"
+  "fstar_reflection_v2_derived" -> "fstar_list_tot"
+  "fstar_reflection_v2_derived" -> "fstar_vconfig"
+  "fstar_reflection_v2_derived" -> "fstar_order"
+  "fstar_reflection_v2_derived" -> "fstar_order"
+  "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_data"
+  "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_reflection_v2_derived" -> "fstar_reflection_const"
+  "fstar_reflection_v2_derived" -> "fstar_reflection_const"
+  "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v2_derived" -> "fstar_pervasives"
+  "fstar_reflection_v2_derived" -> "fstar_pervasives"
+  "fstar_reflection_v2_derived" -> "prims"
+  "fstar_reflection_v2_derived" -> "prims"
+  "fstar_tset" -> "fstar_set"
+  "fstar_tset" -> "fstar_set"
+  "fstar_tset" -> "fstar_pervasives"
+  "fstar_tset" -> "fstar_pervasives"
+  "fstar_tset" -> "prims"
+  "fstar_tset" -> "prims"
+  "fstar_tactics" -> "fstar_tactics_v1"
+  "fstar_tactics" -> "fstar_tactics_v1"
+  "fstar_tactics" -> "fstar_pervasives"
+  "fstar_tactics" -> "fstar_pervasives"
+  "fstar_tactics" -> "prims"
+  "fstar_tactics" -> "prims"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_classical"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_classical"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_data"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_builtins"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives"
+  "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives"
+  "fstar_reflection_v1_derived_lemmas" -> "prims"
+  "fstar_reflection_v1_derived_lemmas" -> "prims"
+  "fstar_set" -> "fstar_pervasives"
+  "fstar_set" -> "fstar_pervasives"
+  "fstar_set" -> "prims"
+  "fstar_set" -> "prims"
+  "fstar_classical_sugar" -> "fstar_squash"
+  "fstar_classical_sugar" -> "fstar_squash"
+  "fstar_classical_sugar" -> "fstar_pervasives"
+  "fstar_classical_sugar" -> "fstar_pervasives"
+  "fstar_classical_sugar" -> "prims"
+  "fstar_classical_sugar" -> "prims"
+  "fstar_classical_sugar" -> "fstar_classical_sugar"
+  "rust_primitives_integers" -> "fstar_pervasives_native"
+  "rust_primitives_integers" -> "fstar_pervasives_native"
+  "rust_primitives_integers" -> "fstar_int"
+  "rust_primitives_integers" -> "fstar_int"
+  "rust_primitives_integers" -> "fstar_int128"
+  "rust_primitives_integers" -> "fstar_int128"
+  "rust_primitives_integers" -> "fstar_uint128"
+  "rust_primitives_integers" -> "fstar_uint128"
+  "rust_primitives_integers" -> "fstar_int64"
+  "rust_primitives_integers" -> "fstar_int64"
+  "rust_primitives_integers" -> "fstar_uint64"
+  "rust_primitives_integers" -> "fstar_uint64"
+  "rust_primitives_integers" -> "fstar_int32"
+  "rust_primitives_integers" -> "fstar_int32"
+  "rust_primitives_integers" -> "fstar_uint32"
+  "rust_primitives_integers" -> "fstar_uint32"
+  "rust_primitives_integers" -> "fstar_int16"
+  "rust_primitives_integers" -> "fstar_int16"
+  "rust_primitives_integers" -> "fstar_uint16"
+  "rust_primitives_integers" -> "fstar_uint16"
+  "rust_primitives_integers" -> "fstar_int8"
+  "rust_primitives_integers" -> "fstar_int8"
+  "rust_primitives_integers" -> "fstar_uint8"
+  "rust_primitives_integers" -> "fstar_uint8"
+  "rust_primitives_integers" -> "lib_inttypes"
+  "rust_primitives_integers" -> "lib_inttypes"
+  "rust_primitives_integers" -> "fstar_mul"
+  "rust_primitives_integers" -> "fstar_mul"
+  "rust_primitives_integers" -> "fstar_pervasives"
+  "rust_primitives_integers" -> "fstar_pervasives"
+  "rust_primitives_integers" -> "prims"
+  "rust_primitives_integers" -> "prims"
+  "fstar_squash" -> "fstar_pervasives"
+  "fstar_squash" -> "fstar_pervasives"
+  "fstar_squash" -> "prims"
+  "fstar_squash" -> "prims"
+  "fstar_stubs_reflection_types" -> "fstar_sealed"
+  "fstar_stubs_reflection_types" -> "fstar_range"
+  "fstar_stubs_reflection_types" -> "fstar_pervasives"
+  "fstar_stubs_reflection_types" -> "fstar_pervasives"
+  "fstar_stubs_reflection_types" -> "prims"
+  "fstar_stubs_reflection_types" -> "prims"
+  "fstar_tactics_v1" -> "fstar_tactics_smt"
+  "fstar_tactics_v1" -> "fstar_tactics_smt"
+  "fstar_tactics_v1" -> "fstar_tactics_visit"
+  "fstar_tactics_v1" -> "fstar_tactics_visit"
+  "fstar_tactics_v1" -> "fstar_tactics_print"
+  "fstar_tactics_v1" -> "fstar_tactics_print"
+  "fstar_tactics_v1" -> "fstar_tactics_util"
+  "fstar_tactics_v1" -> "fstar_tactics_util"
+  "fstar_tactics_v1" -> "fstar_tactics_v1_logic"
+  "fstar_tactics_v1" -> "fstar_tactics_v1_logic"
+  "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers"
+  "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers"
+  "fstar_tactics_v1" -> "fstar_tactics_v1_derived"
+  "fstar_tactics_v1" -> "fstar_tactics_v1_derived"
+  "fstar_tactics_v1" -> "fstar_stubs_tactics_v1_builtins"
+  "fstar_tactics_v1" -> "fstar_tactics_effect"
+  "fstar_tactics_v1" -> "fstar_tactics_effect"
+  "fstar_tactics_v1" -> "fstar_stubs_tactics_types"
+  "fstar_tactics_v1" -> "fstar_reflection_v1_compare"
+  "fstar_tactics_v1" -> "fstar_reflection_v1_formula"
+  "fstar_tactics_v1" -> "fstar_reflection_v1_formula"
+  "fstar_tactics_v1" -> "fstar_reflection_v1_derived"
+  "fstar_tactics_v1" -> "fstar_reflection_v1_derived"
+  "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_builtins"
+  "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_data"
+  "fstar_tactics_v1" -> "fstar_reflection_const"
+  "fstar_tactics_v1" -> "fstar_reflection_const"
+  "fstar_tactics_v1" -> "fstar_stubs_reflection_types"
+  "fstar_tactics_v1" -> "fstar_pervasives"
+  "fstar_tactics_v1" -> "fstar_pervasives"
+  "fstar_tactics_v1" -> "prims"
+  "fstar_tactics_v1" -> "prims"
+  "fstar_list_tot" -> "fstar_list_tot_properties"
+  "fstar_list_tot" -> "fstar_list_tot_properties"
+  "fstar_list_tot" -> "fstar_list_tot_base"
+  "fstar_list_tot" -> "fstar_list_tot_base"
+  "fstar_list_tot" -> "fstar_pervasives"
+  "fstar_list_tot" -> "fstar_pervasives"
+  "fstar_list_tot" -> "prims"
+  "fstar_list_tot" -> "prims"
+  "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_mapply" -> "fstar_tactics_typeclasses"
+  "fstar_tactics_mapply" -> "fstar_tactics_typeclasses"
+  "fstar_tactics_mapply" -> "fstar_tactics_effect"
+  "fstar_tactics_mapply" -> "fstar_tactics_effect"
+  "fstar_tactics_mapply" -> "fstar_reflection_v2"
+  "fstar_tactics_mapply" -> "fstar_reflection_v2"
+  "fstar_tactics_mapply" -> "fstar_pervasives"
+  "fstar_tactics_mapply" -> "fstar_pervasives"
+  "fstar_tactics_mapply" -> "prims"
+  "fstar_tactics_mapply" -> "prims"
+  "fstar_ghost" -> "fstar_pervasives"
+  "fstar_ghost" -> "fstar_pervasives"
+  "fstar_ghost" -> "prims"
+  "fstar_ghost" -> "prims"
+  "fstar_ghost" -> "fstar_ghost"
+  "fstar_bitvector" -> "fstar_seq"
+  "fstar_bitvector" -> "fstar_seq"
+  "fstar_bitvector" -> "fstar_mul"
+  "fstar_bitvector" -> "fstar_mul"
+  "fstar_bitvector" -> "fstar_pervasives"
+  "fstar_bitvector" -> "fstar_pervasives"
+  "fstar_bitvector" -> "prims"
+  "fstar_bitvector" -> "prims"
+  "core" -> "core_ops"
+  "core" -> "core_ops"
+  "core" -> "core_iter"
+  "core" -> "core_num"
+  "core" -> "rust_primitives"
+  "core" -> "rust_primitives"
+  "core" -> "fstar_pervasives"
+  "core" -> "fstar_pervasives"
+  "core" -> "prims"
+  "core" -> "prims"
+  "fstar_uint" -> "fstar_seq"
+  "fstar_uint" -> "fstar_seq"
+  "fstar_uint" -> "fstar_math_lemmas"
+  "fstar_uint" -> "fstar_math_lemmas"
+  "fstar_uint" -> "fstar_bitvector"
+  "fstar_uint" -> "fstar_bitvector"
+  "fstar_uint" -> "fstar_mul"
+  "fstar_uint" -> "fstar_mul"
+  "fstar_uint" -> "fstar_pervasives"
+  "fstar_uint" -> "fstar_pervasives"
+  "fstar_uint" -> "prims"
+  "fstar_uint" -> "prims"
+  "fstar_tactics_v2_syntaxcoercions" -> "fstar_sealed"
+  "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_builtins"
+  "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives"
+  "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives"
+  "fstar_tactics_v2_syntaxcoercions" -> "prims"
+  "fstar_tactics_v2_syntaxcoercions" -> "prims"
+  "fstar_tactics_v2_logic" -> "fstar_pervasives_native"
+  "fstar_tactics_v2_logic" -> "fstar_pervasives_native"
+  "fstar_tactics_v2_logic" -> "fstar_squash"
+  "fstar_tactics_v2_logic" -> "fstar_squash"
+  "fstar_tactics_v2_logic" -> "fstar_indefinitedescription"
+  "fstar_tactics_v2_logic" -> "fstar_indefinitedescription"
+  "fstar_tactics_v2_logic" -> "fstar_classical"
+  "fstar_tactics_v2_logic" -> "fstar_classical"
+  "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple"
+  "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_util"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_util"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_effect"
+  "fstar_tactics_v2_logic" -> "fstar_tactics_effect"
+  "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_v2_logic" -> "fstar_reflection_v2"
+  "fstar_tactics_v2_logic" -> "fstar_reflection_v2"
+  "fstar_tactics_v2_logic" -> "fstar_pervasives"
+  "fstar_tactics_v2_logic" -> "fstar_pervasives"
+  "fstar_tactics_v2_logic" -> "prims"
+  "fstar_tactics_v2_logic" -> "prims"
+  "fstar_uint" -> "fstar_calc"
+  "fstar_uint" -> "fstar_calc"
+  "fstar_uint" -> "fstar_seq_base"
+  "fstar_uint" -> "fstar_seq_base"
+  "fstar_uint" -> "fstar_classical"
+  "fstar_uint" -> "fstar_classical"
+  "fstar_uint" -> "fstar_seq"
+  "fstar_uint" -> "fstar_seq"
+  "fstar_uint" -> "fstar_math_lib"
+  "fstar_uint" -> "fstar_math_lib"
+  "fstar_uint" -> "fstar_math_lemmas"
+  "fstar_uint" -> "fstar_math_lemmas"
+  "fstar_uint" -> "fstar_bitvector"
+  "fstar_uint" -> "fstar_bitvector"
+  "fstar_uint" -> "fstar_mul"
+  "fstar_uint" -> "fstar_mul"
+  "fstar_uint" -> "fstar_pervasives"
+  "fstar_uint" -> "fstar_pervasives"
+  "fstar_uint" -> "prims"
+  "fstar_uint" -> "prims"
+  "fstar_uint" -> "fstar_uint"
+  "fstar_uint8" -> "fstar_uint32"
+  "fstar_uint8" -> "fstar_uint32"
+  "fstar_uint8" -> "fstar_mul"
+  "fstar_uint8" -> "fstar_mul"
+  "fstar_uint8" -> "fstar_uint"
+  "fstar_uint8" -> "fstar_uint"
+  "fstar_uint8" -> "fstar_pervasives"
+  "fstar_uint8" -> "fstar_pervasives"
+  "fstar_uint8" -> "prims"
+  "fstar_uint8" -> "prims"
+  "fstar_uint8" -> "fstar_uint8"
+  "fstar_monotonic_pure" -> "fstar_pervasives"
+  "fstar_monotonic_pure" -> "fstar_pervasives"
+  "fstar_monotonic_pure" -> "prims"
+  "fstar_monotonic_pure" -> "prims"
+  "core_ops_index" -> "fstar_tactics_typeclasses"
+  "core_ops_index" -> "fstar_tactics_typeclasses"
+  "core_ops_index" -> "fstar_pervasives"
+  "core_ops_index" -> "fstar_pervasives"
+  "core_ops_index" -> "prims"
+  "core_ops_index" -> "prims"
+  "fstar_uint64" -> "fstar_uint32"
+  "fstar_uint64" -> "fstar_uint32"
+  "fstar_uint64" -> "fstar_mul"
+  "fstar_uint64" -> "fstar_mul"
+  "fstar_uint64" -> "fstar_uint"
+  "fstar_uint64" -> "fstar_uint"
+  "fstar_uint64" -> "fstar_pervasives"
+  "fstar_uint64" -> "fstar_pervasives"
+  "fstar_uint64" -> "prims"
+  "fstar_uint64" -> "prims"
+  "fstar_uint64" -> "fstar_uint64"
+  "fstar_float" -> "fstar_pervasives"
+  "fstar_float" -> "fstar_pervasives"
+  "fstar_float" -> "prims"
+  "fstar_float" -> "prims"
+  "fstar_reflection_v2_compare" -> "fstar_ghost"
+  "fstar_reflection_v2_compare" -> "fstar_ghost"
+  "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas"
+  "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas"
+  "fstar_reflection_v2_compare" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_compare" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_compare" -> "fstar_order"
+  "fstar_reflection_v2_compare" -> "fstar_order"
+  "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived"
+  "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived"
+  "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data"
+  "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v2_compare" -> "fstar_pervasives"
+  "fstar_reflection_v2_compare" -> "fstar_pervasives"
+  "fstar_reflection_v2_compare" -> "prims"
+  "fstar_reflection_v2_compare" -> "prims"
+  "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare"
+  "fstar_int" -> "fstar_uint"
+  "fstar_int" -> "fstar_uint"
+  "fstar_int" -> "fstar_seq"
+  "fstar_int" -> "fstar_seq"
+  "fstar_int" -> "fstar_math_lib"
+  "fstar_int" -> "fstar_math_lib"
+  "fstar_int" -> "fstar_math_lemmas"
+  "fstar_int" -> "fstar_math_lemmas"
+  "fstar_int" -> "fstar_bitvector"
+  "fstar_int" -> "fstar_bitvector"
+  "fstar_int" -> "fstar_mul"
+  "fstar_int" -> "fstar_mul"
+  "fstar_int" -> "fstar_pervasives"
+  "fstar_int" -> "fstar_pervasives"
+  "fstar_int" -> "prims"
+  "fstar_int" -> "prims"
+  "fstar_int" -> "fstar_int"
+  "fstar_int16" -> "fstar_uint"
+  "fstar_int16" -> "fstar_uint"
+  "fstar_int16" -> "fstar_uint32"
+  "fstar_int16" -> "fstar_uint32"
+  "fstar_int16" -> "fstar_mul"
+  "fstar_int16" -> "fstar_mul"
+  "fstar_int16" -> "fstar_int"
+  "fstar_int16" -> "fstar_int"
+  "fstar_int16" -> "fstar_pervasives"
+  "fstar_int16" -> "fstar_pervasives"
+  "fstar_int16" -> "prims"
+  "fstar_int16" -> "prims"
+  "fstar_list" -> "fstar_pervasives_native"
+  "fstar_list" -> "fstar_pervasives_native"
+  "fstar_list" -> "fstar_list_tot"
+  "fstar_list" -> "fstar_list_tot"
+  "fstar_list" -> "fstar_all"
+  "fstar_list" -> "fstar_all"
+  "fstar_list" -> "fstar_pervasives"
+  "fstar_list" -> "fstar_pervasives"
+  "fstar_list" -> "prims"
+  "fstar_list" -> "prims"
+  "fstar_predicateextensionality" -> "fstar_propositionalextensionality"
+  "fstar_predicateextensionality" -> "fstar_propositionalextensionality"
+  "fstar_predicateextensionality" -> "fstar_functionalextensionality"
+  "fstar_predicateextensionality" -> "fstar_functionalextensionality"
+  "fstar_predicateextensionality" -> "fstar_pervasives"
+  "fstar_predicateextensionality" -> "fstar_pervasives"
+  "fstar_predicateextensionality" -> "prims"
+  "fstar_predicateextensionality" -> "prims"
+  "fstar_reflection_v1_derived" -> "fstar_list_tot_base"
+  "fstar_reflection_v1_derived" -> "fstar_list_tot_base"
+  "fstar_reflection_v1_derived" -> "fstar_pervasives_native"
+  "fstar_reflection_v1_derived" -> "fstar_pervasives_native"
+  "fstar_reflection_v1_derived" -> "fstar_vconfig"
+  "fstar_reflection_v1_derived" -> "fstar_order"
+  "fstar_reflection_v1_derived" -> "fstar_order"
+  "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_data"
+  "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_builtins"
+  "fstar_reflection_v1_derived" -> "fstar_reflection_const"
+  "fstar_reflection_v1_derived" -> "fstar_reflection_const"
+  "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v1_derived" -> "fstar_pervasives"
+  "fstar_reflection_v1_derived" -> "fstar_pervasives"
+  "fstar_reflection_v1_derived" -> "prims"
+  "fstar_reflection_v1_derived" -> "prims"
+  "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited"
+  "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited"
+  "fstar_stubs_reflection_v2_data" -> "fstar_stubs_reflection_types"
+  "fstar_stubs_reflection_v2_data" -> "fstar_stubs_syntax_syntax"
+  "fstar_stubs_reflection_v2_data" -> "fstar_pervasives"
+  "fstar_stubs_reflection_v2_data" -> "fstar_pervasives"
+  "fstar_stubs_reflection_v2_data" -> "prims"
+  "fstar_stubs_reflection_v2_data" -> "prims"
+  "fstar_stubs_reflection_v1_builtins" -> "fstar_vconfig"
+  "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_v1_data"
+  "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_types"
+  "fstar_stubs_reflection_v1_builtins" -> "fstar_order"
+  "fstar_stubs_reflection_v1_builtins" -> "fstar_order"
+  "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives"
+  "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives"
+  "fstar_stubs_reflection_v1_builtins" -> "prims"
+  "fstar_stubs_reflection_v1_builtins" -> "prims"
+  "fstar_uint128" -> "fstar_uint64"
+  "fstar_uint128" -> "fstar_uint64"
+  "fstar_uint128" -> "fstar_uint32"
+  "fstar_uint128" -> "fstar_uint32"
+  "fstar_uint128" -> "fstar_mul"
+  "fstar_uint128" -> "fstar_mul"
+  "fstar_uint128" -> "fstar_uint"
+  "fstar_uint128" -> "fstar_uint"
+  "fstar_uint128" -> "fstar_pervasives"
+  "fstar_uint128" -> "fstar_pervasives"
+  "fstar_uint128" -> "prims"
+  "fstar_uint128" -> "prims"
+  "fstar_reflection_v2_arith" -> "fstar_classical"
+  "fstar_reflection_v2_arith" -> "fstar_classical"
+  "fstar_reflection_v2_arith" -> "fstar_list_tot"
+  "fstar_reflection_v2_arith" -> "fstar_list_tot"
+  "fstar_reflection_v2_arith" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_arith" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_arith" -> "fstar_list_tot_base"
+  "fstar_reflection_v2_arith" -> "fstar_list_tot_base"
+  "fstar_reflection_v2_arith" -> "fstar_order"
+  "fstar_reflection_v2_arith" -> "fstar_order"
+  "fstar_reflection_v2_arith" -> "fstar_reflection_v2"
+  "fstar_reflection_v2_arith" -> "fstar_reflection_v2"
+  "fstar_reflection_v2_arith" -> "fstar_tactics_v2"
+  "fstar_reflection_v2_arith" -> "fstar_tactics_v2"
+  "fstar_reflection_v2_arith" -> "fstar_pervasives"
+  "fstar_reflection_v2_arith" -> "fstar_pervasives"
+  "fstar_reflection_v2_arith" -> "prims"
+  "fstar_reflection_v2_arith" -> "prims"
+  "fstar_functionalextensionality" -> "fstar_pervasives"
+  "fstar_functionalextensionality" -> "fstar_pervasives"
+  "fstar_functionalextensionality" -> "prims"
+  "fstar_functionalextensionality" -> "prims"
+  "fstar_reflection_termeq" -> "fstar_classical_sugar"
+  "fstar_reflection_termeq" -> "fstar_classical_sugar"
+  "fstar_reflection_termeq" -> "fstar_sealed"
+  "fstar_reflection_termeq" -> "fstar_pervasives_native"
+  "fstar_reflection_termeq" -> "fstar_pervasives_native"
+  "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle"
+  "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle"
+  "fstar_reflection_termeq" -> "fstar_list_tot"
+  "fstar_reflection_termeq" -> "fstar_list_tot"
+  "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data"
+  "fstar_reflection_termeq" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_termeq" -> "fstar_pervasives"
+  "fstar_reflection_termeq" -> "fstar_pervasives"
+  "fstar_reflection_termeq" -> "prims"
+  "fstar_reflection_termeq" -> "prims"
+  "fstar_reflection_termeq" -> "fstar_reflection_termeq"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_classical"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_classical"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_data"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives"
+  "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives"
+  "fstar_reflection_v2_derived_lemmas" -> "prims"
+  "fstar_reflection_v2_derived_lemmas" -> "prims"
+  "core_ops_range" -> "rust_primitives_hax"
+  "core_ops_range" -> "rust_primitives_hax"
+  "core_ops_range" -> "fstar_seq"
+  "core_ops_range" -> "fstar_seq"
+  "core_ops_range" -> "core_ops_index"
+  "core_ops_range" -> "core_ops_index"
+  "core_ops_range" -> "fstar_tactics_typeclasses"
+  "core_ops_range" -> "fstar_tactics_typeclasses"
+  "core_ops_range" -> "fstar_pervasives_native"
+  "core_ops_range" -> "fstar_pervasives_native"
+  "core_ops_range" -> "core_iter_traits_iterator"
+  "core_ops_range" -> "core_iter_traits_iterator"
+  "core_ops_range" -> "rust_primitives"
+  "core_ops_range" -> "rust_primitives"
+  "core_ops_range" -> "fstar_pervasives"
+  "core_ops_range" -> "fstar_pervasives"
+  "core_ops_range" -> "prims"
+  "core_ops_range" -> "prims"
+  "core_iter_traits_iterator" -> "fstar_tactics_typeclasses"
+  "core_iter_traits_iterator" -> "fstar_tactics_typeclasses"
+  "core_iter_traits_iterator" -> "core_iter_adapters_step_by"
+  "core_iter_traits_iterator" -> "core_iter_adapters_step_by"
+  "core_iter_traits_iterator" -> "core_iter_adapters_enumerate"
+  "core_iter_traits_iterator" -> "core_iter_adapters_enumerate"
+  "core_iter_traits_iterator" -> "rust_primitives"
+  "core_iter_traits_iterator" -> "rust_primitives"
+  "core_iter_traits_iterator" -> "fstar_pervasives"
+  "core_iter_traits_iterator" -> "fstar_pervasives"
+  "core_iter_traits_iterator" -> "prims"
+  "core_iter_traits_iterator" -> "prims"
+  "fstar_bv" -> "fstar_list"
+  "fstar_bv" -> "fstar_list"
+  "fstar_bv" -> "fstar_uint"
+  "fstar_bv" -> "fstar_uint"
+  "fstar_bv" -> "fstar_pervasives"
+  "fstar_bv" -> "fstar_pervasives"
+  "fstar_bv" -> "prims"
+  "fstar_bv" -> "prims"
+  "fstar_math_lemmas" -> "fstar_calc"
+  "fstar_math_lemmas" -> "fstar_calc"
+  "fstar_math_lemmas" -> "fstar_math_lib"
+  "fstar_math_lemmas" -> "fstar_math_lib"
+  "fstar_math_lemmas" -> "fstar_mul"
+  "fstar_math_lemmas" -> "fstar_mul"
+  "fstar_math_lemmas" -> "fstar_pervasives"
+  "fstar_math_lemmas" -> "fstar_pervasives"
+  "fstar_math_lemmas" -> "prims"
+  "fstar_math_lemmas" -> "prims"
+  "fstar_math_lemmas" -> "fstar_math_lemmas"
+  "fstar_tactics_builtins" -> "fstar_stubs_tactics_v1_builtins"
+  "fstar_tactics_builtins" -> "fstar_pervasives"
+  "fstar_tactics_builtins" -> "fstar_pervasives"
+  "fstar_tactics_builtins" -> "prims"
+  "fstar_tactics_builtins" -> "prims"
+  "fstar_string" -> "fstar_all"
+  "fstar_string" -> "fstar_all"
+  "fstar_string" -> "fstar_list"
+  "fstar_string" -> "fstar_list"
+  "fstar_string" -> "fstar_char"
+  "fstar_string" -> "fstar_list_tot"
+  "fstar_string" -> "fstar_list_tot"
+  "fstar_string" -> "fstar_pervasives"
+  "fstar_string" -> "fstar_pervasives"
+  "fstar_string" -> "prims"
+  "fstar_string" -> "prims"
+  "fstar_pervasives" -> "prims"
+  "fstar_pervasives" -> "prims"
+  "fstar_pervasives" -> "fstar_pervasives"
+  "fstar_tactics_util" -> "fstar_pervasives_native"
+  "fstar_tactics_util" -> "fstar_pervasives_native"
+  "fstar_tactics_util" -> "fstar_list_tot_base"
+  "fstar_tactics_util" -> "fstar_list_tot_base"
+  "fstar_tactics_util" -> "fstar_tactics_effect"
+  "fstar_tactics_util" -> "fstar_tactics_effect"
+  "fstar_tactics_util" -> "fstar_pervasives"
+  "fstar_tactics_util" -> "fstar_pervasives"
+  "fstar_tactics_util" -> "prims"
+  "fstar_tactics_util" -> "prims"
+  "core_slice_iter" -> "rust_primitives"
+  "core_slice_iter" -> "rust_primitives"
+  "core_slice_iter" -> "fstar_pervasives"
+  "core_slice_iter" -> "fstar_pervasives"
+  "core_slice_iter" -> "prims"
+  "core_slice_iter" -> "prims"
+  "core_ops_control_flow" -> "fstar_pervasives"
+  "core_ops_control_flow" -> "fstar_pervasives"
+  "core_ops_control_flow" -> "prims"
+  "core_ops_control_flow" -> "prims"
+  "core_slice" -> "fstar_tactics_typeclasses"
+  "core_slice" -> "fstar_tactics_typeclasses"
+  "core_slice" -> "core_ops_index"
+  "core_slice" -> "core_ops_index"
+  "core_slice" -> "core_slice_iter"
+  "core_slice" -> "core_slice_iter"
+  "core_slice" -> "fstar_seq"
+  "core_slice" -> "fstar_seq"
+  "core_slice" -> "rust_primitives_integers"
+  "core_slice" -> "rust_primitives_integers"
+  "core_slice" -> "rust_primitives_arrays"
+  "core_slice" -> "rust_primitives_arrays"
+  "core_slice" -> "fstar_pervasives"
+  "core_slice" -> "fstar_pervasives"
+  "core_slice" -> "prims"
+  "core_slice" -> "prims"
+  "fstar_all" -> "fstar_exn"
+  "fstar_all" -> "fstar_exn"
+  "fstar_all" -> "fstar_st"
+  "fstar_all" -> "fstar_st"
+  "fstar_all" -> "fstar_heap"
+  "fstar_all" -> "fstar_heap"
+  "fstar_all" -> "fstar_pervasives"
+  "fstar_all" -> "fstar_pervasives"
+  "fstar_all" -> "prims"
+  "fstar_all" -> "prims"
+  "fstar_ghost" -> "fstar_pervasives"
+  "fstar_ghost" -> "fstar_pervasives"
+  "fstar_ghost" -> "prims"
+  "fstar_ghost" -> "prims"
+  "fstar_indefinitedescription" -> "fstar_ghost"
+  "fstar_indefinitedescription" -> "fstar_ghost"
+  "fstar_indefinitedescription" -> "fstar_pervasives"
+  "fstar_indefinitedescription" -> "fstar_pervasives"
+  "fstar_indefinitedescription" -> "prims"
+  "fstar_indefinitedescription" -> "prims"
+  "fstar_list_tot_properties" -> "fstar_classical"
+  "fstar_list_tot_properties" -> "fstar_classical"
+  "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle"
+  "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle"
+  "fstar_list_tot_properties" -> "fstar_classical_sugar"
+  "fstar_list_tot_properties" -> "fstar_classical_sugar"
+  "fstar_list_tot_properties" -> "fstar_pervasives_native"
+  "fstar_list_tot_properties" -> "fstar_pervasives_native"
+  "fstar_list_tot_properties" -> "fstar_list_tot_base"
+  "fstar_list_tot_properties" -> "fstar_list_tot_base"
+  "fstar_list_tot_properties" -> "fstar_pervasives"
+  "fstar_list_tot_properties" -> "fstar_pervasives"
+  "fstar_list_tot_properties" -> "prims"
+  "fstar_list_tot_properties" -> "prims"
+  "fstar_stubs_syntax_syntax" -> "fstar_stubs_reflection_types"
+  "fstar_stubs_syntax_syntax" -> "fstar_pervasives"
+  "fstar_stubs_syntax_syntax" -> "fstar_pervasives"
+  "fstar_stubs_syntax_syntax" -> "prims"
+  "fstar_stubs_syntax_syntax" -> "prims"
+  "core_ops_arith" -> "fstar_tactics_typeclasses"
+  "core_ops_arith" -> "fstar_tactics_typeclasses"
+  "core_ops_arith" -> "rust_primitives"
+  "core_ops_arith" -> "rust_primitives"
+  "core_ops_arith" -> "fstar_pervasives"
+  "core_ops_arith" -> "fstar_pervasives"
+  "core_ops_arith" -> "prims"
+  "core_ops_arith" -> "prims"
+  "rust_primitives_hax_folds" -> "fstar_math_lemmas"
+  "rust_primitives_hax_folds" -> "fstar_math_lemmas"
+  "rust_primitives_hax_folds" -> "lib_inttypes"
+  "rust_primitives_hax_folds" -> "lib_inttypes"
+  "rust_primitives_hax_folds" -> "fstar_seq"
+  "rust_primitives_hax_folds" -> "fstar_seq"
+  "rust_primitives_hax_folds" -> "fstar_mul"
+  "rust_primitives_hax_folds" -> "fstar_mul"
+  "rust_primitives_hax_folds" -> "core_ops_range"
+  "rust_primitives_hax_folds" -> "rust_primitives"
+  "rust_primitives_hax_folds" -> "rust_primitives"
+  "rust_primitives_hax_folds" -> "fstar_pervasives"
+  "rust_primitives_hax_folds" -> "fstar_pervasives"
+  "rust_primitives_hax_folds" -> "prims"
+  "rust_primitives_hax_folds" -> "prims"
+  "fstar_strongexcludedmiddle" -> "fstar_pervasives"
+  "fstar_strongexcludedmiddle" -> "fstar_pervasives"
+  "fstar_strongexcludedmiddle" -> "prims"
+  "fstar_strongexcludedmiddle" -> "prims"
+  "fstar_uint8" -> "fstar_uint32"
+  "fstar_uint8" -> "fstar_uint32"
+  "fstar_uint8" -> "fstar_mul"
+  "fstar_uint8" -> "fstar_mul"
+  "fstar_uint8" -> "fstar_uint"
+  "fstar_uint8" -> "fstar_uint"
+  "fstar_uint8" -> "fstar_pervasives"
+  "fstar_uint8" -> "fstar_pervasives"
+  "fstar_uint8" -> "prims"
+  "fstar_uint8" -> "prims"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_issue"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_pprint"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_unseal"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_tactics_types"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_data"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_types"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_vconfig"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives"
+  "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives"
+  "fstar_stubs_tactics_v2_builtins" -> "prims"
+  "fstar_stubs_tactics_v2_builtins" -> "prims"
+  "rust_primitives_arrays" -> "fstar_pervasives_native"
+  "rust_primitives_arrays" -> "fstar_pervasives_native"
+  "rust_primitives_arrays" -> "lib_inttypes"
+  "rust_primitives_arrays" -> "lib_inttypes"
+  "rust_primitives_arrays" -> "fstar_list_tot"
+  "rust_primitives_arrays" -> "fstar_list_tot"
+  "rust_primitives_arrays" -> "fstar_seq"
+  "rust_primitives_arrays" -> "fstar_seq"
+  "rust_primitives_arrays" -> "fstar_mul"
+  "rust_primitives_arrays" -> "fstar_mul"
+  "rust_primitives_arrays" -> "rust_primitives_integers"
+  "rust_primitives_arrays" -> "rust_primitives_integers"
+  "rust_primitives_arrays" -> "fstar_pervasives"
+  "rust_primitives_arrays" -> "fstar_pervasives"
+  "rust_primitives_arrays" -> "prims"
+  "rust_primitives_arrays" -> "prims"
+  "fstar_reflection_v1" -> "fstar_reflection_v1_compare"
+  "fstar_reflection_v1" -> "fstar_reflection_const"
+  "fstar_reflection_v1" -> "fstar_reflection_const"
+  "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas"
+  "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas"
+  "fstar_reflection_v1" -> "fstar_reflection_v1_derived"
+  "fstar_reflection_v1" -> "fstar_reflection_v1_derived"
+  "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_builtins"
+  "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_data"
+  "fstar_reflection_v1" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v1" -> "fstar_pervasives"
+  "fstar_reflection_v1" -> "fstar_pervasives"
+  "fstar_reflection_v1" -> "prims"
+  "fstar_reflection_v1" -> "prims"
+  "fstar_bv" -> "fstar_math_lemmas"
+  "fstar_bv" -> "fstar_math_lemmas"
+  "fstar_bv" -> "fstar_seq"
+  "fstar_bv" -> "fstar_seq"
+  "fstar_bv" -> "fstar_bitvector"
+  "fstar_bv" -> "fstar_bitvector"
+  "fstar_bv" -> "fstar_uint"
+  "fstar_bv" -> "fstar_uint"
+  "fstar_bv" -> "fstar_pervasives"
+  "fstar_bv" -> "fstar_pervasives"
+  "fstar_bv" -> "prims"
+  "fstar_bv" -> "prims"
+  "fstar_bv" -> "fstar_bv"
+  "fstar_list_tot_base" -> "fstar_classical_sugar"
+  "fstar_list_tot_base" -> "fstar_classical_sugar"
+  "fstar_list_tot_base" -> "fstar_pervasives_native"
+  "fstar_list_tot_base" -> "fstar_pervasives_native"
+  "fstar_list_tot_base" -> "fstar_pervasives"
+  "fstar_list_tot_base" -> "fstar_pervasives"
+  "fstar_list_tot_base" -> "prims"
+  "fstar_list_tot_base" -> "prims"
+  "fstar_math_lib" -> "fstar_mul"
+  "fstar_math_lib" -> "fstar_mul"
+  "fstar_math_lib" -> "fstar_pervasives"
+  "fstar_math_lib" -> "fstar_pervasives"
+  "fstar_math_lib" -> "prims"
+  "fstar_math_lib" -> "prims"
+  "core_num" -> "fstar_tactics_typeclasses"
+  "core_num" -> "fstar_tactics_typeclasses"
+  "core_num" -> "core_ops_arith"
+  "core_num" -> "core_num_error"
+  "core_num" -> "core_result"
+  "core_num" -> "core_result"
+  "core_num" -> "fstar_math_lemmas"
+  "core_num" -> "fstar_math_lemmas"
+  "core_num" -> "lib_inttypes"
+  "core_num" -> "lib_inttypes"
+  "core_num" -> "fstar_uint128"
+  "core_num" -> "fstar_uint128"
+  "core_num" -> "fstar_uint32"
+  "core_num" -> "fstar_uint32"
+  "core_num" -> "rust_primitives"
+  "core_num" -> "rust_primitives"
+  "core_num" -> "fstar_pervasives"
+  "core_num" -> "fstar_pervasives"
+  "core_num" -> "prims"
+  "core_num" -> "prims"
+  "fstar_math_lemmas" -> "fstar_mul"
+  "fstar_math_lemmas" -> "fstar_mul"
+  "fstar_math_lemmas" -> "fstar_pervasives"
+  "fstar_math_lemmas" -> "fstar_pervasives"
+  "fstar_math_lemmas" -> "prims"
+  "fstar_math_lemmas" -> "prims"
+  "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_termeq_simple" -> "fstar_pervasives"
+  "fstar_reflection_termeq_simple" -> "fstar_pervasives"
+  "fstar_reflection_termeq_simple" -> "prims"
+  "fstar_reflection_termeq_simple" -> "prims"
+  "fstar_int16" -> "fstar_uint32"
+  "fstar_int16" -> "fstar_uint32"
+  "fstar_int16" -> "fstar_math_lemmas"
+  "fstar_int16" -> "fstar_math_lemmas"
+  "fstar_int16" -> "fstar_mul"
+  "fstar_int16" -> "fstar_mul"
+  "fstar_int16" -> "fstar_int"
+  "fstar_int16" -> "fstar_int"
+  "fstar_int16" -> "fstar_pervasives"
+  "fstar_int16" -> "fstar_pervasives"
+  "fstar_int16" -> "prims"
+  "fstar_int16" -> "prims"
+  "fstar_int16" -> "fstar_int16"
+  "bitvec_utils" -> "rust_primitives_bitvectors"
+  "bitvec_utils" -> "rust_primitives_bitvectors"
+  "bitvec_utils" -> "bitvec_equality"
+  "bitvec_utils" -> "bitvec_equality"
+  "bitvec_utils" -> "fstar_functionalextensionality"
+  "bitvec_utils" -> "fstar_functionalextensionality"
+  "bitvec_utils" -> "core"
+  "bitvec_utils" -> "core"
+  "bitvec_utils" -> "fstar_pervasives"
+  "bitvec_utils" -> "fstar_pervasives"
+  "bitvec_utils" -> "prims"
+  "bitvec_utils" -> "prims"
+  "fstar_tactics_typeclasses" -> "fstar_stubs_pprint"
+  "fstar_tactics_typeclasses" -> "fstar_list_tot"
+  "fstar_tactics_typeclasses" -> "fstar_list_tot"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_util"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_util"
+  "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple"
+  "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple"
+  "fstar_tactics_typeclasses" -> "fstar_pervasives_native"
+  "fstar_tactics_typeclasses" -> "fstar_pervasives_native"
+  "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_tactics_typeclasses" -> "fstar_list_tot_base"
+  "fstar_tactics_typeclasses" -> "fstar_list_tot_base"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_namedview"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_namedview"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers"
+  "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_effect"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_effect"
+  "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_common"
+  "fstar_tactics_typeclasses" -> "fstar_reflection_v2"
+  "fstar_tactics_typeclasses" -> "fstar_reflection_v2"
+  "fstar_tactics_typeclasses" -> "fstar_pervasives"
+  "fstar_tactics_typeclasses" -> "fstar_pervasives"
+  "fstar_tactics_typeclasses" -> "prims"
+  "fstar_tactics_typeclasses" -> "prims"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses"
+  "rust_primitives_integers" -> "fstar_int_cast"
+  "rust_primitives_integers" -> "fstar_int_cast"
+  "rust_primitives_integers" -> "fstar_pervasives"
+  "rust_primitives_integers" -> "fstar_pervasives"
+  "rust_primitives_integers" -> "prims"
+  "rust_primitives_integers" -> "prims"
+  "rust_primitives_integers" -> "rust_primitives_integers"
+  "fstar_tactics_namedview" -> "fstar_range"
+  "fstar_tactics_namedview" -> "fstar_reflection_v2"
+  "fstar_tactics_namedview" -> "fstar_reflection_v2"
+  "fstar_tactics_namedview" -> "fstar_tactics_effect"
+  "fstar_tactics_namedview" -> "fstar_tactics_effect"
+  "fstar_tactics_namedview" -> "fstar_pervasives"
+  "fstar_tactics_namedview" -> "fstar_pervasives"
+  "fstar_tactics_namedview" -> "prims"
+  "fstar_tactics_namedview" -> "prims"
+  "fstar_reflection_v2" -> "fstar_reflection_v2_compare"
+  "fstar_reflection_v2" -> "fstar_reflection_v2_compare"
+  "fstar_reflection_v2" -> "fstar_reflection_const"
+  "fstar_reflection_v2" -> "fstar_reflection_const"
+  "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas"
+  "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas"
+  "fstar_reflection_v2" -> "fstar_reflection_v2_derived"
+  "fstar_reflection_v2" -> "fstar_reflection_v2_derived"
+  "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_data"
+  "fstar_reflection_v2" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v2" -> "fstar_pervasives"
+  "fstar_reflection_v2" -> "fstar_pervasives"
+  "fstar_reflection_v2" -> "prims"
+  "fstar_reflection_v2" -> "prims"
+  "fstar_int_cast" -> "fstar_int"
+  "fstar_int_cast" -> "fstar_int"
+  "fstar_int_cast" -> "fstar_int64"
+  "fstar_int_cast" -> "fstar_int64"
+  "fstar_int_cast" -> "fstar_int32"
+  "fstar_int_cast" -> "fstar_int32"
+  "fstar_int_cast" -> "fstar_int16"
+  "fstar_int_cast" -> "fstar_int16"
+  "fstar_int_cast" -> "fstar_int8"
+  "fstar_int_cast" -> "fstar_int8"
+  "fstar_int_cast" -> "fstar_uint64"
+  "fstar_int_cast" -> "fstar_uint64"
+  "fstar_int_cast" -> "fstar_uint32"
+  "fstar_int_cast" -> "fstar_uint32"
+  "fstar_int_cast" -> "fstar_uint16"
+  "fstar_int_cast" -> "fstar_uint16"
+  "fstar_int_cast" -> "fstar_uint8"
+  "fstar_int_cast" -> "fstar_uint8"
+  "fstar_int_cast" -> "fstar_pervasives"
+  "fstar_int_cast" -> "fstar_pervasives"
+  "fstar_int_cast" -> "prims"
+  "fstar_int_cast" -> "prims"
+  "fstar_stubs_errors_msg" -> "fstar_stubs_pprint"
+  "fstar_stubs_errors_msg" -> "fstar_pervasives"
+  "fstar_stubs_errors_msg" -> "fstar_pervasives"
+  "fstar_stubs_errors_msg" -> "prims"
+  "fstar_stubs_errors_msg" -> "prims"
+  "fstar_tactics_mapply" -> "fstar_squash"
+  "fstar_tactics_mapply" -> "fstar_squash"
+  "fstar_tactics_mapply" -> "fstar_tactics_typeclasses"
+  "fstar_tactics_mapply" -> "fstar_tactics_typeclasses"
+  "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_mapply" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_mapply" -> "fstar_tactics_v2_derived"
+  "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers"
+  "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers"
+  "fstar_tactics_mapply" -> "fstar_tactics_namedview"
+  "fstar_tactics_mapply" -> "fstar_tactics_namedview"
+  "fstar_tactics_mapply" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_tactics_mapply" -> "fstar_tactics_effect"
+  "fstar_tactics_mapply" -> "fstar_tactics_effect"
+  "fstar_tactics_mapply" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_mapply" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_mapply" -> "fstar_reflection_v2"
+  "fstar_tactics_mapply" -> "fstar_reflection_v2"
+  "fstar_tactics_mapply" -> "fstar_pervasives"
+  "fstar_tactics_mapply" -> "fstar_pervasives"
+  "fstar_tactics_mapply" -> "prims"
+  "fstar_tactics_mapply" -> "prims"
+  "fstar_tactics_mapply" -> "fstar_tactics_mapply"
+  "fstar_monotonic_heap" -> "fstar_preorder"
+  "fstar_monotonic_heap" -> "fstar_preorder"
+  "fstar_monotonic_heap" -> "fstar_tset"
+  "fstar_monotonic_heap" -> "fstar_tset"
+  "fstar_monotonic_heap" -> "fstar_set"
+  "fstar_monotonic_heap" -> "fstar_set"
+  "fstar_monotonic_heap" -> "fstar_pervasives"
+  "fstar_monotonic_heap" -> "fstar_pervasives"
+  "fstar_monotonic_heap" -> "prims"
+  "fstar_monotonic_heap" -> "prims"
+  "fstar_stubs_tactics_common" -> "fstar_range"
+  "fstar_stubs_tactics_common" -> "fstar_stubs_errors_msg"
+  "fstar_stubs_tactics_common" -> "fstar_pervasives"
+  "fstar_stubs_tactics_common" -> "fstar_pervasives"
+  "fstar_stubs_tactics_common" -> "prims"
+  "fstar_stubs_tactics_common" -> "prims"
+  "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited"
+  "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited"
+  "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_types"
+  "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_builtins"
+  "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_data"
+  "fstar_stubs_reflection_v1_data" -> "fstar_pervasives"
+  "fstar_stubs_reflection_v1_data" -> "fstar_pervasives"
+  "fstar_stubs_reflection_v1_data" -> "prims"
+  "fstar_stubs_reflection_v1_data" -> "prims"
+  "fstar_seq_base" -> "fstar_list_tot"
+  "fstar_seq_base" -> "fstar_list_tot"
+  "fstar_seq_base" -> "fstar_pervasives"
+  "fstar_seq_base" -> "fstar_pervasives"
+  "fstar_seq_base" -> "prims"
+  "fstar_seq_base" -> "prims"
+  "fstar_seq_base" -> "fstar_seq_base"
+  "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality"
+  "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality"
+  "fstar_tactics_v2_derived" -> "fstar_squash"
+  "fstar_tactics_v2_derived" -> "fstar_squash"
+  "fstar_tactics_v2_derived" -> "fstar_range"
+  "fstar_tactics_v2_derived" -> "fstar_pervasives_native"
+  "fstar_tactics_v2_derived" -> "fstar_pervasives_native"
+  "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple"
+  "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_visit"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_visit"
+  "fstar_tactics_v2_derived" -> "fstar_list_tot_base"
+  "fstar_tactics_v2_derived" -> "fstar_list_tot_base"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2_derived" -> "fstar_vconfig"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_util"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_util"
+  "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_result"
+  "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_types"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_effect"
+  "fstar_tactics_v2_derived" -> "fstar_tactics_effect"
+  "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula"
+  "fstar_tactics_v2_derived" -> "fstar_reflection_v2"
+  "fstar_tactics_v2_derived" -> "fstar_reflection_v2"
+  "fstar_tactics_v2_derived" -> "fstar_pervasives"
+  "fstar_tactics_v2_derived" -> "fstar_pervasives"
+  "fstar_tactics_v2_derived" -> "prims"
+  "fstar_tactics_v2_derived" -> "prims"
+  "fstar_uint128" -> "fstar_pervasives_native"
+  "fstar_uint128" -> "fstar_pervasives_native"
+  "fstar_uint128" -> "fstar_int_cast"
+  "fstar_uint128" -> "fstar_int_cast"
+  "fstar_uint128" -> "fstar_calc"
+  "fstar_uint128" -> "fstar_calc"
+  "fstar_uint128" -> "fstar_classical_sugar"
+  "fstar_uint128" -> "fstar_classical_sugar"
+  "fstar_uint128" -> "fstar_tactics_effect"
+  "fstar_uint128" -> "fstar_tactics_effect"
+  "fstar_uint128" -> "fstar_tactics_bv"
+  "fstar_uint128" -> "fstar_tactics_bv"
+  "fstar_uint128" -> "fstar_tactics_v2"
+  "fstar_uint128" -> "fstar_tactics_v2"
+  "fstar_uint128" -> "fstar_bv"
+  "fstar_uint128" -> "fstar_bv"
+  "fstar_uint128" -> "fstar_math_lemmas"
+  "fstar_uint128" -> "fstar_math_lemmas"
+  "fstar_uint128" -> "fstar_uint64"
+  "fstar_uint128" -> "fstar_uint64"
+  "fstar_uint128" -> "fstar_uint32"
+  "fstar_uint128" -> "fstar_uint32"
+  "fstar_uint128" -> "fstar_bitvector"
+  "fstar_uint128" -> "fstar_bitvector"
+  "fstar_uint128" -> "fstar_seq"
+  "fstar_uint128" -> "fstar_seq"
+  "fstar_uint128" -> "fstar_uint"
+  "fstar_uint128" -> "fstar_uint"
+  "fstar_uint128" -> "fstar_mul"
+  "fstar_uint128" -> "fstar_mul"
+  "fstar_uint128" -> "fstar_pervasives"
+  "fstar_uint128" -> "fstar_pervasives"
+  "fstar_uint128" -> "prims"
+  "fstar_uint128" -> "prims"
+  "fstar_uint128" -> "fstar_uint128"
+  "bitvec_equality" -> "fstar_functionalextensionality"
+  "bitvec_equality" -> "fstar_functionalextensionality"
+  "bitvec_equality" -> "fstar_mul"
+  "bitvec_equality" -> "fstar_mul"
+  "bitvec_equality" -> "rust_primitives"
+  "bitvec_equality" -> "rust_primitives"
+  "bitvec_equality" -> "core"
+  "bitvec_equality" -> "core"
+  "bitvec_equality" -> "fstar_pervasives"
+  "bitvec_equality" -> "fstar_pervasives"
+  "bitvec_equality" -> "prims"
+  "bitvec_equality" -> "prims"
+  "fstar_int8" -> "fstar_uint"
+  "fstar_int8" -> "fstar_uint"
+  "fstar_int8" -> "fstar_uint32"
+  "fstar_int8" -> "fstar_uint32"
+  "fstar_int8" -> "fstar_mul"
+  "fstar_int8" -> "fstar_mul"
+  "fstar_int8" -> "fstar_int"
+  "fstar_int8" -> "fstar_int"
+  "fstar_int8" -> "fstar_pervasives"
+  "fstar_int8" -> "fstar_pervasives"
+  "fstar_int8" -> "prims"
+  "fstar_int8" -> "prims"
+  "rust_primitives_arrays" -> "fstar_seq"
+  "rust_primitives_arrays" -> "fstar_seq"
+  "rust_primitives_arrays" -> "lib_inttypes"
+  "rust_primitives_arrays" -> "lib_inttypes"
+  "rust_primitives_arrays" -> "fstar_list_tot"
+  "rust_primitives_arrays" -> "fstar_list_tot"
+  "rust_primitives_arrays" -> "rust_primitives_integers"
+  "rust_primitives_arrays" -> "rust_primitives_integers"
+  "rust_primitives_arrays" -> "fstar_pervasives"
+  "rust_primitives_arrays" -> "fstar_pervasives"
+  "rust_primitives_arrays" -> "prims"
+  "rust_primitives_arrays" -> "prims"
+  "rust_primitives_arrays" -> "rust_primitives_arrays"
+  "fstar_int128" -> "fstar_int64"
+  "fstar_int128" -> "fstar_int64"
+  "fstar_int128" -> "fstar_uint"
+  "fstar_int128" -> "fstar_uint"
+  "fstar_int128" -> "fstar_uint32"
+  "fstar_int128" -> "fstar_uint32"
+  "fstar_int128" -> "fstar_mul"
+  "fstar_int128" -> "fstar_mul"
+  "fstar_int128" -> "fstar_int"
+  "fstar_int128" -> "fstar_int"
+  "fstar_int128" -> "fstar_pervasives"
+  "fstar_int128" -> "fstar_pervasives"
+  "fstar_int128" -> "prims"
+  "fstar_int128" -> "prims"
+  "fstar_uint16" -> "fstar_uint32"
+  "fstar_uint16" -> "fstar_uint32"
+  "fstar_uint16" -> "fstar_mul"
+  "fstar_uint16" -> "fstar_mul"
+  "fstar_uint16" -> "fstar_uint"
+  "fstar_uint16" -> "fstar_uint"
+  "fstar_uint16" -> "fstar_pervasives"
+  "fstar_uint16" -> "fstar_pervasives"
+  "fstar_uint16" -> "prims"
+  "fstar_uint16" -> "prims"
+  "fstar_calc" -> "fstar_range"
+  "fstar_calc" -> "fstar_preorder"
+  "fstar_calc" -> "fstar_preorder"
+  "fstar_calc" -> "fstar_pervasives"
+  "fstar_calc" -> "fstar_pervasives"
+  "fstar_calc" -> "prims"
+  "fstar_calc" -> "prims"
+  "bitvec_equality" -> "fstar_functionalextensionality"
+  "bitvec_equality" -> "fstar_functionalextensionality"
+  "bitvec_equality" -> "fstar_mul"
+  "bitvec_equality" -> "fstar_mul"
+  "bitvec_equality" -> "rust_primitives"
+  "bitvec_equality" -> "rust_primitives"
+  "bitvec_equality" -> "core"
+  "bitvec_equality" -> "core"
+  "bitvec_equality" -> "fstar_pervasives"
+  "bitvec_equality" -> "fstar_pervasives"
+  "bitvec_equality" -> "prims"
+  "bitvec_equality" -> "prims"
+  "bitvec_equality" -> "bitvec_equality"
+  "fstar_sealed" -> "fstar_pervasives"
+  "fstar_sealed" -> "fstar_pervasives"
+  "fstar_sealed" -> "prims"
+  "fstar_sealed" -> "prims"
+  "fstar_int" -> "fstar_seq"
+  "fstar_int" -> "fstar_seq"
+  "fstar_int" -> "fstar_uint"
+  "fstar_int" -> "fstar_uint"
+  "fstar_int" -> "fstar_math_lemmas"
+  "fstar_int" -> "fstar_math_lemmas"
+  "fstar_int" -> "fstar_bitvector"
+  "fstar_int" -> "fstar_bitvector"
+  "fstar_int" -> "fstar_mul"
+  "fstar_int" -> "fstar_mul"
+  "fstar_int" -> "fstar_pervasives"
+  "fstar_int" -> "fstar_pervasives"
+  "fstar_int" -> "prims"
+  "fstar_int" -> "prims"
+  "fstar_uint64" -> "fstar_uint32"
+  "fstar_uint64" -> "fstar_uint32"
+  "fstar_uint64" -> "fstar_mul"
+  "fstar_uint64" -> "fstar_mul"
+  "fstar_uint64" -> "fstar_uint"
+  "fstar_uint64" -> "fstar_uint"
+  "fstar_uint64" -> "fstar_pervasives"
+  "fstar_uint64" -> "fstar_pervasives"
+  "fstar_uint64" -> "prims"
+  "fstar_uint64" -> "prims"
+  "fstar_indefinitedescription" -> "fstar_ghost"
+  "fstar_indefinitedescription" -> "fstar_ghost"
+  "fstar_indefinitedescription" -> "fstar_squash"
+  "fstar_indefinitedescription" -> "fstar_squash"
+  "fstar_indefinitedescription" -> "fstar_classical"
+  "fstar_indefinitedescription" -> "fstar_classical"
+  "fstar_indefinitedescription" -> "fstar_pervasives"
+  "fstar_indefinitedescription" -> "fstar_pervasives"
+  "fstar_indefinitedescription" -> "prims"
+  "fstar_indefinitedescription" -> "prims"
+  "fstar_indefinitedescription" -> "fstar_indefinitedescription"
+  "fstar_int64" -> "fstar_uint32"
+  "fstar_int64" -> "fstar_uint32"
+  "fstar_int64" -> "fstar_math_lemmas"
+  "fstar_int64" -> "fstar_math_lemmas"
+  "fstar_int64" -> "fstar_mul"
+  "fstar_int64" -> "fstar_mul"
+  "fstar_int64" -> "fstar_int"
+  "fstar_int64" -> "fstar_int"
+  "fstar_int64" -> "fstar_pervasives"
+  "fstar_int64" -> "fstar_pervasives"
+  "fstar_int64" -> "prims"
+  "fstar_int64" -> "prims"
+  "fstar_int64" -> "fstar_int64"
+  "fstar_classical_sugar" -> "fstar_pervasives"
+  "fstar_classical_sugar" -> "fstar_pervasives"
+  "fstar_classical_sugar" -> "prims"
+  "fstar_classical_sugar" -> "prims"
+  "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq"
+  "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq"
+  "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_termeq_simple" -> "fstar_pervasives"
+  "fstar_reflection_termeq_simple" -> "fstar_pervasives"
+  "fstar_reflection_termeq_simple" -> "prims"
+  "fstar_reflection_termeq_simple" -> "prims"
+  "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq_simple"
+  "fstar_pervasives_native" -> "prims"
+  "fstar_pervasives_native" -> "prims"
+  "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_effect"
+  "fstar_tactics_typeclasses" -> "fstar_tactics_effect"
+  "fstar_tactics_typeclasses" -> "fstar_pervasives"
+  "fstar_tactics_typeclasses" -> "fstar_pervasives"
+  "fstar_tactics_typeclasses" -> "prims"
+  "fstar_tactics_typeclasses" -> "prims"
+  "fstar_stubs_pprint" -> "fstar_float"
+  "fstar_stubs_pprint" -> "fstar_char"
+  "fstar_stubs_pprint" -> "fstar_pervasives"
+  "fstar_stubs_pprint" -> "fstar_pervasives"
+  "fstar_stubs_pprint" -> "prims"
+  "fstar_stubs_pprint" -> "prims"
+  "fstar_sealed_inhabited" -> "fstar_sealed"
+  "fstar_sealed_inhabited" -> "fstar_pervasives"
+  "fstar_sealed_inhabited" -> "fstar_pervasives"
+  "fstar_sealed_inhabited" -> "prims"
+  "fstar_sealed_inhabited" -> "prims"
+  "fstar_tactics_namedview" -> "fstar_list_tot"
+  "fstar_tactics_namedview" -> "fstar_list_tot"
+  "fstar_tactics_namedview" -> "fstar_pervasives_native"
+  "fstar_tactics_namedview" -> "fstar_pervasives_native"
+  "fstar_tactics_namedview" -> "fstar_stubs_reflection_v2_data"
+  "fstar_tactics_namedview" -> "fstar_reflection_v2"
+  "fstar_tactics_namedview" -> "fstar_reflection_v2"
+  "fstar_tactics_namedview" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_tactics_namedview" -> "fstar_tactics_util"
+  "fstar_tactics_namedview" -> "fstar_tactics_util"
+  "fstar_tactics_namedview" -> "fstar_tactics_effect"
+  "fstar_tactics_namedview" -> "fstar_tactics_effect"
+  "fstar_tactics_namedview" -> "fstar_pervasives"
+  "fstar_tactics_namedview" -> "fstar_pervasives"
+  "fstar_tactics_namedview" -> "prims"
+  "fstar_tactics_namedview" -> "prims"
+  "fstar_tactics_namedview" -> "fstar_tactics_namedview"
+  "fstar_heap" -> "fstar_preorder"
+  "fstar_heap" -> "fstar_preorder"
+  "fstar_heap" -> "fstar_monotonic_heap"
+  "fstar_heap" -> "fstar_monotonic_heap"
+  "fstar_heap" -> "fstar_pervasives"
+  "fstar_heap" -> "fstar_pervasives"
+  "fstar_heap" -> "prims"
+  "fstar_heap" -> "prims"
+  "mkseq" -> "fstar_tactics_effect"
+  "mkseq" -> "fstar_tactics_effect"
+  "mkseq" -> "fstar_classical"
+  "mkseq" -> "fstar_classical"
+  "mkseq" -> "fstar_list_tot"
+  "mkseq" -> "fstar_list_tot"
+  "mkseq" -> "fstar_pervasives_native"
+  "mkseq" -> "fstar_pervasives_native"
+  "mkseq" -> "fstar_tactics"
+  "mkseq" -> "fstar_tactics"
+  "mkseq" -> "fstar_seq"
+  "mkseq" -> "fstar_seq"
+  "mkseq" -> "fstar_reflection_v2"
+  "mkseq" -> "fstar_reflection_v2"
+  "mkseq" -> "rust_primitives_integers"
+  "mkseq" -> "rust_primitives_integers"
+  "mkseq" -> "fstar_tactics_v2"
+  "mkseq" -> "fstar_tactics_v2"
+  "mkseq" -> "core"
+  "mkseq" -> "core"
+  "mkseq" -> "fstar_pervasives"
+  "mkseq" -> "fstar_pervasives"
+  "mkseq" -> "prims"
+  "mkseq" -> "prims"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_types"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives"
+  "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives"
+  "fstar_tactics_v2_syntaxhelpers" -> "prims"
+  "fstar_tactics_v2_syntaxhelpers" -> "prims"
+  "bitvec_intrinsics_constants" -> "fstar_tactics_visit"
+  "bitvec_intrinsics_constants" -> "fstar_tactics_visit"
+  "bitvec_intrinsics_constants" -> "tactics_seq"
+  "bitvec_intrinsics_constants" -> "tactics_seq"
+  "bitvec_intrinsics_constants" -> "tactics_pow2"
+  "bitvec_intrinsics_constants" -> "tactics_pow2"
+  "bitvec_intrinsics_constants" -> "fstar_tactics_effect"
+  "bitvec_intrinsics_constants" -> "fstar_tactics_effect"
+  "bitvec_intrinsics_constants" -> "fstar_list_tot"
+  "bitvec_intrinsics_constants" -> "fstar_list_tot"
+  "bitvec_intrinsics_constants" -> "fstar_reflection_v2"
+  "bitvec_intrinsics_constants" -> "fstar_reflection_v2"
+  "bitvec_intrinsics_constants" -> "fstar_pervasives_native"
+  "bitvec_intrinsics_constants" -> "fstar_pervasives_native"
+  "bitvec_intrinsics_constants" -> "fstar_tactics"
+  "bitvec_intrinsics_constants" -> "fstar_tactics"
+  "bitvec_intrinsics_constants" -> "tactics_utils"
+  "bitvec_intrinsics_constants" -> "tactics_utils"
+  "bitvec_intrinsics_constants" -> "fstar_tactics_v2"
+  "bitvec_intrinsics_constants" -> "fstar_tactics_v2"
+  "bitvec_intrinsics_constants" -> "fstar_int32"
+  "bitvec_intrinsics_constants" -> "fstar_int32"
+  "bitvec_intrinsics_constants" -> "fstar_int16"
+  "bitvec_intrinsics_constants" -> "fstar_int16"
+  "bitvec_intrinsics_constants" -> "bitvec_equality"
+  "bitvec_intrinsics_constants" -> "bitvec_equality"
+  "bitvec_intrinsics_constants" -> "bitvec_utils"
+  "bitvec_intrinsics_constants" -> "bitvec_utils"
+  "bitvec_intrinsics_constants" -> "fstar_functionalextensionality"
+  "bitvec_intrinsics_constants" -> "fstar_functionalextensionality"
+  "bitvec_intrinsics_constants" -> "fstar_mul"
+  "bitvec_intrinsics_constants" -> "fstar_mul"
+  "bitvec_intrinsics_constants" -> "rust_primitives"
+  "bitvec_intrinsics_constants" -> "rust_primitives"
+  "bitvec_intrinsics_constants" -> "core"
+  "bitvec_intrinsics_constants" -> "core"
+  "bitvec_intrinsics_constants" -> "fstar_pervasives"
+  "bitvec_intrinsics_constants" -> "fstar_pervasives"
+  "bitvec_intrinsics_constants" -> "prims"
+  "bitvec_intrinsics_constants" -> "prims"
+  "fstar_order" -> "fstar_pervasives_native"
+  "fstar_order" -> "fstar_pervasives_native"
+  "fstar_order" -> "fstar_pervasives"
+  "fstar_order" -> "fstar_pervasives"
+  "fstar_order" -> "prims"
+  "fstar_order" -> "prims"
+  "fstar_tactics_effect" -> "fstar_range"
+  "fstar_tactics_effect" -> "fstar_stubs_tactics_result"
+  "fstar_tactics_effect" -> "fstar_stubs_tactics_types"
+  "fstar_tactics_effect" -> "fstar_stubs_reflection_types"
+  "fstar_tactics_effect" -> "fstar_monotonic_pure"
+  "fstar_tactics_effect" -> "fstar_monotonic_pure"
+  "fstar_tactics_effect" -> "fstar_pervasives"
+  "fstar_tactics_effect" -> "fstar_pervasives"
+  "fstar_tactics_effect" -> "prims"
+  "fstar_tactics_effect" -> "prims"
+  "core_ops" -> "core_ops_index"
+  "core_ops" -> "core_ops_index"
+  "core_ops" -> "fstar_tactics_typeclasses"
+  "core_ops" -> "fstar_tactics_typeclasses"
+  "core_ops" -> "rust_primitives"
+  "core_ops" -> "rust_primitives"
+  "core_ops" -> "fstar_pervasives"
+  "core_ops" -> "fstar_pervasives"
+  "core_ops" -> "prims"
+  "core_ops" -> "prims"
+  "libcrux_intrinsics_avx2_extract" -> "fstar_mul"
+  "libcrux_intrinsics_avx2_extract" -> "core"
+  "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives"
+  "libcrux_intrinsics_avx2_extract" -> "prims"
+  "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract"
+  "core_result" -> "fstar_pervasives"
+  "core_result" -> "fstar_pervasives"
+  "core_result" -> "prims"
+  "core_result" -> "prims"
+  "fstar_monotonic_heap" -> "fstar_erasedlogic"
+  "fstar_monotonic_heap" -> "fstar_erasedlogic"
+  "fstar_monotonic_heap" -> "fstar_squash"
+  "fstar_monotonic_heap" -> "fstar_squash"
+  "fstar_monotonic_heap" -> "fstar_set"
+  "fstar_monotonic_heap" -> "fstar_set"
+  "fstar_monotonic_heap" -> "fstar_pervasives_native"
+  "fstar_monotonic_heap" -> "fstar_pervasives_native"
+  "fstar_monotonic_heap" -> "fstar_functionalextensionality"
+  "fstar_monotonic_heap" -> "fstar_functionalextensionality"
+  "fstar_monotonic_heap" -> "fstar_classical"
+  "fstar_monotonic_heap" -> "fstar_classical"
+  "fstar_monotonic_heap" -> "fstar_preorder"
+  "fstar_monotonic_heap" -> "fstar_preorder"
+  "fstar_monotonic_heap" -> "fstar_pervasives"
+  "fstar_monotonic_heap" -> "fstar_pervasives"
+  "fstar_monotonic_heap" -> "prims"
+  "fstar_monotonic_heap" -> "prims"
+  "fstar_monotonic_heap" -> "fstar_monotonic_heap"
+  "fstar_tactics_smt" -> "fstar_vconfig"
+  "fstar_tactics_smt" -> "fstar_stubs_tactics_v2_builtins"
+  "fstar_tactics_smt" -> "fstar_tactics_effect"
+  "fstar_tactics_smt" -> "fstar_tactics_effect"
+  "fstar_tactics_smt" -> "fstar_pervasives"
+  "fstar_tactics_smt" -> "fstar_pervasives"
+  "fstar_tactics_smt" -> "prims"
+  "fstar_tactics_smt" -> "prims"
+  "fstar_reflection_v2_compare" -> "fstar_order"
+  "fstar_reflection_v2_compare" -> "fstar_order"
+  "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data"
+  "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v2_compare" -> "fstar_pervasives"
+  "fstar_reflection_v2_compare" -> "fstar_pervasives"
+  "fstar_reflection_v2_compare" -> "prims"
+  "fstar_reflection_v2_compare" -> "prims"
+  "fstar_int64" -> "fstar_uint"
+  "fstar_int64" -> "fstar_uint"
+  "fstar_int64" -> "fstar_uint32"
+  "fstar_int64" -> "fstar_uint32"
+  "fstar_int64" -> "fstar_mul"
+  "fstar_int64" -> "fstar_mul"
+  "fstar_int64" -> "fstar_int"
+  "fstar_int64" -> "fstar_int"
+  "fstar_int64" -> "fstar_pervasives"
+  "fstar_int64" -> "fstar_pervasives"
+  "fstar_int64" -> "prims"
+  "fstar_int64" -> "prims"
+  "core_iter_adapters_enumerate" -> "rust_primitives"
+  "core_iter_adapters_enumerate" -> "rust_primitives"
+  "core_iter_adapters_enumerate" -> "fstar_pervasives"
+  "core_iter_adapters_enumerate" -> "fstar_pervasives"
+  "core_iter_adapters_enumerate" -> "prims"
+  "core_iter_adapters_enumerate" -> "prims"
+  "fstar_reflection_v1_formula" -> "fstar_pervasives_native"
+  "fstar_reflection_v1_formula" -> "fstar_pervasives_native"
+  "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_data"
+  "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived"
+  "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived"
+  "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_builtins"
+  "fstar_reflection_v1_formula" -> "fstar_reflection_const"
+  "fstar_reflection_v1_formula" -> "fstar_reflection_const"
+  "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_types"
+  "fstar_reflection_v1_formula" -> "fstar_stubs_tactics_v1_builtins"
+  "fstar_reflection_v1_formula" -> "fstar_tactics_effect"
+  "fstar_reflection_v1_formula" -> "fstar_tactics_effect"
+  "fstar_reflection_v1_formula" -> "fstar_list_tot_base"
+  "fstar_reflection_v1_formula" -> "fstar_list_tot_base"
+  "fstar_reflection_v1_formula" -> "fstar_pervasives"
+  "fstar_reflection_v1_formula" -> "fstar_pervasives"
+  "fstar_reflection_v1_formula" -> "prims"
+  "fstar_reflection_v1_formula" -> "prims"
+}
diff --git a/libcrux-intrinsics/Cargo.toml b/libcrux-intrinsics/Cargo.toml
index cdc0acc2b..f0126871a 100644
--- a/libcrux-intrinsics/Cargo.toml
+++ b/libcrux-intrinsics/Cargo.toml
@@ -11,6 +11,7 @@ description = "Libcrux intrinsics crate"
 exclude = ["/proofs"]
 
 [dependencies]
+hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }
 
 [features]
 simd128 = []
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst
new file mode 100644
index 000000000..e23020d49
--- /dev/null
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst
@@ -0,0 +1,391 @@
+module Libcrux_intrinsics.Arm64_extract
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+assume
+val v__vaddq_s16': lhs: u8 -> rhs: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vaddq_s16 = v__vaddq_s16'
+
+assume
+val v__vaddq_u32': compressed: u8 -> half: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vaddq_u32 = v__vaddq_u32'
+
+assume
+val v__vaddv_u16': a: u8 -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vaddv_u16 = v__vaddv_u16'
+
+assume
+val v__vaddvq_s16': a: u8 -> Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vaddvq_s16 = v__vaddvq_s16'
+
+assume
+val v__vaddvq_u16': a: u8 -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vaddvq_u16 = v__vaddvq_u16'
+
+assume
+val v__vandq_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vandq_s16 = v__vandq_s16'
+
+assume
+val v__vandq_u16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vandq_u16 = v__vandq_u16'
+
+assume
+val v__vandq_u32': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vandq_u32 = v__vandq_u32'
+
+assume
+val v__vbicq_u64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vbicq_u64 = v__vbicq_u64'
+
+assume
+val v__vcgeq_s16': v: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vcgeq_s16 = v__vcgeq_s16'
+
+assume
+val v__vcleq_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vcleq_s16 = v__vcleq_s16'
+
+assume
+val v__vdupq_n_s16': i: i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vdupq_n_s16 = v__vdupq_n_s16'
+
+assume
+val v__vdupq_n_u16': value: u16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vdupq_n_u16 = v__vdupq_n_u16'
+
+assume
+val v__vdupq_n_u32': value: u32 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vdupq_n_u32 = v__vdupq_n_u32'
+
+assume
+val v__vdupq_n_u64': i: u64 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vdupq_n_u64 = v__vdupq_n_u64'
+
+assume
+val v__veorq_s16': mask: u8 -> shifted: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__veorq_s16 = v__veorq_s16'
+
+assume
+val v__veorq_u64': mask: u8 -> shifted: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__veorq_u64 = v__veorq_u64'
+
+assume
+val v__vget_high_u16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vget_high_u16 = v__vget_high_u16'
+
+assume
+val v__vget_low_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vget_low_s16 = v__vget_low_s16'
+
+assume
+val v__vget_low_u16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vget_low_u16 = v__vget_low_u16'
+
+assume
+val v__vld1q_bytes_u64': array: t_Slice u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vld1q_bytes_u64 = v__vld1q_bytes_u64'
+
+assume
+val v__vld1q_s16': array: t_Slice i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vld1q_s16 = v__vld1q_s16'
+
+assume
+val v__vld1q_u16': ptr: t_Slice u16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vld1q_u16 = v__vld1q_u16'
+
+assume
+val v__vld1q_u64': array: t_Slice u64 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vld1q_u64 = v__vld1q_u64'
+
+assume
+val v__vld1q_u8': ptr: t_Slice u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vld1q_u8 = v__vld1q_u8'
+
+assume
+val v__vmlal_high_s16': a: u8 -> b: u8 -> c: u8
+  -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vmlal_high_s16 = v__vmlal_high_s16'
+
+assume
+val v__vmlal_s16': a: u8 -> b: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vmlal_s16 = v__vmlal_s16'
+
+assume
+val v__vmull_high_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vmull_high_s16 = v__vmull_high_s16'
+
+assume
+val v__vmull_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vmull_s16 = v__vmull_s16'
+
+assume
+val v__vmulq_n_s16': v: u8 -> c: i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vmulq_n_s16 = v__vmulq_n_s16'
+
+assume
+val v__vmulq_n_u16': v: u8 -> c: u16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vmulq_n_u16 = v__vmulq_n_u16'
+
+assume
+val v__vmulq_n_u32': a: u8 -> b: u32 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vmulq_n_u32 = v__vmulq_n_u32'
+
+assume
+val v__vmulq_s16': v: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vmulq_s16 = v__vmulq_s16'
+
+assume
+val v__vqdmulhq_n_s16': k: u8 -> b: i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vqdmulhq_n_s16 = v__vqdmulhq_n_s16'
+
+assume
+val v__vqdmulhq_n_s32': a: u8 -> b: i32 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vqdmulhq_n_s32 = v__vqdmulhq_n_s32'
+
+assume
+val v__vqdmulhq_s16': v: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vqdmulhq_s16 = v__vqdmulhq_s16'
+
+assume
+val v__vqtbl1q_u8': t: u8 -> idx: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vqtbl1q_u8 = v__vqtbl1q_u8'
+
+assume
+val v__vreinterpretq_s16_s32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_s16_s32 = v__vreinterpretq_s16_s32'
+
+assume
+val v__vreinterpretq_s16_s64': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_s16_s64 = v__vreinterpretq_s16_s64'
+
+assume
+val v__vreinterpretq_s16_u16': m0: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_s16_u16 = v__vreinterpretq_s16_u16'
+
+assume
+val v__vreinterpretq_s16_u32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_s16_u32 = v__vreinterpretq_s16_u32'
+
+assume
+val v__vreinterpretq_s16_u8': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_s16_u8 = v__vreinterpretq_s16_u8'
+
+assume
+val v__vreinterpretq_s32_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_s32_s16 = v__vreinterpretq_s32_s16'
+
+assume
+val v__vreinterpretq_s32_u32': compressed: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_s32_u32 = v__vreinterpretq_s32_u32'
+
+assume
+val v__vreinterpretq_s64_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_s64_s16 = v__vreinterpretq_s64_s16'
+
+assume
+val v__vreinterpretq_s64_s32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_s64_s32 = v__vreinterpretq_s64_s32'
+
+assume
+val v__vreinterpretq_u16_s16': m0: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_u16_s16 = v__vreinterpretq_u16_s16'
+
+assume
+val v__vreinterpretq_u16_u8': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_u16_u8 = v__vreinterpretq_u16_u8'
+
+assume
+val v__vreinterpretq_u32_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_u32_s16 = v__vreinterpretq_u32_s16'
+
+assume
+val v__vreinterpretq_u32_s32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_u32_s32 = v__vreinterpretq_u32_s32'
+
+assume
+val v__vreinterpretq_u8_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_u8_s16 = v__vreinterpretq_u8_s16'
+
+assume
+val v__vreinterpretq_u8_s64': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vreinterpretq_u8_s64 = v__vreinterpretq_u8_s64'
+
+assume
+val v__vshlq_n_s16': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vshlq_n_s16 (v_SHIFT_BY: i32) = v__vshlq_n_s16' v_SHIFT_BY
+
+assume
+val v__vshlq_n_u32': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vshlq_n_u32 (v_SHIFT_BY: i32) = v__vshlq_n_u32' v_SHIFT_BY
+
+assume
+val v__vshlq_n_u64': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vshlq_n_u64 (v_SHIFT_BY: i32) = v__vshlq_n_u64' v_SHIFT_BY
+
+assume
+val v__vshlq_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vshlq_s16 = v__vshlq_s16'
+
+assume
+val v__vshlq_u16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vshlq_u16 = v__vshlq_u16'
+
+assume
+val v__vshrq_n_s16': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vshrq_n_s16 (v_SHIFT_BY: i32) = v__vshrq_n_s16' v_SHIFT_BY
+
+assume
+val v__vshrq_n_u16': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vshrq_n_u16 (v_SHIFT_BY: i32) = v__vshrq_n_u16' v_SHIFT_BY
+
+assume
+val v__vshrq_n_u32': v_N: i32 -> a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vshrq_n_u32 (v_N: i32) = v__vshrq_n_u32' v_N
+
+assume
+val v__vshrq_n_u64': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vshrq_n_u64 (v_SHIFT_BY: i32) = v__vshrq_n_u64' v_SHIFT_BY
+
+assume
+val v__vsliq_n_s32': v_N: i32 -> a: u8 -> b: u8
+  -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vsliq_n_s32 (v_N: i32) = v__vsliq_n_s32' v_N
+
+assume
+val v__vsliq_n_s64': v_N: i32 -> a: u8 -> b: u8
+  -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vsliq_n_s64 (v_N: i32) = v__vsliq_n_s64' v_N
+
+assume
+val v__vst1q_bytes_u64': out: t_Slice u8 -> v: u8
+  -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vst1q_bytes_u64 = v__vst1q_bytes_u64'
+
+assume
+val v__vst1q_s16': out: t_Slice i16 -> v: u8
+  -> Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vst1q_s16 = v__vst1q_s16'
+
+assume
+val v__vst1q_u64': out: t_Slice u64 -> v: u8
+  -> Prims.Pure (t_Slice u64) Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vst1q_u64 = v__vst1q_u64'
+
+assume
+val v__vst1q_u8': out: t_Slice u8 -> v: u8
+  -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vst1q_u8 = v__vst1q_u8'
+
+assume
+val v__vsubq_s16': lhs: u8 -> rhs: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vsubq_s16 = v__vsubq_s16'
+
+assume
+val v__vtrn1q_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vtrn1q_s16 = v__vtrn1q_s16'
+
+assume
+val v__vtrn1q_s32': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vtrn1q_s32 = v__vtrn1q_s32'
+
+assume
+val v__vtrn1q_s64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vtrn1q_s64 = v__vtrn1q_s64'
+
+assume
+val v__vtrn1q_u64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vtrn1q_u64 = v__vtrn1q_u64'
+
+assume
+val v__vtrn2q_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vtrn2q_s16 = v__vtrn2q_s16'
+
+assume
+val v__vtrn2q_s32': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vtrn2q_s32 = v__vtrn2q_s32'
+
+assume
+val v__vtrn2q_s64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vtrn2q_s64 = v__vtrn2q_s64'
+
+assume
+val v__vtrn2q_u64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let v__vtrn2q_u64 = v__vtrn2q_u64'
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst
new file mode 100644
index 000000000..5cf54bf43
--- /dev/null
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst
@@ -0,0 +1,463 @@
+module Libcrux_intrinsics.Avx2_extract
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+assume
+val mm256_movemask_ps': a: u8 -> Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_movemask_ps = mm256_movemask_ps'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_3': Core.Clone.t_Clone t_Vec128
+
+let impl_3 = impl_3'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2': Core.Marker.t_Copy t_Vec128
+
+let impl_2 = impl_2'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Core.Clone.t_Clone t_Vec256
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Marker.t_Copy t_Vec256
+
+let impl_1 = impl_1'
+
+assume
+val mm256_abs_epi32': a: t_Vec256 -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_abs_epi32 = mm256_abs_epi32'
+
+assume
+val mm256_add_epi16': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec256 = result in
+          vec256_as_i16x16 result ==
+          Spec.Utils.map2 ( +. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
+
+let mm256_add_epi16 = mm256_add_epi16'
+
+assume
+val mm256_add_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_add_epi32 = mm256_add_epi32'
+
+assume
+val mm256_add_epi64': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_add_epi64 = mm256_add_epi64'
+
+assume
+val mm256_andnot_si256': a: t_Vec256 -> b: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_andnot_si256 = mm256_andnot_si256'
+
+assume
+val mm256_blend_epi16': v_CONTROL: i32 -> lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_blend_epi16 (v_CONTROL: i32) = mm256_blend_epi16' v_CONTROL
+
+assume
+val mm256_blend_epi32': v_CONTROL: i32 -> lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_blend_epi32 (v_CONTROL: i32) = mm256_blend_epi32' v_CONTROL
+
+assume
+val mm256_bsrli_epi128': v_SHIFT_BY: i32 -> x: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_bsrli_epi128 (v_SHIFT_BY: i32) = mm256_bsrli_epi128' v_SHIFT_BY
+
+assume
+val mm256_castsi128_si256': vector: t_Vec128
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_castsi128_si256 = mm256_castsi128_si256'
+
+assume
+val mm256_castsi256_ps': a: t_Vec256 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_castsi256_ps = mm256_castsi256_ps'
+
+assume
+val mm256_cmpeq_epi32': a: t_Vec256 -> b: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_cmpeq_epi32 = mm256_cmpeq_epi32'
+
+assume
+val mm256_cmpgt_epi16': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_cmpgt_epi16 = mm256_cmpgt_epi16'
+
+assume
+val mm256_cmpgt_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_cmpgt_epi32 = mm256_cmpgt_epi32'
+
+assume
+val mm256_cvtepi16_epi32': vector: t_Vec128
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_cvtepi16_epi32 = mm256_cvtepi16_epi32'
+
+assume
+val mm256_inserti128_si256': v_CONTROL: i32 -> vector: t_Vec256 -> vector_i128: t_Vec128
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_inserti128_si256 (v_CONTROL: i32) = mm256_inserti128_si256' v_CONTROL
+
+assume
+val mm256_loadu_si256_i16': input: t_Slice i16
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_loadu_si256_i16 = mm256_loadu_si256_i16'
+
+assume
+val mm256_loadu_si256_i32': input: t_Slice i32
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_loadu_si256_i32 = mm256_loadu_si256_i32'
+
+assume
+val mm256_loadu_si256_u8': input: t_Slice u8
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_loadu_si256_u8 = mm256_loadu_si256_u8'
+
+assume
+val mm256_mul_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_mul_epi32 = mm256_mul_epi32'
+
+assume
+val mm256_mul_epu32': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_mul_epu32 = mm256_mul_epu32'
+
+assume
+val mm256_mulhi_epi16': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec256 = result in
+          vec256_as_i16x16 result ==
+          Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+            (vec256_as_i16x16 lhs)
+            (vec256_as_i16x16 rhs))
+
+let mm256_mulhi_epi16 = mm256_mulhi_epi16'
+
+assume
+val mm256_mullo_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_mullo_epi32 = mm256_mullo_epi32'
+
+assume
+val mm256_or_si256': a: t_Vec256 -> b: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_or_si256 = mm256_or_si256'
+
+assume
+val mm256_packs_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_packs_epi32 = mm256_packs_epi32'
+
+assume
+val mm256_permute2x128_si256': v_IMM8: i32 -> a: t_Vec256 -> b: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_permute2x128_si256 (v_IMM8: i32) = mm256_permute2x128_si256' v_IMM8
+
+assume
+val mm256_permute4x64_epi64': v_CONTROL: i32 -> vector: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_permute4x64_epi64 (v_CONTROL: i32) = mm256_permute4x64_epi64' v_CONTROL
+
+assume
+val mm256_set1_epi32': constant: i32 -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_set1_epi32 = mm256_set1_epi32'
+
+assume
+val mm256_set1_epi64x': a: i64 -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_set1_epi64x = mm256_set1_epi64x'
+
+assume
+val mm256_set_epi64x': input3: i64 -> input2: i64 -> input1: i64 -> input0: i64
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_set_epi64x = mm256_set_epi64x'
+
+assume
+val mm256_set_m128i': hi: t_Vec128 -> lo: t_Vec128
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_set_m128i = mm256_set_m128i'
+
+assume
+val mm256_setzero_si256': Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_setzero_si256 = mm256_setzero_si256'
+
+assume
+val mm256_shuffle_epi32': v_CONTROL: i32 -> vector: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_shuffle_epi32 (v_CONTROL: i32) = mm256_shuffle_epi32' v_CONTROL
+
+assume
+val mm256_sign_epi32': a: t_Vec256 -> b: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_sign_epi32 = mm256_sign_epi32'
+
+assume
+val mm256_slli_epi32': v_SHIFT_BY: i32 -> vector: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_slli_epi32 (v_SHIFT_BY: i32) = mm256_slli_epi32' v_SHIFT_BY
+
+assume
+val mm256_slli_epi64': v_LEFT: i32 -> x: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_slli_epi64 (v_LEFT: i32) = mm256_slli_epi64' v_LEFT
+
+assume
+val mm256_srai_epi16': v_SHIFT_BY: i32 -> vector: t_Vec256
+  -> Prims.Pure t_Vec256
+      (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)
+      (ensures
+        fun result ->
+          let result:t_Vec256 = result in
+          vec256_as_i16x16 result ==
+          Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec256_as_i16x16 vector))
+
+let mm256_srai_epi16 (v_SHIFT_BY: i32) = mm256_srai_epi16' v_SHIFT_BY
+
+assume
+val mm256_srai_epi32': v_SHIFT_BY: i32 -> vector: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_srai_epi32 (v_SHIFT_BY: i32) = mm256_srai_epi32' v_SHIFT_BY
+
+assume
+val mm256_srli_epi32': v_SHIFT_BY: i32 -> vector: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_srli_epi32 (v_SHIFT_BY: i32) = mm256_srli_epi32' v_SHIFT_BY
+
+assume
+val mm256_srlv_epi32': vector: t_Vec256 -> counts: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_srlv_epi32 = mm256_srlv_epi32'
+
+assume
+val mm256_srlv_epi64': vector: t_Vec256 -> counts: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_srlv_epi64 = mm256_srlv_epi64'
+
+assume
+val mm256_storeu_si256_i16': output: t_Slice i16 -> vector: t_Vec256
+  -> Prims.Pure (t_Slice i16)
+      Prims.l_True
+      (ensures
+        fun output_future ->
+          let output_future:t_Slice i16 = output_future in
+          (Core.Slice.impl__len #i16 output_future <: usize) =.
+          (Core.Slice.impl__len #i16 output <: usize))
+
+let mm256_storeu_si256_i16 = mm256_storeu_si256_i16'
+
+assume
+val mm256_storeu_si256_i32': output: t_Slice i32 -> vector: t_Vec256
+  -> Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_storeu_si256_i32 = mm256_storeu_si256_i32'
+
+assume
+val mm256_storeu_si256_u8': output: t_Slice u8 -> vector: t_Vec256
+  -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_storeu_si256_u8 = mm256_storeu_si256_u8'
+
+assume
+val mm256_sub_epi16': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec256 = result in
+          vec256_as_i16x16 result ==
+          Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
+
+let mm256_sub_epi16 = mm256_sub_epi16'
+
+assume
+val mm256_sub_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_sub_epi32 = mm256_sub_epi32'
+
+assume
+val mm256_testz_si256': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_testz_si256 = mm256_testz_si256'
+
+assume
+val mm256_unpackhi_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_unpackhi_epi32 = mm256_unpackhi_epi32'
+
+assume
+val mm256_unpackhi_epi64': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_unpackhi_epi64 = mm256_unpackhi_epi64'
+
+assume
+val mm256_unpacklo_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_unpacklo_epi32 = mm256_unpacklo_epi32'
+
+assume
+val mm256_unpacklo_epi64': a: t_Vec256 -> b: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_unpacklo_epi64 = mm256_unpacklo_epi64'
+
+assume
+val mm256_xor_si256': lhs: t_Vec256 -> rhs: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_xor_si256 = mm256_xor_si256'
+
+assume
+val mm_add_epi16': lhs: t_Vec128 -> rhs: t_Vec128
+  -> Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result ==
+          Spec.Utils.map2 ( +. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+
+let mm_add_epi16 = mm_add_epi16'
+
+assume
+val mm_mulhi_epi16': lhs: t_Vec128 -> rhs: t_Vec128
+  -> Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result ==
+          Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+            (vec128_as_i16x8 lhs)
+            (vec128_as_i16x8 rhs))
+
+let mm_mulhi_epi16 = mm_mulhi_epi16'
+
+assume
+val mm_mullo_epi16': lhs: t_Vec128 -> rhs: t_Vec128
+  -> Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result ==
+          Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+
+let mm_mullo_epi16 = mm_mullo_epi16'
+
+assume
+val mm_set1_epi16': constant: i16
+  -> Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant)
+
+let mm_set1_epi16 = mm_set1_epi16'
+
+assume
+val mm_set_epi32': input3: i32 -> input2: i32 -> input1: i32 -> input0: i32
+  -> Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm_set_epi32 = mm_set_epi32'
+
+assume
+val mm_sllv_epi32': vector: t_Vec128 -> counts: t_Vec128
+  -> Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm_sllv_epi32 = mm_sllv_epi32'
+
+assume
+val mm_srli_epi64': v_SHIFT_BY: i32 -> vector: t_Vec128
+  -> Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm_srli_epi64 (v_SHIFT_BY: i32) = mm_srli_epi64' v_SHIFT_BY
+
+assume
+val mm_storeu_si128': output: t_Slice i16 -> vector: t_Vec128
+  -> Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
+
+let mm_storeu_si128 = mm_storeu_si128'
+
+assume
+val mm_storeu_si128_i32': output: t_Slice i32 -> vector: t_Vec128
+  -> Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
+
+let mm_storeu_si128_i32 = mm_storeu_si128_i32'
+
+assume
+val mm_sub_epi16': lhs: t_Vec128 -> rhs: t_Vec128
+  -> Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result ==
+          Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+
+let mm_sub_epi16 = mm_sub_epi16'
+
+assume
+val vec256_blendv_epi32': a: t_Vec256 -> b: t_Vec256 -> mask: t_Vec256
+  -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let vec256_blendv_epi32 = vec256_blendv_epi32'
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti
index 8e2571881..4b6ebb714 100644
--- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti
@@ -3,205 +3,311 @@ module Libcrux_intrinsics.Avx2_extract
 open Core
 open FStar.Mul
 
-val mm256_abs_epi32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_add_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_add_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+unfold type t_Vec128 = bit_vec 128
+val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8)
+let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i
 
-val mm256_add_epi64 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_3:Core.Clone.t_Clone t_Vec128
 
-val mm256_and_si256 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2:Core.Marker.t_Copy t_Vec128
 
-val mm256_andnot_si256 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+unfold type t_Vec256 = bit_vec 256
+val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16)
+let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i
 
-val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_Vec256
 
-val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_Vec256
 
-val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_abs_epi32 (a: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_castsi128_si256 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_add_epi16 (lhs rhs: t_Vec256)
+    : Prims.Pure t_Vec256
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec256 = result in
+          vec256_as_i16x16 result ==
+          Spec.Utils.map2 ( +. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
 
-val mm256_castsi256_ps (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_castsi256_si128 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_add_epi64 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_cmpeq_epi32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_cmpgt_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_cmpgt_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_cvtepi16_epi32 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_extracti128_si256 (v_CONTROL: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_castsi128_si256 (vector: t_Vec128)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_inserti128_si256 (v_CONTROL: i32) (vector vector_i128: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_castsi256_ps (a: t_Vec256) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_loadu_si256_i16 (input: t_Slice i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_cmpeq_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_loadu_si256_i32 (input: t_Slice i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_cmpgt_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_loadu_si256_u8 (input: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_cmpgt_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_madd_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_cvtepi16_epi32 (vector: t_Vec128)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_Vec128)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_mul_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_loadu_si256_i16 (input: t_Slice i16)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_mul_epu32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_loadu_si256_i32 (input: t_Slice i32)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_mulhi_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_loadu_si256_u8 (input: t_Slice u8)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_mullo_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_mul_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_mullo_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_or_si256 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_mulhi_epi16 (lhs rhs: t_Vec256)
+    : Prims.Pure t_Vec256
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec256 = result in
+          vec256_as_i16x16 result ==
+          Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+            (vec256_as_i16x16 lhs)
+            (vec256_as_i16x16 rhs))
 
-val mm256_packs_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_permute2x128_si256 (v_IMM8: i32) (a b: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_or_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_packs_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_permutevar8x32_epi32 (vector control: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_set1_epi16 (constant: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_set1_epi32 (constant: i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_permutevar8x32_epi32}
 
-val mm256_set1_epi64x (a: i64) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_set1_epi32 (constant: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_set_epi16
-      (input15 input14 input13 input12 input11 input10 input9 input8 input7 input6 input5 input4 input3 input2 input1 input0:
-          i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_set_epi32 (input7 input6 input5 input4 input3 input2 input1 input0: i32)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_set_epi32}
 
 val mm256_set_epi64x (input3 input2 input1 input0: i64)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_set_epi8
-      (byte31 byte30 byte29 byte28 byte27 byte26 byte25 byte24 byte23 byte22 byte21 byte20 byte19 byte18 byte17 byte16 byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0:
-          i8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_set_m128i (hi lo: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_set_epi8}
 
-val mm256_setzero_si256: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_set_m128i (hi lo: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_shuffle_epi8 (vector control: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_sign_epi32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_shuffle_epi8}
 
-val mm256_slli_epi16 (v_SHIFT_BY: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_sign_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_slli_epi64 (v_LEFT: i32) (x: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_slli_epi64 (v_LEFT: i32) (x: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_sllv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_sllv_epi32}
 
-val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256)
+    : Prims.Pure t_Vec256
+      (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)
+      (ensures
+        fun result ->
+          let result:t_Vec256 = result in
+          vec256_as_i16x16 result ==
+          Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec256_as_i16x16 vector))
 
-val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_srli_epi16 (v_SHIFT_BY: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_srlv_epi32 (vector counts: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_srli_epi64 (v_SHIFT_BY: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_srlv_epi64 (vector counts: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_srlv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256)
+    : Prims.Pure (t_Slice i16)
+      Prims.l_True
+      (ensures
+        fun output_future ->
+          let output_future:t_Slice i16 = output_future in
+          (Core.Slice.impl__len #i16 output_future <: usize) =.
+          (Core.Slice.impl__len #i16 output <: usize))
 
-val mm256_srlv_epi64 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: u8)
-    : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: u8)
+val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: t_Vec256)
     : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: u8)
+val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: t_Vec256)
     : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_sub_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_sub_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_sub_epi16 (lhs rhs: t_Vec256)
+    : Prims.Pure t_Vec256
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec256 = result in
+          vec256_as_i16x16 result ==
+          Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
+
+val mm256_sub_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_testz_si256 (lhs rhs: t_Vec256) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_unpackhi_epi32 (lhs rhs: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_unpackhi_epi64 (lhs rhs: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_unpacklo_epi32 (lhs rhs: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_unpacklo_epi64 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_xor_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm_add_epi16 (lhs rhs: t_Vec128)
+    : Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result ==
+          Spec.Utils.map2 ( +. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+
+include BitVec.Intrinsics {mm_loadu_si128}
+
+val mm_mulhi_epi16 (lhs rhs: t_Vec128)
+    : Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result ==
+          Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+            (vec128_as_i16x8 lhs)
+            (vec128_as_i16x8 rhs))
+
+val mm_mullo_epi16 (lhs rhs: t_Vec128)
+    : Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result ==
+          Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+
+val mm_set1_epi16 (constant: i16)
+    : Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant)
 
-val mm256_testz_si256 (lhs rhs: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_unpackhi_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm_set_epi32 (input3 input2 input1 input0: i32)
+    : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_unpackhi_epi64 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm_set_epi8}
 
-val mm256_unpacklo_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm_shuffle_epi8}
 
-val mm256_unpacklo_epi64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm_sllv_epi32 (vector counts: t_Vec128)
+    : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm256_xor_si256 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: t_Vec128)
+    : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm_add_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm_storeu_bytes_si128}
 
-val mm_loadu_si128 (input: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm_storeu_si128 (output: t_Slice i16) (vector: t_Vec128)
+    : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
 
-val mm_movemask_epi8 (vector: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+val mm_storeu_si128_i32 (output: t_Slice i32) (vector: t_Vec128)
+    : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
 
-val mm_mulhi_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm_sub_epi16 (lhs rhs: t_Vec128)
+    : Prims.Pure t_Vec128
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Vec128 = result in
+          vec128_as_i16x8 result ==
+          Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
 
-val mm_mullo_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val vec256_blendv_epi32 (a b mask: t_Vec256)
+    : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val mm_packs_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256}
+val lemma_mm256_and_si256 lhs rhs
+  : Lemma (   vec256_as_i16x16 (mm256_and_si256 lhs rhs)
+           == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)
+          )
+          [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))]
 
-val mm_set1_epi16 (constant: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_castsi256_si128 as mm256_castsi256_si128}
 
-val mm_set_epi32 (input3 input2 input1 input0: i32)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_extracti128_si256 as mm256_extracti128_si256}
 
-val mm_set_epi8
-      (byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0:
-          u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_madd_epi16 as mm256_madd_epi16}
 
-val mm_shuffle_epi8 (vector control: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_mullo_epi16 as mm256_mullo_epi16}
+let lemma_mm256_mullo_epi16 v1 v2 :
+   Lemma (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2) == 
+       Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2))
+       [SMTPat (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2))] = admit()
 
-val mm_sllv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16}
+val lemma_mm256_set1_epi16 constant
+  : Lemma (   vec256_as_i16x16 (mm256_set1_epi16 constant)
+           == Spec.Utils.create (sz 16) constant
+          )
+          [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))]
 
-val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16}
+let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 :
+    Lemma (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == 
+            Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15)
+            [SMTPat (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit()
 
-val mm_storeu_bytes_si128 (output: t_Slice u8) (vector: u8)
-    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16}
 
-val mm_storeu_si128 (output: t_Slice i16) (vector: u8)
-    : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16}
 
-val mm_storeu_si128_i32 (output: t_Slice i32) (vector: u8)
-    : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_srli_epi64 as mm256_srli_epi64}
 
-val mm_sub_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8}
 
-val vec256_blendv_epi32 (a b mask: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16}
diff --git a/libcrux-intrinsics/src/arm64_extract.rs b/libcrux-intrinsics/src/arm64_extract.rs
index e43abc8f4..9f651b6c0 100644
--- a/libcrux-intrinsics/src/arm64_extract.rs
+++ b/libcrux-intrinsics/src/arm64_extract.rs
@@ -3,14 +3,23 @@
 
 #![allow(non_camel_case_types, unsafe_code, unused_variables)]
 
+#[hax_lib::opaque]
 pub type _uint16x4_t = u8;
+#[hax_lib::opaque]
 pub type _int16x4_t = u8;
+#[hax_lib::opaque]
 pub type _int16x8_t = u8;
+#[hax_lib::opaque]
 pub type _uint8x16_t = u8;
+#[hax_lib::opaque]
 pub type _uint16x8_t = u8;
+#[hax_lib::opaque]
 pub type _uint32x4_t = u8;
+#[hax_lib::opaque]
 pub type _int32x4_t = u8;
+#[hax_lib::opaque]
 pub type _uint64x2_t = u8;
+#[hax_lib::opaque]
 pub type _int64x2_t = u8;
 
 #[inline(always)]
diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs
index 8afb4ab49..7954efeb1 100644
--- a/libcrux-intrinsics/src/avx2_extract.rs
+++ b/libcrux-intrinsics/src/avx2_extract.rs
@@ -3,62 +3,111 @@
 
 #![allow(unused_variables, non_camel_case_types)]
 
+#[cfg(hax)]
+#[derive(Clone, Copy)]
+#[hax_lib::fstar::replace(
+    interface,
+    r#"
+unfold type $:{Vec256} = bit_vec 256
+val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16)
+let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i
+"#
+)]
+pub struct Vec256(u8);
+
+#[cfg(hax)]
+#[derive(Copy, Clone)]
+#[hax_lib::fstar::replace(
+    interface,
+    r#"
+unfold type $:{Vec128} = bit_vec 128
+val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8)
+let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i
+"#
+)]
+pub struct Vec128(u8);
+
+#[cfg(not(hax))]
 pub type Vec256 = u8;
+#[cfg(not(hax))]
 pub type Vec128 = u8;
 pub type Vec256Float = u8;
 
+#[inline(always)]
 pub fn mm256_storeu_si256_u8(output: &mut [u8], vector: Vec256) {
     debug_assert_eq!(output.len(), 32);
     unimplemented!()
 }
+
+#[hax_lib::ensures(|()| future(output).len() == output.len())]
+#[inline(always)]
 pub fn mm256_storeu_si256_i16(output: &mut [i16], vector: Vec256) {
     debug_assert_eq!(output.len(), 16);
     unimplemented!()
 }
+
+#[inline(always)]
 pub fn mm256_storeu_si256_i32(output: &mut [i32], vector: Vec256) {
     debug_assert_eq!(output.len(), 8);
     unimplemented!()
 }
 
+#[inline(always)]
 pub fn mm_storeu_si128(output: &mut [i16], vector: Vec128) {
     debug_assert!(output.len() >= 8);
     unimplemented!()
 }
+
+#[inline(always)]
 pub fn mm_storeu_si128_i32(output: &mut [i32], vector: Vec128) {
     debug_assert_eq!(output.len(), 4);
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_storeu_bytes_si128}")]
+#[inline(always)]
 pub fn mm_storeu_bytes_si128(output: &mut [u8], vector: Vec128) {
     debug_assert_eq!(output.len(), 16);
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_loadu_si128}")]
+#[inline(always)]
 pub fn mm_loadu_si128(input: &[u8]) -> Vec128 {
     debug_assert_eq!(input.len(), 16);
     unimplemented!()
 }
 
+#[inline(always)]
 pub fn mm256_loadu_si256_u8(input: &[u8]) -> Vec256 {
     debug_assert_eq!(input.len(), 32);
     unimplemented!()
 }
+
+#[inline(always)]
 pub fn mm256_loadu_si256_i16(input: &[i16]) -> Vec256 {
     debug_assert_eq!(input.len(), 16);
     unimplemented!()
 }
+
+#[inline(always)]
 pub fn mm256_loadu_si256_i32(input: &[i32]) -> Vec256 {
     debug_assert_eq!(input.len(), 8);
     unimplemented!()
 }
 
+#[inline(always)]
 pub fn mm256_setzero_si256() -> Vec256 {
     unimplemented!()
 }
+
+#[inline(always)]
 pub fn mm256_set_m128i(hi: Vec128, lo: Vec128) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_set_epi8}")]
+#[inline(always)]
 pub fn mm_set_epi8(
     byte15: u8,
     byte14: u8,
@@ -80,6 +129,8 @@ pub fn mm_set_epi8(
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi8}")]
+#[inline(always)]
 pub fn mm256_set_epi8(
     byte31: i8,
     byte30: i8,
@@ -117,9 +168,34 @@ pub fn mm256_set_epi8(
     unimplemented!()
 }
 
+#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == 
+                                    Spec.Utils.create (sz 16) $constant"))]
+#[hax_lib::fstar::replace(
+    interface,
+    r#"
+include BitVec.Intrinsics {mm256_set1_epi16 as ${mm256_set1_epi16}}
+val lemma_mm256_set1_epi16 constant
+  : Lemma (   vec256_as_i16x16 (mm256_set1_epi16 constant)
+           == Spec.Utils.create (sz 16) constant
+          )
+          [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))]
+"#
+)]
+#[inline(always)]
 pub fn mm256_set1_epi16(constant: i16) -> Vec256 {
     unimplemented!()
 }
+
+#[hax_lib::fstar::replace(
+    interface,
+    r#"
+include BitVec.Intrinsics {mm256_set_epi16 as ${mm256_set_epi16}}
+let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 :
+    Lemma (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == 
+            Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15)
+            [SMTPat (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit()
+"#
+)]
 pub fn mm256_set_epi16(
     input15: i16,
     input14: i16,
@@ -141,6 +217,8 @@ pub fn mm256_set_epi16(
     unimplemented!()
 }
 
+#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == 
+                                    Spec.Utils.create (sz 8) $constant"))]
 #[inline(always)]
 pub fn mm_set1_epi16(constant: i16) -> Vec128 {
     unimplemented!()
@@ -155,6 +233,8 @@ pub fn mm256_set1_epi32(constant: i32) -> Vec256 {
 pub fn mm_set_epi32(input3: i32, input2: i32, input1: i32, input0: i32) -> Vec128 {
     unimplemented!()
 }
+
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi32}")]
 #[inline(always)]
 pub fn mm256_set_epi32(
     input7: i32,
@@ -169,14 +249,31 @@ pub fn mm256_set_epi32(
     unimplemented!()
 }
 
+#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == 
+            Spec.Utils.map2 (+.) (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))]
 #[inline(always)]
 pub fn mm_add_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 {
     unimplemented!()
 }
+
+#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == 
+            Spec.Utils.map2 (-.) (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))]
+#[inline(always)]
+pub fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 {
+    unimplemented!()
+}
+
+#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == 
+            Spec.Utils.map2 (+.) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))]
 #[inline(always)]
 pub fn mm256_add_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
+
+#[hax_lib::fstar::replace(
+    interface,
+    "include BitVec.Intrinsics {mm256_madd_epi16 as ${mm256_madd_epi16}}"
+)]
 #[inline(always)]
 pub fn mm256_madd_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
@@ -186,6 +283,12 @@ pub fn mm256_add_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == 
+            Spec.Utils.map2 (-.) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))]
+pub fn mm256_sub_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 {
+    unimplemented!()
+}
+
 #[inline(always)]
 pub fn mm256_add_epi64(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
@@ -196,21 +299,26 @@ pub fn mm256_abs_epi32(a: Vec256) -> Vec256 {
     unimplemented!()
 }
 
-pub fn mm256_sub_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 {
-    unimplemented!()
-}
 pub fn mm256_sub_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
 
-pub fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 {
-    unimplemented!()
-}
-
+#[hax_lib::fstar::replace(
+    interface,
+    r#"
+include BitVec.Intrinsics {mm256_mullo_epi16 as ${mm256_mullo_epi16}}
+let lemma_mm256_mullo_epi16 v1 v2 :
+   Lemma (vec256_as_i16x16 (${mm256_mullo_epi16} v1 v2) == 
+       Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2))
+       [SMTPat (vec256_as_i16x16 (${mm256_mullo_epi16} v1 v2))] = admit()
+"#
+)]
 pub fn mm256_mullo_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == 
+            Spec.Utils.map2 mul_mod (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))]
 pub fn mm_mullo_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 {
     unimplemented!()
 }
@@ -243,6 +351,9 @@ pub fn mm256_movemask_ps(a: Vec256Float) -> i32 {
     unimplemented!()
 }
 
+#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == 
+            Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) 
+                (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))]
 pub fn mm_mulhi_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 {
     unimplemented!()
 }
@@ -251,6 +362,8 @@ pub fn mm256_mullo_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == 
+            Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))]
 pub fn mm256_mulhi_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
@@ -264,6 +377,17 @@ pub fn mm256_mul_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(
+    interface,
+    r#"
+include BitVec.Intrinsics {mm256_and_si256 as ${mm256_and_si256}}
+val lemma_mm256_and_si256 lhs rhs
+  : Lemma (   vec256_as_i16x16 (mm256_and_si256 lhs rhs)
+           == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)
+          )
+          [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))]
+"#
+)]
 #[inline(always)]
 pub fn mm256_and_si256(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
@@ -282,6 +406,9 @@ pub fn mm256_xor_si256(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
+#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == 
+            Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (vec256_as_i16x16 $vector)"))]
 pub fn mm256_srai_epi16<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
     debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16);
     unimplemented!()
@@ -291,6 +418,10 @@ pub fn mm256_srai_epi32<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(
+    interface,
+    "include BitVec.Intrinsics {mm256_srli_epi16 as ${mm256_srli_epi16::<0>}}"
+)]
 pub fn mm256_srli_epi16<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
     debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16);
     unimplemented!()
@@ -304,11 +435,20 @@ pub fn mm_srli_epi64<const SHIFT_BY: i32>(vector: Vec128) -> Vec128 {
     debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64);
     unimplemented!()
 }
+
+#[hax_lib::fstar::replace(
+    interface,
+    "include BitVec.Intrinsics {mm256_srli_epi64 as ${mm256_srli_epi64::<0>}}"
+)]
 pub fn mm256_srli_epi64<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
     debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64);
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(
+    interface,
+    "include BitVec.Intrinsics {mm256_slli_epi16 as ${mm256_slli_epi16::<0>}}"
+)]
 pub fn mm256_slli_epi16<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
     debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16);
     unimplemented!()
@@ -319,9 +459,11 @@ pub fn mm256_slli_epi32<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_shuffle_epi8}")]
 pub fn mm_shuffle_epi8(vector: Vec128, control: Vec128) -> Vec128 {
     unimplemented!()
 }
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_shuffle_epi8}")]
 pub fn mm256_shuffle_epi8(vector: Vec256, control: Vec256) -> Vec256 {
     unimplemented!()
 }
@@ -347,6 +489,10 @@ pub fn mm256_unpackhi_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(
+    interface,
+    "include BitVec.Intrinsics {mm256_castsi256_si128 as ${mm256_castsi256_si128}}"
+)]
 pub fn mm256_castsi256_si128(vector: Vec256) -> Vec128 {
     unimplemented!()
 }
@@ -358,6 +504,10 @@ pub fn mm256_cvtepi16_epi32(vector: Vec128) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(
+    interface,
+    "include BitVec.Intrinsics {mm_packs_epi16 as ${mm_packs_epi16}}"
+)]
 pub fn mm_packs_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 {
     unimplemented!()
 }
@@ -365,6 +515,10 @@ pub fn mm256_packs_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(
+    interface,
+    "include BitVec.Intrinsics {mm256_extracti128_si256 as ${mm256_extracti128_si256::<0>}}"
+)]
 pub fn mm256_extracti128_si256<const CONTROL: i32>(vector: Vec256) -> Vec128 {
     debug_assert!(CONTROL == 0 || CONTROL == 1);
     unimplemented!()
@@ -394,11 +548,16 @@ pub fn vec256_blendv_epi32(a: Vec256, b: Vec256, mask: Vec256) -> Vec256 {
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(
+    interface,
+    "include BitVec.Intrinsics {mm_movemask_epi8 as ${mm_movemask_epi8}}"
+)]
 #[inline(always)]
 pub fn mm_movemask_epi8(vector: Vec128) -> i32 {
     unimplemented!()
 }
 
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_permutevar8x32_epi32}")]
 #[inline(always)]
 pub fn mm256_permutevar8x32_epi32(vector: Vec256, control: Vec256) -> Vec256 {
     unimplemented!()
@@ -408,6 +567,7 @@ pub fn mm256_permutevar8x32_epi32(vector: Vec256, control: Vec256) -> Vec256 {
 pub fn mm256_srlv_epi32(vector: Vec256, counts: Vec256) -> Vec256 {
     unimplemented!()
 }
+
 #[inline(always)]
 pub fn mm256_srlv_epi64(vector: Vec256, counts: Vec256) -> Vec256 {
     unimplemented!()
@@ -416,6 +576,9 @@ pub fn mm256_srlv_epi64(vector: Vec256, counts: Vec256) -> Vec256 {
 pub fn mm_sllv_epi32(vector: Vec128, counts: Vec128) -> Vec128 {
     unimplemented!()
 }
+
+#[inline(always)]
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_sllv_epi32}")]
 pub fn mm256_sllv_epi32(vector: Vec256, counts: Vec256) -> Vec256 {
     unimplemented!()
 }
diff --git a/libcrux-kem/Cargo.toml b/libcrux-kem/Cargo.toml
index 8e8cdfaa6..f8e5ca399 100644
--- a/libcrux-kem/Cargo.toml
+++ b/libcrux-kem/Cargo.toml
@@ -20,9 +20,9 @@ libcrux-ecdh = { version = "=0.0.2-beta.2", path = "../libcrux-ecdh" }
 rand = { version = "0.8" }
 
 [features]
-tests = []                                             # Expose functions for testing.
+tests = []                       # Expose functions for testing.
 kyber = ["libcrux-ml-kem/kyber"]
-pre-verification = ["libcrux-ml-kem/pre-verification"]
+pre-verification = []
 
 [dev-dependencies]
 libcrux-kem = { path = "./", features = ["tests"] }
diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml
index e58fef695..03104549f 100644
--- a/libcrux-ml-dsa/Cargo.toml
+++ b/libcrux-ml-dsa/Cargo.toml
@@ -19,8 +19,6 @@ bench = false # so libtest doesn't eat the arguments to criterion
 libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" }
 libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" }
 libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" }
-
-[target.'cfg(hax)'.dependencies]
 hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }
 
 [dev-dependencies]
diff --git a/libcrux-ml-dsa/cg.yaml b/libcrux-ml-dsa/cg.yaml
index 76d5bf23d..5ea47625a 100644
--- a/libcrux-ml-dsa/cg.yaml
+++ b/libcrux-ml-dsa/cg.yaml
@@ -45,26 +45,6 @@ files:
       monomorphizations_using:
         - [libcrux_sha3, "*"]
 
-  # MLKEM: MISC NON-ARCHITECTURE SPECIFIC HEADERS
-  - name: libcrux_core
-    inline_static: true
-    private:
-      monomorphizations_of:
-        - [core, "*"]
-        - [libcrux_ml_dsa, types, "*"]
-        - [libcrux_ml_dsa, utils, "*" ]
-      monomorphizations_using:
-        - [Eurydice, "*" ]
-        - [libcrux_ml_dsa, types, "*"]
-      patterns:
-        - [core, "*"]
-        - [libcrux_ml_dsa, types, "*" ]
-        - [libcrux_ml_dsa, constants ]
-        - [libcrux_ml_dsa, utils, "*" ]
-        - [libcrux_ml_dsa, simd, traits ]
-    api:
-      - [Eurydice, "*"]
-
   # MLDSA-65
 
   - name: libcrux_mldsa65_avx2
@@ -73,11 +53,13 @@ files:
     include_in_h:
       - '"intrinsics/libcrux_intrinsics_avx2.h"'
     api:
-      patterns:  
+      patterns:
+        - [libcrux_ml_dsa, samplex4, avx2, "*"]
         - [libcrux_ml_dsa, simd, avx2, "*"]
         - [libcrux_ml_dsa, hash_functions, simd256, "*"]
         - [libcrux_ml_dsa, ml_dsa_65, avx2, "*"]
         - [libcrux_ml_dsa, ml_dsa_generic, instantiations, avx2, "*"]
+        # - [core, option, Option_c4]
         # - [libcrux_ml_dsa, polynomial, "*" ]
       monomorphizations_of:
         - [libcrux_ml_dsa, simd, avx2, "*"]
@@ -87,27 +69,60 @@ files:
       monomorphizations_using:
         - [libcrux_ml_dsa, simd, avx2, "*"]
         - [libcrux_ml_dsa, hash_functions, simd256, "*"]
+      # monomorphizations_exact:
+      #   - [core, option, Option_c4]
 
   - name: libcrux_mldsa65_portable
     inline_static: true
     api:
       patterns:
         - [libcrux_ml_dsa, "*"]
+        - [libcrux_ml_dsa, samplex4, portable, "*"]
         - [libcrux_ml_dsa, simd, "*"]
         - [libcrux_ml_dsa, hash_functions, portable, "*"]
         - [libcrux_ml_dsa, ml_dsa_65, portable, "*"]
         - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"]
+        # - [libcrux_ml_dsa, pre_hash, PreHashResult]
+        # - [core, option, Option_84]
       monomorphizations_of:
         - [libcrux_ml_dsa, polynomial, "*" ]
         - [libcrux_ml_dsa, simd, "*"]
         - [libcrux_ml_dsa, hash_functions, portable, "*"]
         - [libcrux_ml_dsa, ml_dsa_65, portable]
         - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"]
+        # - [libcrux_ml_dsa, pre_hash, PreHashResult]
+        # - [core, option, Option_84]
       monomorphizations_using:
         - [libcrux_ml_dsa, polynomial, "*" ]
         - [libcrux_ml_dsa, simd, "*"]
         - [libcrux_ml_dsa, hash_functions, portable, "*"]
         - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"]
+        # - [libcrux_ml_dsa, pre_hash, PreHashResult]
+      monomorphizations_exact:
+        - [libcrux_ml_dsa, pre_hash, PreHashResult]
+        - [core, result, Result_a8]
+        - [core, option, Option_84]
+
+
+  # MLKEM: MISC NON-ARCHITECTURE SPECIFIC HEADERS
+  - name: libcrux_core
+    inline_static: true
+    private:
+      monomorphizations_of:
+        - [core, "*"]
+        - [libcrux_ml_dsa, types, "*"]
+        - [libcrux_ml_dsa, utils, "*" ]
+      monomorphizations_using:
+        - [Eurydice, "*" ]
+        - [libcrux_ml_dsa, types, "*"]
+      patterns:
+        - [core, "*"]
+        - [libcrux_ml_dsa, types ]
+        - [libcrux_ml_dsa, constants ]
+        - [libcrux_ml_dsa, utils, "*" ]
+        # - [libcrux_ml_dsa, simd, traits ]
+    api:
+      - [Eurydice, "*"]
 
 naming:
   skip_prefix:
diff --git a/libcrux-ml-dsa/cg/.gitignore b/libcrux-ml-dsa/cg/.gitignore
new file mode 100644
index 000000000..567609b12
--- /dev/null
+++ b/libcrux-ml-dsa/cg/.gitignore
@@ -0,0 +1 @@
+build/
diff --git a/libcrux-ml-dsa/cg/CMakeLists.txt b/libcrux-ml-dsa/cg/CMakeLists.txt
new file mode 100644
index 000000000..ad60c81f9
--- /dev/null
+++ b/libcrux-ml-dsa/cg/CMakeLists.txt
@@ -0,0 +1,143 @@
+# cmake -B build -G "Ninja Multi-Config"
+# cmake --build build
+# # For release (benchmarks)
+# cmake --build build --config Release
+
+cmake_minimum_required(VERSION 3.10)
+
+project(libcrux-ml-dsa
+    VERSION 0.1.0
+    LANGUAGES C CXX
+)
+
+set(CMAKE_C_STANDARD 11)
+set(CMAKE_CXX_STANDARD 20)
+
+if(NOT MSVC)
+    add_compile_options(
+        -Wall
+        -fstack-usage
+        -Wunused-function
+        $<$<CONFIG:DEBUG>:-g>
+        $<$<CONFIG:DEBUG>:-Og>
+        $<$<CONFIG:RELEASE>:-g>
+        $<$<CONFIG:RELEASE>:-O3>
+    )
+endif(NOT MSVC)
+
+if((CMAKE_C_COMPILER_ID STREQUAL "Clang" AND
+    CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.0.0") OR
+    (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND
+    CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.1.6"))
+    # add_compile_options(-Werror -Wframe-larger-than=25344)
+endif()
+
+set(CMAKE_COLOR_DIAGNOSTICS "ON")
+set(CMAKE_EXPORT_COMPILE_COMMANDS 1)
+include_directories(
+    ${PROJECT_SOURCE_DIR}
+    ${PROJECT_SOURCE_DIR}/karamel
+)
+
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64")
+    message(STATUS "Detected an x64 architecture")
+    add_compile_definitions(LIBCRUX_X64)
+endif()
+
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|arm64|arm64v8" AND DEFINED ENV{LIBCRUX_NEON})
+    message(STATUS "Detected an arm64 architecture")
+    add_compile_definitions(LIBCRUX_AARCH64)
+endif()
+
+# --- Tests
+
+# Get gtests
+include(FetchContent)
+FetchContent_Declare(googletest
+    DOWNLOAD_EXTRACT_TIMESTAMP TRUE
+    URL https://github.com/google/googletest/archive/refs/tags/release-1.11.0.zip
+)
+
+# For Windows: Prevent overriding the parent project's compiler/linker settings
+set(gtest_force_shared_crt ON CACHE BOOL "" FORCE)
+FetchContent_MakeAvailable(googletest)
+
+# Get nlohmann json
+FetchContent_Declare(json
+    DOWNLOAD_EXTRACT_TIMESTAMP TRUE
+    URL https://github.com/nlohmann/json/archive/refs/tags/v3.10.3.zip
+)
+FetchContent_MakeAvailable(json)
+
+add_executable(ml_dsa_test
+    ${PROJECT_SOURCE_DIR}/tests/mldsa65.cc
+)
+target_link_libraries(ml_dsa_test PRIVATE
+    gtest_main
+    nlohmann_json::nlohmann_json
+)
+
+# add_executable(kyber_test
+#     ${PROJECT_SOURCE_DIR}/tests/kyber768.cc
+# )
+# target_link_libraries(kyber_test PRIVATE
+#     gtest_main
+#     nlohmann_json::nlohmann_json
+# )
+
+# add_executable(sha3_test
+#     ${PROJECT_SOURCE_DIR}/tests/sha3.cc
+# )
+# target_link_libraries(sha3_test PRIVATE
+#     gtest_main
+#     nlohmann_json::nlohmann_json
+# )
+
+# # --- Benchmarks
+# if(DEFINED ENV{LIBCRUX_BENCHMARKS})
+#     FetchContent_Declare(benchmark
+#         GIT_REPOSITORY https://github.com/google/benchmark.git
+#         GIT_TAG v1.8.4
+#     )
+#     FetchContent_MakeAvailable(benchmark)
+
+#     add_executable(ml_dsa_bench
+#         ${PROJECT_SOURCE_DIR}/benches/mldsa768.cc
+#     )
+#     target_link_libraries(ml_dsa_bench PRIVATE
+#         benchmark::benchmark
+#     )
+
+#     if(DEFINED ENV{SYMCRYPT_PATH})
+#         message("Symcrypt path: $ENV{SYMCRYPT_PATH}")
+#         add_compile_definitions(LIBCRUX_SYMCRYPT)
+#         target_include_directories(ml_dsa_bench PRIVATE $ENV{SYMCRYPT_PATH})
+#         target_link_directories(ml_dsa_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib)
+#         target_link_libraries(ml_dsa_bench PRIVATE symcrypt)
+#     endif(DEFINED ENV{SYMCRYPT_PATH})
+
+#     add_executable(ml_dsa_keygen
+#         ${PROJECT_SOURCE_DIR}/benches/mldsa768_keygen.cc
+#     )
+#     target_link_libraries(ml_dsa_keygen PRIVATE
+#         benchmark::benchmark
+#     )
+
+#     add_executable(ml_dsa_encaps
+#         ${PROJECT_SOURCE_DIR}/benches/mldsa768_encaps.cc
+#     )
+#     target_link_libraries(ml_dsa_encaps PRIVATE
+#         benchmark::benchmark
+#     )
+
+#     if(NOT MSVC)
+#         # We benchmark internal functions here that are inlined and thus not available
+#         # in MSVC.
+#         add_executable(sha3_bench
+#             ${PROJECT_SOURCE_DIR}/benches/sha3.cc
+#         )
+#         target_link_libraries(sha3_bench PRIVATE
+#             benchmark::benchmark
+#         )
+#     endif(NOT MSVC)
+# endif(DEFINED ENV{LIBCRUX_BENCHMARKS})
diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt
index 19672611e..cd71b6131 100644
--- a/libcrux-ml-dsa/cg/code_gen.txt
+++ b/libcrux-ml-dsa/cg/code_gen.txt
@@ -1,6 +1,6 @@
 This code was generated with the following revisions:
-Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
-Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
-Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
-F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
-Libcrux: ef3ee2539580595003c62a749034ae0c76d22a0d
+Charon: a68994d00017b76a805d0115ca06c1f2c1805e79
+Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5
+Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968
+F*: b0961063393215ca65927f017720cb365a193833-dirty
+Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3
diff --git a/libcrux-ml-dsa/cg/eurydice_glue.h b/libcrux-ml-dsa/cg/eurydice_glue.h
new file mode 100644
index 000000000..9bfd9f546
--- /dev/null
+++ b/libcrux-ml-dsa/cg/eurydice_glue.h
@@ -0,0 +1,189 @@
+/*
+ * SPDX-FileCopyrightText: 2024 Eurydice Contributors
+ * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
+ *
+ * SPDX-License-Identifier: MIT or Apache-2.0
+ */
+
+#pragma once
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "karamel/endianness.h"
+#include "karamel/target.h"
+
+// SLICES, ARRAYS, ETC.
+
+// The MSVC C++ compiler does not support compound literals.
+// This CLITERAL is used to turn `(type){...}` into `type{...}` when using a C++
+// compiler.
+#if defined(__cplusplus)
+#define CLITERAL(type) type
+#else
+#define CLITERAL(type) (type)
+#endif
+
+// We represent a slice as a pair of an (untyped) pointer, along with the length
+// of the slice, i.e. the number of elements in the slice (this is NOT the
+// number of bytes). This design choice has two important consequences.
+// - if you need to use `ptr`, you MUST cast it to a proper type *before*
+// performing pointer
+//   arithmetic on it (remember that C desugars pointer arithmetic based on the
+//   type of the address)
+// - if you need to use `len` for a C style function (e.g. memcpy, memcmp), you
+// need to multiply it
+//   by sizeof t, where t is the type of the elements.
+//
+// Empty slices have `len == 0` and `ptr` always needs to be valid pointer that
+// is not NULL (otherwise the construction in EURYDICE_SLICE computes `NULL +
+// start`).
+typedef struct {
+  void *ptr;
+  size_t len;
+} Eurydice_slice;
+
+// Helper macro to create a slice out of a pointer x, a start index in x
+// (included), and an end index in x (excluded). The argument x must be suitably
+// cast to something that can decay (see remark above about how pointer
+// arithmetic works in C), meaning either pointer or array type.
+#define EURYDICE_SLICE(x, start, end) \
+  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
+#define EURYDICE_SLICE_LEN(s, _) s.len
+// This macro is a pain because in case the dereferenced element type is an
+// array, you cannot simply write `t x` as it would yield `int[4] x` instead,
+// which is NOT correct C syntax, so we add a dedicated phase in Eurydice that
+// adds an extra argument to this macro at the last minute so that we have the
+// correct type of *pointers* to elements.
+#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
+#define Eurydice_slice_subslice(s, r, t, _) \
+  EURYDICE_SLICE((t *)s.ptr, r.start, r.end)
+// Variant for when the start and end indices are statically known (i.e., the
+// range argument `r` is a literal).
+#define Eurydice_slice_subslice2(s, start, end, t) \
+  EURYDICE_SLICE((t *)s.ptr, start, end)
+#define Eurydice_slice_subslice_to(s, subslice_end_pos, t, _) \
+  EURYDICE_SLICE((t *)s.ptr, 0, subslice_end_pos)
+#define Eurydice_slice_subslice_from(s, subslice_start_pos, t, _) \
+  EURYDICE_SLICE((t *)s.ptr, subslice_start_pos, s.len)
+#define Eurydice_array_to_slice(end, x, t) \
+  EURYDICE_SLICE(x, 0,                     \
+                 end) /* x is already at an array type, no need for cast */
+#define Eurydice_array_to_subslice(_arraylen, x, r, t, _) \
+  EURYDICE_SLICE((t *)x, r.start, r.end)
+// Same as above, variant for when start and end are statically known
+#define Eurydice_array_to_subslice2(x, start, end, t) \
+  EURYDICE_SLICE((t *)x, start, end)
+#define Eurydice_array_to_subslice_to(_size, x, r, t, _range_t) \
+  EURYDICE_SLICE((t *)x, 0, r)
+#define Eurydice_array_to_subslice_from(size, x, r, t, _range_t) \
+  EURYDICE_SLICE((t *)x, r, size)
+#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
+#define Eurydice_slice_copy(dst, src, t) \
+  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
+#define core_array___Array_T__N__23__as_slice(len_, ptr_, t, _ret_t) \
+  (CLITERAL(Eurydice_slice){.ptr = ptr_, .len = len_})
+
+#define core_array___core__clone__Clone_for__Array_T__N___20__clone( \
+    len, src, dst, elem_type, _ret_t)                                \
+  (memcpy(dst, src, len * sizeof(elem_type)))
+#define TryFromSliceError uint8_t
+
+#define Eurydice_array_eq(sz, a1, a2, t, _) \
+  (memcmp(a1, a2, sz * sizeof(t)) == 0)
+#define core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( \
+    sz, a1, a2, t, _, _ret_t)                                                           \
+  Eurydice_array_eq(sz, a1, a2, t, _)
+#define core_array_equality___core__cmp__PartialEq__0___Slice_U____for__Array_T__N___3__eq( \
+    sz, a1, a2, t, _, _ret_t)                                                               \
+  Eurydice_array_eq(sz, a1, ((a2)->ptr), t, _)
+
+#define Eurydice_slice_split_at(slice, mid, element_type, ret_t) \
+  (CLITERAL(ret_t){                                              \
+      .fst = EURYDICE_SLICE((element_type *)slice.ptr, 0, mid),  \
+      .snd = EURYDICE_SLICE((element_type *)slice.ptr, mid, slice.len)})
+#define Eurydice_slice_split_at_mut(slice, mid, element_type, ret_t) \
+  (CLITERAL(ret_t){                                                  \
+      .fst = {.ptr = slice.ptr, .len = mid},                         \
+      .snd = {.ptr = (char *)slice.ptr + mid * sizeof(element_type), \
+              .len = slice.len - mid}})
+
+// Conversion of slice to an array, rewritten (by Eurydice) to name the
+// destination array, since arrays are not values in C.
+// N.B.: see note in karamel/lib/Inlining.ml if you change this.
+#define Eurydice_slice_to_array2(dst, src, _, t_arr)                      \
+  Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \
+                           sizeof(t_arr))
+
+static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
+                                            Eurydice_slice src, size_t sz) {
+  *dst_tag = 0;
+  memcpy(dst_ok, src.ptr, sz);
+}
+
+// CORE STUFF (conversions, endianness, ...)
+
+static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
+  store64_le(buf, v);
+}
+static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
+  return load64_le(buf);
+}
+
+static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
+  return load32_le(buf);
+}
+
+static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
+#ifdef _MSC_VER
+  return __popcnt(x0);
+#else
+  return __builtin_popcount(x0);
+#endif
+}
+
+// unsigned overflow wraparound semantics in C
+static inline uint16_t core_num__u16_7__wrapping_add(uint16_t x, uint16_t y) {
+  return x + y;
+}
+static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x, uint8_t y) {
+  return x - y;
+}
+
+#define core_option__core__option__Option_T__TraitClause_0___is_some(o, _t,  \
+                                                                     _ret_t) \
+  (o)->tag
+
+static inline uint8_t Eurydice_bitand_pv_u8(uint8_t *p, uint8_t v) {
+  return (*p) & v;
+}
+
+static inline uint8_t Eurydice_shr_pv_u8(uint8_t *p, int32_t v) {
+  return (*p) >> v;
+}
+
+// ITERATORS
+
+#define Eurydice_range_iter_next(iter_ptr, t, ret_t) \
+  (((iter_ptr)->start >= (iter_ptr)->end)            \
+       ? (CLITERAL(ret_t){.tag = None, .f0 = 0})     \
+       : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
+
+#define core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next \
+  Eurydice_range_iter_next
+
+// See note in karamel/lib/Inlining.ml if you change this
+#define Eurydice_into_iter(x, t, _ret_t) (x)
+#define core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter \
+  Eurydice_into_iter
+
+#if defined(__cplusplus)
+}
+#endif
diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt
index cd14c7d06..c0b53bd40 100644
--- a/libcrux-ml-dsa/cg/header.txt
+++ b/libcrux-ml-dsa/cg/header.txt
@@ -4,9 +4,9 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
- * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: ef3ee2539580595003c62a749034ae0c76d22a0d
+ * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79
+ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5
+ * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968
+ * F*: b0961063393215ca65927f017720cb365a193833-dirty
+ * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3
  */
diff --git a/libcrux-ml-dsa/cg/intrinsics/libcrux_intrinsics_avx2.h b/libcrux-ml-dsa/cg/intrinsics/libcrux_intrinsics_avx2.h
new file mode 100644
index 000000000..b51a17c1d
--- /dev/null
+++ b/libcrux-ml-dsa/cg/intrinsics/libcrux_intrinsics_avx2.h
@@ -0,0 +1,216 @@
+/*
+ * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef __libcrux_intrinsics_avx2_H
+#define __libcrux_intrinsics_avx2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include "../eurydice_glue.h"
+#include "immintrin.h"
+
+typedef __m128i core_core_arch_x86___m128i;
+typedef __m256i core_core_arch_x86___m256i;
+
+// Cast and Convert
+
+#define libcrux_intrinsics_avx2_mm256_castsi256_si128(a) \
+  (_mm256_castsi256_si128(a))
+
+#define libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(a) \
+  (_mm256_cvtepi16_epi32(a))
+
+#define libcrux_intrinsics_avx2_mm256_castsi128_si256(a) \
+  (_mm256_castsi128_si256(a))
+
+// Initialize, Load, Store
+
+#define libcrux_intrinsics_avx2_mm256_setzero_si256(void) \
+  (_mm256_setzero_si256())
+
+#define libcrux_intrinsics_avx2_mm256_set1_epi16(a) (_mm256_set1_epi16(a))
+
+#define libcrux_intrinsics_avx2_mm256_set1_epi32(a) (_mm256_set1_epi32(a))
+
+#define libcrux_intrinsics_avx2_mm256_set1_epi64x(a) (_mm256_set1_epi64x(a))
+
+#define libcrux_intrinsics_avx2_mm_set1_epi16(a) (_mm_set1_epi16(a))
+
+#define libcrux_intrinsics_avx2_mm256_set_epi16(                           \
+    x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15)  \
+  (_mm256_set_epi16(x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, \
+                    x13, x14, x15))
+
+#define libcrux_intrinsics_avx2_mm256_set_epi8(                                \
+    x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, \
+    x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x30, x31) \
+  (_mm256_set_epi8(x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, \
+                   x14, x15, x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, \
+                   x26, x27, x28, x29, x30, x31))
+
+#define libcrux_intrinsics_avx2_mm_set_epi8(                                \
+    x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15)   \
+  (_mm_set_epi8(x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, \
+                x14, x15))
+
+#define libcrux_intrinsics_avx2_mm256_set_epi32(x0, x1, x2, x3, x4, x5, x6, \
+                                                x7)                         \
+  (_mm256_set_epi32(x0, x1, x2, x3, x4, x5, x6, x7))
+
+#define libcrux_intrinsics_avx2_mm256_loadu_si256_i16(a) \
+  (_mm256_loadu_si256((const __m256i *)a.ptr))
+
+#define libcrux_intrinsics_avx2_mm256_loadu_si256_u8(a) \
+  (_mm256_loadu_si256((const __m256i *)a.ptr))
+
+#define libcrux_intrinsics_avx2_mm_loadu_si128(a) \
+  (_mm_loadu_si128((const __m128i *)a.ptr))
+
+#define libcrux_intrinsics_avx2_mm_storeu_bytes_si128(a, b) \
+  (_mm_storeu_si128((__m128i *)a.ptr, b))
+
+#define libcrux_intrinsics_avx2_mm256_storeu_si256_i16(a, b) \
+  (_mm256_storeu_si256((__m256i *)a.ptr, b))
+
+#define libcrux_intrinsics_avx2_mm256_storeu_si256_u8(a, b) \
+  (_mm256_storeu_si256((__m256i *)a.ptr, b))
+
+#define libcrux_intrinsics_avx2_mm_storeu_si128(a, b) \
+  (_mm_storeu_si128((__m128i *)a.ptr, b))
+
+// Arithmetic: Add, Sub
+
+#define libcrux_intrinsics_avx2_mm256_add_epi16(a, b) (_mm256_add_epi16(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_add_epi32(a, b) (_mm256_add_epi32(a, b))
+
+#define libcrux_intrinsics_avx2_mm_add_epi16(a, b) (_mm_add_epi16(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_sub_epi16(a, b) (_mm256_sub_epi16(a, b))
+
+#define libcrux_intrinsics_avx2_mm_sub_epi16(a, b) (_mm_sub_epi16(a, b))
+
+// Arithmetic: Mul low and high, Mul-Add combinations
+
+#define libcrux_intrinsics_avx2_mm256_mullo_epi16(a, b) \
+  (_mm256_mullo_epi16(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_mulhi_epi16(a, b) \
+  (_mm256_mulhi_epi16(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_mul_epu32(a, b) (_mm256_mul_epu32(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_mullo_epi32(a, b) \
+  (_mm256_mullo_epi32(a, b))
+
+#define libcrux_intrinsics_avx2_mm_mullo_epi16(a, b) (_mm_mullo_epi16(a, b))
+
+#define libcrux_intrinsics_avx2_mm_mulhi_epi16(a, b) (_mm_mulhi_epi16(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_madd_epi16(a, b) (_mm256_madd_epi16(a, b))
+
+// Comparison
+
+#define libcrux_intrinsics_avx2_mm256_cmpgt_epi16(a, b) \
+  (_mm256_cmpgt_epi16(a, b))
+
+// Bitwise operations
+
+#define libcrux_intrinsics_avx2_mm256_and_si256(a, b) (_mm256_and_si256(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_andnot_si256(a, b) \
+  (_mm256_andnot_si256(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_xor_si256(a, b) (_mm256_xor_si256(a, b))
+
+#define libcrux_intrinsics_avx2_mm_movemask_epi8(a) (_mm_movemask_epi8(a))
+
+// Shift operations
+#define libcrux_intrinsics_avx2_mm256_srai_epi16(a, b, _) \
+  (_mm256_srai_epi16(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_srli_epi16(a, b, _) \
+  (_mm256_srli_epi16(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_slli_epi16(a, b, _) \
+  (_mm256_slli_epi16(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_slli_epi32(a, b, _) \
+  (_mm256_slli_epi32(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_slli_epi64_(a, b) \
+  (_mm256_slli_epi64(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_slli_epi64(a, b, c) \
+  (libcrux_intrinsics_avx2_mm256_slli_epi64_(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_srai_epi32(a, b, _) \
+  (_mm256_srai_epi32(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_srli_epi32(a, b, _) \
+  (_mm256_srli_epi32(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_sllv_epi32(a, b) (_mm256_sllv_epi32(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_srli_epi64_(a, b) \
+  (_mm256_srli_epi64(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_srli_epi64(a, b, c) \
+  (libcrux_intrinsics_avx2_mm256_srli_epi64_(a, b))
+
+// Shuffle and Vector Interleaving
+
+#define libcrux_intrinsics_avx2_mm256_unpacklo_epi32(a, b) \
+  (_mm256_unpacklo_epi32(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a, b) \
+  (_mm256_unpacklo_epi64(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_unpackhi_epi32(a, b) \
+  (_mm256_unpackhi_epi32(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a, b) \
+  (_mm256_unpackhi_epi64(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_packs_epi32(a, b) \
+  (_mm256_packs_epi32(a, b))
+
+#define libcrux_intrinsics_avx2_mm_packs_epi16(a, b) (_mm_packs_epi16(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_shuffle_epi32(a, b, _) \
+  (_mm256_shuffle_epi32(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_extracti128_si256(a, b, _) \
+  (_mm256_extracti128_si256(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_permute4x64_epi64(a, b, _) \
+  (_mm256_permute4x64_epi64(b, a))
+
+#define libcrux_intrinsics_avx2_mm256_permute2x128_si256(a, b, c, d) \
+  (_mm256_permute2x128_si256(b, c, a))
+
+#define libcrux_intrinsics_avx2_mm256_inserti128_si256(a, b, c, _) \
+  (_mm256_inserti128_si256(b, c, a))
+
+#define libcrux_intrinsics_avx2_mm256_blend_epi16(a, b, c, _) \
+  (_mm256_blend_epi16(b, c, a))
+
+#define libcrux_intrinsics_avx2_mm256_shuffle_epi8(a, b) \
+  (_mm256_shuffle_epi8(a, b))
+
+#define libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32(a, b) \
+  (_mm256_permutevar8x32_epi32(a, b))
+
+#define libcrux_intrinsics_avx2_mm_shuffle_epi8(a, b) (_mm_shuffle_epi8(a, b))
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __libcrux_intrinsics_avx2_H_DEFINED
+#endif
diff --git a/libcrux-ml-dsa/cg/karamel/endianness.h b/libcrux-ml-dsa/cg/karamel/endianness.h
new file mode 100644
index 000000000..d59d9854d
--- /dev/null
+++ b/libcrux-ml-dsa/cg/karamel/endianness.h
@@ -0,0 +1,228 @@
+/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+   Licensed under the Apache 2.0 and MIT Licenses. */
+
+#ifndef __LOWSTAR_ENDIANNESS_H
+#define __LOWSTAR_ENDIANNESS_H
+
+#include <inttypes.h>
+#include <string.h>
+
+/******************************************************************************/
+/* Implementing C.fst (part 2: endian-ness macros)                            */
+/******************************************************************************/
+
+/* ... for Linux */
+#if defined(__linux__) || defined(__CYGWIN__) || \
+    defined(__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__)
+#include <endian.h>
+
+/* ... for OSX */
+#elif defined(__APPLE__)
+#include <libkern/OSByteOrder.h>
+#define htole64(x) OSSwapHostToLittleInt64(x)
+#define le64toh(x) OSSwapLittleToHostInt64(x)
+#define htobe64(x) OSSwapHostToBigInt64(x)
+#define be64toh(x) OSSwapBigToHostInt64(x)
+
+#define htole16(x) OSSwapHostToLittleInt16(x)
+#define le16toh(x) OSSwapLittleToHostInt16(x)
+#define htobe16(x) OSSwapHostToBigInt16(x)
+#define be16toh(x) OSSwapBigToHostInt16(x)
+
+#define htole32(x) OSSwapHostToLittleInt32(x)
+#define le32toh(x) OSSwapLittleToHostInt32(x)
+#define htobe32(x) OSSwapHostToBigInt32(x)
+#define be32toh(x) OSSwapBigToHostInt32(x)
+
+/* ... for Solaris */
+#elif defined(__sun__)
+#include <sys/byteorder.h>
+#define htole64(x) LE_64(x)
+#define le64toh(x) LE_64(x)
+#define htobe64(x) BE_64(x)
+#define be64toh(x) BE_64(x)
+
+#define htole16(x) LE_16(x)
+#define le16toh(x) LE_16(x)
+#define htobe16(x) BE_16(x)
+#define be16toh(x) BE_16(x)
+
+#define htole32(x) LE_32(x)
+#define le32toh(x) LE_32(x)
+#define htobe32(x) BE_32(x)
+#define be32toh(x) BE_32(x)
+
+/* ... for the BSDs */
+#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
+#include <sys/endian.h>
+#elif defined(__OpenBSD__)
+#include <endian.h>
+
+/* ... for Windows (MSVC)... not targeting XBOX 360! */
+#elif defined(_MSC_VER)
+
+#include <stdlib.h>
+#define htobe16(x) _byteswap_ushort(x)
+#define htole16(x) (x)
+#define be16toh(x) _byteswap_ushort(x)
+#define le16toh(x) (x)
+
+#define htobe32(x) _byteswap_ulong(x)
+#define htole32(x) (x)
+#define be32toh(x) _byteswap_ulong(x)
+#define le32toh(x) (x)
+
+#define htobe64(x) _byteswap_uint64(x)
+#define htole64(x) (x)
+#define be64toh(x) _byteswap_uint64(x)
+#define le64toh(x) (x)
+
+/* ... for Windows (GCC-like, e.g. mingw or clang) */
+#elif (defined(_WIN32) || defined(_WIN64) || defined(__EMSCRIPTEN__)) && \
+    (defined(__GNUC__) || defined(__clang__))
+
+#define htobe16(x) __builtin_bswap16(x)
+#define htole16(x) (x)
+#define be16toh(x) __builtin_bswap16(x)
+#define le16toh(x) (x)
+
+#define htobe32(x) __builtin_bswap32(x)
+#define htole32(x) (x)
+#define be32toh(x) __builtin_bswap32(x)
+#define le32toh(x) (x)
+
+#define htobe64(x) __builtin_bswap64(x)
+#define htole64(x) (x)
+#define be64toh(x) __builtin_bswap64(x)
+#define le64toh(x) (x)
+
+/* ... generic big-endian fallback code */
+/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always
+ * big-endian */
+#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || \
+    defined(_AIX)
+
+/* byte swapping code inspired by:
+ * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h
+ * */
+
+#define htobe32(x) (x)
+#define be32toh(x) (x)
+#define htole32(x)                                                  \
+  (__extension__({                                                  \
+    uint32_t _temp = (x);                                           \
+    ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) |    \
+        ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \
+  }))
+#define le32toh(x) (htole32((x)))
+
+#define htobe64(x) (x)
+#define be64toh(x) (x)
+#define htole64(x)                                       \
+  (__extension__({                                       \
+    uint64_t __temp = (x);                               \
+    uint32_t __low = htobe32((uint32_t)__temp);          \
+    uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \
+    (((uint64_t)__low) << 32) | __high;                  \
+  }))
+#define le64toh(x) (htole64((x)))
+
+/* ... generic little-endian fallback code */
+#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+
+#define htole32(x) (x)
+#define le32toh(x) (x)
+#define htobe32(x)                                                  \
+  (__extension__({                                                  \
+    uint32_t _temp = (x);                                           \
+    ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) |    \
+        ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \
+  }))
+#define be32toh(x) (htobe32((x)))
+
+#define htole64(x) (x)
+#define le64toh(x) (x)
+#define htobe64(x)                                       \
+  (__extension__({                                       \
+    uint64_t __temp = (x);                               \
+    uint32_t __low = htobe32((uint32_t)__temp);          \
+    uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \
+    (((uint64_t)__low) << 32) | __high;                  \
+  }))
+#define be64toh(x) (htobe64((x)))
+
+/* ... couldn't determine endian-ness of the target platform */
+#else
+#error "Please define __BYTE_ORDER__!"
+
+#endif /* defined(__linux__) || ... */
+
+/* Loads and stores. These avoid undefined behavior due to unaligned memory
+ * accesses, via memcpy. */
+
+inline static uint16_t load16(uint8_t *b) {
+  uint16_t x;
+  memcpy(&x, b, 2);
+  return x;
+}
+
+inline static uint32_t load32(uint8_t *b) {
+  uint32_t x;
+  memcpy(&x, b, 4);
+  return x;
+}
+
+inline static uint64_t load64(uint8_t *b) {
+  uint64_t x;
+  memcpy(&x, b, 8);
+  return x;
+}
+
+inline static void store16(uint8_t *b, uint16_t i) { memcpy(b, &i, 2); }
+
+inline static void store32(uint8_t *b, uint32_t i) { memcpy(b, &i, 4); }
+
+inline static void store64(uint8_t *b, uint64_t i) { memcpy(b, &i, 8); }
+
+/* Legacy accessors so that this header can serve as an implementation of
+ * C.Endianness */
+#define load16_le(b) (le16toh(load16(b)))
+#define store16_le(b, i) (store16(b, htole16(i)))
+#define load16_be(b) (be16toh(load16(b)))
+#define store16_be(b, i) (store16(b, htobe16(i)))
+
+#define load32_le(b) (le32toh(load32(b)))
+#define store32_le(b, i) (store32(b, htole32(i)))
+#define load32_be(b) (be32toh(load32(b)))
+#define store32_be(b, i) (store32(b, htobe32(i)))
+
+#define load64_le(b) (le64toh(load64(b)))
+#define store64_le(b, i) (store64(b, htole64(i)))
+#define load64_be(b) (be64toh(load64(b)))
+#define store64_be(b, i) (store64(b, htobe64(i)))
+
+/* Co-existence of LowStar.Endianness and FStar.Endianness generates name
+ * conflicts, because of course both insist on having no prefixes. Until a
+ * prefix is added, or until we truly retire FStar.Endianness, solve this issue
+ * in an elegant way. */
+#define load16_le0 load16_le
+#define store16_le0 store16_le
+#define load16_be0 load16_be
+#define store16_be0 store16_be
+
+#define load32_le0 load32_le
+#define store32_le0 store32_le
+#define load32_be0 load32_be
+#define store32_be0 store32_be
+
+#define load64_le0 load64_le
+#define store64_le0 store64_le
+#define load64_be0 load64_be
+#define store64_be0 store64_be
+
+#define load128_le0 load128_le
+#define store128_le0 store128_le
+#define load128_be0 load128_be
+#define store128_be0 store128_be
+
+#endif
diff --git a/libcrux-ml-dsa/cg/karamel/target.h b/libcrux-ml-dsa/cg/karamel/target.h
new file mode 100644
index 000000000..f34539303
--- /dev/null
+++ b/libcrux-ml-dsa/cg/karamel/target.h
@@ -0,0 +1,55 @@
+/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+ * Licensed under the Apache 2.0 and MIT Licenses.
+ *
+ * SPDX-FileCopyrightText: 2024 INRIA and Microsoft Corporation
+ * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
+ *
+ * SPDX-License-Identifier: MIT or Apache-2.0
+ */
+
+#ifndef __KRML_TARGET_H
+#define __KRML_TARGET_H
+
+#ifndef KRML_HOST_PRINTF
+#define KRML_HOST_PRINTF printf
+#endif
+
+#if ((defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L) || \
+     (defined(__cplusplus) && __cplusplus > 199711L)) &&           \
+    (!defined(KRML_HOST_EPRINTF))
+#define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__)
+#elif !(defined KRML_HOST_EPRINTF) && defined(_MSC_VER)
+#define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__)
+#endif
+
+#ifndef KRML_HOST_EXIT
+#define KRML_HOST_EXIT exit
+#endif
+
+// This does not actually force inline.
+// Forcing inline increases stack usage beyond acceptable limits
+#define KRML_MUSTINLINE inline
+
+#ifndef KRML_NOINLINE
+#if defined(_MSC_VER)
+#define KRML_NOINLINE __declspec(noinline)
+#elif defined(__GNUC__)
+#define KRML_NOINLINE __attribute__((noinline, unused))
+#else
+#define KRML_NOINLINE
+#warning "The KRML_NOINLINE macro is not defined for this toolchain!"
+#warning "The compiler may defeat side-channel resistance with optimizations."
+#warning \
+    "Please locate target.h and try to fill it out with a suitable definition for this compiler."
+#endif
+#endif
+
+#ifndef KRML_ATTRIBUTE_TARGET
+#if defined(__GNUC__)
+#define KRML_ATTRIBUTE_TARGET(x) __attribute__((target(x)))
+#else
+#define KRML_ATTRIBUTE_TARGET(x)
+#endif
+#endif
+
+#endif
diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h
new file mode 100644
index 000000000..cb97a4566
--- /dev/null
+++ b/libcrux-ml-dsa/cg/libcrux_core.h
@@ -0,0 +1,565 @@
+/*
+ * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
+ *
+ * SPDX-License-Identifier: MIT or Apache-2.0
+ *
+ * This code was generated with the following revisions:
+ * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79
+ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5
+ * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968
+ * F*: b0961063393215ca65927f017720cb365a193833-dirty
+ * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3
+ */
+
+#ifndef __libcrux_core_H
+#define __libcrux_core_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include "eurydice_glue.h"
+
+/**
+A monomorphic instance of core.ops.range.Range
+with types size_t
+
+*/
+typedef struct core_ops_range_Range_08_s {
+  size_t start;
+  size_t end;
+} core_ops_range_Range_08;
+
+static inline uint8_t Eurydice_bitand_pv_u8(uint8_t *x, uint8_t y);
+
+static inline uint8_t Eurydice_shr_pv_u8(uint8_t *x, int32_t y);
+
+#define Ok 0
+#define Err 1
+
+typedef uint8_t Result_a9_tags;
+
+#define None 0
+#define Some 1
+
+typedef uint8_t Option_d8_tags;
+
+/**
+A monomorphic instance of core.option.Option
+with types size_t
+
+*/
+typedef struct Option_08_s {
+  Option_d8_tags tag;
+  size_t f0;
+} Option_08;
+
+static inline uint32_t core_num__i32_2__count_ones(int32_t x0);
+
+static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t x0[8U]);
+
+static inline void core_num__u64_9__to_le_bytes(uint64_t x0, uint8_t x1[8U]);
+
+/**
+A monomorphic instance of core.result.Result
+with types uint8_t[10size_t], core_array_TryFromSliceError
+
+*/
+typedef struct Result_9d_s {
+  Result_a9_tags tag;
+  union {
+    uint8_t case_Ok[10U];
+    TryFromSliceError case_Err;
+  } val;
+} Result_9d;
+
+/**
+This function found in impl {core::result::Result<T, E>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of core.result.unwrap_26
+with types uint8_t[10size_t], core_array_TryFromSliceError
+
+*/
+static inline void unwrap_26_ce(Result_9d self, uint8_t ret[10U]) {
+  if (self.tag == Ok) {
+    uint8_t f0[10U];
+    memcpy(f0, self.val.case_Ok, (size_t)10U * sizeof(uint8_t));
+    memcpy(ret, f0, (size_t)10U * sizeof(uint8_t));
+  } else {
+    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                      "unwrap not Ok");
+    KRML_HOST_EXIT(255U);
+  }
+}
+
+/**
+A monomorphic instance of core.result.Result
+with types uint8_t[13size_t], core_array_TryFromSliceError
+
+*/
+typedef struct Result_b0_s {
+  Result_a9_tags tag;
+  union {
+    uint8_t case_Ok[13U];
+    TryFromSliceError case_Err;
+  } val;
+} Result_b0;
+
+/**
+This function found in impl {core::result::Result<T, E>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of core.result.unwrap_26
+with types uint8_t[13size_t], core_array_TryFromSliceError
+
+*/
+static inline void unwrap_26_23(Result_b0 self, uint8_t ret[13U]) {
+  if (self.tag == Ok) {
+    uint8_t f0[13U];
+    memcpy(f0, self.val.case_Ok, (size_t)13U * sizeof(uint8_t));
+    memcpy(ret, f0, (size_t)13U * sizeof(uint8_t));
+  } else {
+    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                      "unwrap not Ok");
+    KRML_HOST_EXIT(255U);
+  }
+}
+
+typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature_s {
+  uint8_t value[3309U];
+} libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature;
+
+/**
+ A reference to the raw byte array.
+*/
+/**
+This function found in impl {libcrux_ml_dsa::types::MLDSASignature<SIZE>#4}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.types.as_ref_8f
+with const generics
+- SIZE= 3309
+*/
+static inline uint8_t *libcrux_ml_dsa_types_as_ref_8f_fa(
+    libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *self) {
+  return self->value;
+}
+
+#define libcrux_ml_dsa_types_MalformedHintError 0
+#define libcrux_ml_dsa_types_SignerResponseExceedsBoundError 1
+#define libcrux_ml_dsa_types_CommitmentHashesDontMatchError 2
+#define libcrux_ml_dsa_types_VerificationContextTooLongError 3
+
+typedef uint8_t libcrux_ml_dsa_types_VerificationError;
+
+/**
+A monomorphic instance of core.result.Result
+with types (), libcrux_ml_dsa_types_VerificationError
+
+*/
+typedef struct Result_41_s {
+  Result_a9_tags tag;
+  libcrux_ml_dsa_types_VerificationError f0;
+} Result_41;
+
+/**
+A monomorphic instance of core.result.Result
+with types uint8_t[48size_t], core_array_TryFromSliceError
+
+*/
+typedef struct Result_ae_s {
+  Result_a9_tags tag;
+  union {
+    uint8_t case_Ok[48U];
+    TryFromSliceError case_Err;
+  } val;
+} Result_ae;
+
+/**
+This function found in impl {core::result::Result<T, E>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of core.result.unwrap_26
+with types uint8_t[48size_t], core_array_TryFromSliceError
+
+*/
+static inline void unwrap_26_28(Result_ae self, uint8_t ret[48U]) {
+  if (self.tag == Ok) {
+    uint8_t f0[48U];
+    memcpy(f0, self.val.case_Ok, (size_t)48U * sizeof(uint8_t));
+    memcpy(ret, f0, (size_t)48U * sizeof(uint8_t));
+  } else {
+    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                      "unwrap not Ok");
+    KRML_HOST_EXIT(255U);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.types.MLDSAVerificationKey
+with const generics
+- $1952size_t
+*/
+typedef struct libcrux_ml_dsa_types_MLDSAVerificationKey_ea_s {
+  uint8_t value[1952U];
+} libcrux_ml_dsa_types_MLDSAVerificationKey_ea;
+
+/**
+ A reference to the raw byte array.
+*/
+/**
+This function found in impl
+{libcrux_ml_dsa::types::MLDSAVerificationKey<SIZE>#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.types.as_ref_66
+with const generics
+- SIZE= 1952
+*/
+static inline uint8_t *libcrux_ml_dsa_types_as_ref_66_97(
+    libcrux_ml_dsa_types_MLDSAVerificationKey_ea *self) {
+  return self->value;
+}
+
+/**
+A monomorphic instance of core.option.Option
+with types int32_t[256size_t][6size_t]
+
+*/
+typedef struct Option_f0_s {
+  Option_d8_tags tag;
+  int32_t f0[6U][256U];
+} Option_f0;
+
+/**
+A monomorphic instance of core.option.Option
+with types uint8_t[48size_t]
+
+*/
+typedef struct Option_67_s {
+  Option_d8_tags tag;
+  uint8_t f0[48U];
+} Option_67;
+
+#define libcrux_ml_dsa_types_RejectionSamplingError 0
+#define libcrux_ml_dsa_types_ContextTooLongError 1
+
+typedef uint8_t libcrux_ml_dsa_types_SigningError;
+
+/**
+A monomorphic instance of core.result.Result
+with types libcrux_ml_dsa_types_MLDSASignature[[$3309size_t]],
+libcrux_ml_dsa_types_SigningError
+
+*/
+typedef struct Result_2e_s {
+  Result_a9_tags tag;
+  union {
+    libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature case_Ok;
+    libcrux_ml_dsa_types_SigningError case_Err;
+  } val;
+} Result_2e;
+
+/**
+ Build
+*/
+/**
+This function found in impl {libcrux_ml_dsa::types::MLDSASignature<SIZE>#4}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.types.new_8f
+with const generics
+- SIZE= 3309
+*/
+static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature
+libcrux_ml_dsa_types_new_8f_fa(uint8_t value[3309U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_value[3309U];
+  memcpy(copy_of_value, value, (size_t)3309U * sizeof(uint8_t));
+  libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature lit;
+  memcpy(lit.value, copy_of_value, (size_t)3309U * sizeof(uint8_t));
+  return lit;
+}
+
+/**
+A monomorphic instance of core.result.Result
+with types uint8_t[64size_t], core_array_TryFromSliceError
+
+*/
+typedef struct Result_f2_s {
+  Result_a9_tags tag;
+  union {
+    uint8_t case_Ok[64U];
+    TryFromSliceError case_Err;
+  } val;
+} Result_f2;
+
+/**
+This function found in impl {core::result::Result<T, E>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of core.result.unwrap_26
+with types uint8_t[64size_t], core_array_TryFromSliceError
+
+*/
+static inline void unwrap_26_4b(Result_f2 self, uint8_t ret[64U]) {
+  if (self.tag == Ok) {
+    uint8_t f0[64U];
+    memcpy(f0, self.val.case_Ok, (size_t)64U * sizeof(uint8_t));
+    memcpy(ret, f0, (size_t)64U * sizeof(uint8_t));
+  } else {
+    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                      "unwrap not Ok");
+    KRML_HOST_EXIT(255U);
+  }
+}
+
+/**
+A monomorphic instance of core.result.Result
+with types uint8_t[32size_t], core_array_TryFromSliceError
+
+*/
+typedef struct Result_fb_s {
+  Result_a9_tags tag;
+  union {
+    uint8_t case_Ok[32U];
+    TryFromSliceError case_Err;
+  } val;
+} Result_fb;
+
+/**
+This function found in impl {core::result::Result<T, E>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of core.result.unwrap_26
+with types uint8_t[32size_t], core_array_TryFromSliceError
+
+*/
+static inline void unwrap_26_b3(Result_fb self, uint8_t ret[32U]) {
+  if (self.tag == Ok) {
+    uint8_t f0[32U];
+    memcpy(f0, self.val.case_Ok, (size_t)32U * sizeof(uint8_t));
+    memcpy(ret, f0, (size_t)32U * sizeof(uint8_t));
+  } else {
+    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                      "unwrap not Ok");
+    KRML_HOST_EXIT(255U);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.types.MLDSASigningKey
+with const generics
+- $4032size_t
+*/
+typedef struct libcrux_ml_dsa_types_MLDSASigningKey_22_s {
+  uint8_t value[4032U];
+} libcrux_ml_dsa_types_MLDSASigningKey_22;
+
+/**
+ A reference to the raw byte array.
+*/
+/**
+This function found in impl {libcrux_ml_dsa::types::MLDSASigningKey<SIZE>}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.types.as_ref_9b
+with const generics
+- SIZE= 4032
+*/
+static inline uint8_t *libcrux_ml_dsa_types_as_ref_9b_09(
+    libcrux_ml_dsa_types_MLDSASigningKey_22 *self) {
+  return self->value;
+}
+
+/**
+ Build
+*/
+/**
+This function found in impl
+{libcrux_ml_dsa::types::MLDSAVerificationKey<SIZE>#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.types.new_66
+with const generics
+- SIZE= 1952
+*/
+static inline libcrux_ml_dsa_types_MLDSAVerificationKey_ea
+libcrux_ml_dsa_types_new_66_97(uint8_t value[1952U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_value[1952U];
+  memcpy(copy_of_value, value, (size_t)1952U * sizeof(uint8_t));
+  libcrux_ml_dsa_types_MLDSAVerificationKey_ea lit;
+  memcpy(lit.value, copy_of_value, (size_t)1952U * sizeof(uint8_t));
+  return lit;
+}
+
+/**
+ Build
+*/
+/**
+This function found in impl {libcrux_ml_dsa::types::MLDSASigningKey<SIZE>}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.types.new_9b
+with const generics
+- SIZE= 4032
+*/
+static inline libcrux_ml_dsa_types_MLDSASigningKey_22
+libcrux_ml_dsa_types_new_9b_09(uint8_t value[4032U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_value[4032U];
+  memcpy(copy_of_value, value, (size_t)4032U * sizeof(uint8_t));
+  libcrux_ml_dsa_types_MLDSASigningKey_22 lit;
+  memcpy(lit.value, copy_of_value, (size_t)4032U * sizeof(uint8_t));
+  return lit;
+}
+
+/**
+ Pad the `slice` with `0`s at the end.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.utils.into_padded_array
+with const generics
+- LEN= 66
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_20(
+    Eurydice_slice slice, uint8_t ret[66U]) {
+  uint8_t out[66U] = {0U};
+  uint8_t *uu____0 = out;
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(uu____0, (size_t)0U,
+                                  Eurydice_slice_len(slice, uint8_t), uint8_t),
+      slice, uint8_t);
+  memcpy(ret, out, (size_t)66U * sizeof(uint8_t));
+}
+
+/**
+ Pad the `slice` with `0`s at the end.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.utils.into_padded_array
+with const generics
+- LEN= 34
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_b6(
+    Eurydice_slice slice, uint8_t ret[34U]) {
+  uint8_t out[34U] = {0U};
+  uint8_t *uu____0 = out;
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(uu____0, (size_t)0U,
+                                  Eurydice_slice_len(slice, uint8_t), uint8_t),
+      slice, uint8_t);
+  memcpy(ret, out, (size_t)34U * sizeof(uint8_t));
+}
+
+/**
+A monomorphic instance of core.result.Result
+with types int32_t[8size_t], core_array_TryFromSliceError
+
+*/
+typedef struct Result_6c_s {
+  Result_a9_tags tag;
+  union {
+    int32_t case_Ok[8U];
+    TryFromSliceError case_Err;
+  } val;
+} Result_6c;
+
+/**
+This function found in impl {core::result::Result<T, E>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of core.result.unwrap_26
+with types int32_t[8size_t], core_array_TryFromSliceError
+
+*/
+static inline void unwrap_26_55(Result_6c self, int32_t ret[8U]) {
+  if (self.tag == Ok) {
+    int32_t f0[8U];
+    memcpy(f0, self.val.case_Ok, (size_t)8U * sizeof(int32_t));
+    memcpy(ret, f0, (size_t)8U * sizeof(int32_t));
+  } else {
+    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                      "unwrap not Ok");
+    KRML_HOST_EXIT(255U);
+  }
+}
+
+/**
+A monomorphic instance of core.option.Option
+with types uint8_t[11size_t]
+
+*/
+typedef struct Option_30_s {
+  Option_d8_tags tag;
+  uint8_t f0[11U];
+} Option_30;
+
+typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair_s {
+  libcrux_ml_dsa_types_MLDSASigningKey_22 signing_key;
+  libcrux_ml_dsa_types_MLDSAVerificationKey_ea verification_key;
+} libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair;
+
+typedef struct Eurydice_slice_uint8_t_4size_t__x2_s {
+  Eurydice_slice fst[4U];
+  Eurydice_slice snd[4U];
+} Eurydice_slice_uint8_t_4size_t__x2;
+
+/**
+A monomorphic instance of core.result.Result
+with types uint8_t[8size_t], core_array_TryFromSliceError
+
+*/
+typedef struct Result_15_s {
+  Result_a9_tags tag;
+  union {
+    uint8_t case_Ok[8U];
+    TryFromSliceError case_Err;
+  } val;
+} Result_15;
+
+/**
+This function found in impl {core::result::Result<T, E>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of core.result.unwrap_26
+with types uint8_t[8size_t], core_array_TryFromSliceError
+
+*/
+static inline void unwrap_26_68(Result_15 self, uint8_t ret[8U]) {
+  if (self.tag == Ok) {
+    uint8_t f0[8U];
+    memcpy(f0, self.val.case_Ok, (size_t)8U * sizeof(uint8_t));
+    memcpy(ret, f0, (size_t)8U * sizeof(uint8_t));
+  } else {
+    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                      "unwrap not Ok");
+    KRML_HOST_EXIT(255U);
+  }
+}
+
+typedef struct Eurydice_slice_uint8_t_x2_s {
+  Eurydice_slice fst;
+  Eurydice_slice snd;
+} Eurydice_slice_uint8_t_x2;
+
+typedef struct Eurydice_slice_uint8_t_1size_t__x2_s {
+  Eurydice_slice fst[1U];
+  Eurydice_slice snd[1U];
+} Eurydice_slice_uint8_t_1size_t__x2;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __libcrux_core_H_DEFINED
+#endif
diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h
new file mode 100644
index 000000000..a79e5a218
--- /dev/null
+++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h
@@ -0,0 +1,8107 @@
+/*
+ * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
+ *
+ * SPDX-License-Identifier: MIT or Apache-2.0
+ *
+ * This code was generated with the following revisions:
+ * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79
+ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5
+ * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968
+ * F*: b0961063393215ca65927f017720cb365a193833-dirty
+ * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3
+ */
+
+#ifndef __libcrux_mldsa65_avx2_H
+#define __libcrux_mldsa65_avx2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include "eurydice_glue.h"
+#include "intrinsics/libcrux_intrinsics_avx2.h"
+#include "libcrux_core.h"
+#include "libcrux_mldsa65_portable.h"
+#include "libcrux_sha3_avx2.h"
+#include "libcrux_sha3_portable.h"
+
+typedef libcrux_sha3_avx2_x4_incremental_KeccakState
+    libcrux_ml_dsa_hash_functions_simd256_Shake128x4;
+
+/**
+ Init the state and absorb 4 blocks in parallel.
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
+libcrux_ml_dsa_hash_functions_simd256_init_absorb(Eurydice_slice input0,
+                                                  Eurydice_slice input1,
+                                                  Eurydice_slice input2,
+                                                  Eurydice_slice input3) {
+  libcrux_sha3_generic_keccak_KeccakState_55 state =
+      libcrux_sha3_avx2_x4_incremental_init();
+  libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(&state, input0, input1,
+                                                         input2, input3);
+  return state;
+}
+
+typedef libcrux_sha3_portable_KeccakState
+    libcrux_ml_dsa_hash_functions_simd256_Shake256;
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_sha3_portable_KeccakState
+libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_shake256(
+    Eurydice_slice input) {
+  libcrux_sha3_generic_keccak_KeccakState_17 state =
+      libcrux_sha3_portable_incremental_shake256_init();
+  libcrux_sha3_portable_incremental_shake256_absorb_final(&state, input);
+  return state;
+}
+
+typedef libcrux_sha3_avx2_x4_incremental_KeccakState
+    libcrux_ml_dsa_hash_functions_simd256_Shake256x4;
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
+libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4(Eurydice_slice input0,
+                                                     Eurydice_slice input1,
+                                                     Eurydice_slice input2,
+                                                     Eurydice_slice input3) {
+  libcrux_sha3_generic_keccak_KeccakState_55 state =
+      libcrux_sha3_avx2_x4_incremental_init();
+  libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(&state, input0, input1,
+                                                         input2, input3);
+  return state;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_shake256(
+    libcrux_sha3_portable_KeccakState *state, uint8_t ret[136U]) {
+  uint8_t out[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
+      state, Eurydice_array_to_slice((size_t)136U, out, uint8_t));
+  memcpy(ret, out, (size_t)136U * sizeof(uint8_t));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE uint8_t_136size_t__x4
+libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4(
+    libcrux_sha3_avx2_x4_incremental_KeccakState *state) {
+  uint8_t out0[136U] = {0U};
+  uint8_t out1[136U] = {0U};
+  uint8_t out2[136U] = {0U};
+  uint8_t out3[136U] = {0U};
+  libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
+      state, Eurydice_array_to_slice((size_t)136U, out0, uint8_t),
+      Eurydice_array_to_slice((size_t)136U, out1, uint8_t),
+      Eurydice_array_to_slice((size_t)136U, out2, uint8_t),
+      Eurydice_array_to_slice((size_t)136U, out3, uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out0[136U];
+  memcpy(copy_of_out0, out0, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out1[136U];
+  memcpy(copy_of_out1, out1, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out2[136U];
+  memcpy(copy_of_out2, out2, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out3[136U];
+  memcpy(copy_of_out3, out3, (size_t)136U * sizeof(uint8_t));
+  uint8_t_136size_t__x4 lit;
+  memcpy(lit.fst, copy_of_out0, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.snd, copy_of_out1, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.thd, copy_of_out2, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.f3, copy_of_out3, (size_t)136U * sizeof(uint8_t));
+  return lit;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_squeeze_first_five_blocks(
+    libcrux_sha3_avx2_x4_incremental_KeccakState *state, uint8_t *out0,
+    uint8_t *out1, uint8_t *out2, uint8_t *out3) {
+  libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
+      state, Eurydice_array_to_slice((size_t)840U, out0, uint8_t),
+      Eurydice_array_to_slice((size_t)840U, out1, uint8_t),
+      Eurydice_array_to_slice((size_t)840U, out2, uint8_t),
+      Eurydice_array_to_slice((size_t)840U, out3, uint8_t));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE uint8_t_168size_t__x4
+libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block(
+    libcrux_sha3_avx2_x4_incremental_KeccakState *state) {
+  uint8_t out0[168U] = {0U};
+  uint8_t out1[168U] = {0U};
+  uint8_t out2[168U] = {0U};
+  uint8_t out3[168U] = {0U};
+  libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
+      state, Eurydice_array_to_slice((size_t)168U, out0, uint8_t),
+      Eurydice_array_to_slice((size_t)168U, out1, uint8_t),
+      Eurydice_array_to_slice((size_t)168U, out2, uint8_t),
+      Eurydice_array_to_slice((size_t)168U, out3, uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out0[168U];
+  memcpy(copy_of_out0, out0, (size_t)168U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out1[168U];
+  memcpy(copy_of_out1, out1, (size_t)168U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out2[168U];
+  memcpy(copy_of_out2, out2, (size_t)168U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out3[168U];
+  memcpy(copy_of_out3, out3, (size_t)168U * sizeof(uint8_t));
+  uint8_t_168size_t__x4 lit;
+  memcpy(lit.fst, copy_of_out0, (size_t)168U * sizeof(uint8_t));
+  memcpy(lit.snd, copy_of_out1, (size_t)168U * sizeof(uint8_t));
+  memcpy(lit.thd, copy_of_out2, (size_t)168U * sizeof(uint8_t));
+  memcpy(lit.f3, copy_of_out3, (size_t)168U * sizeof(uint8_t));
+  return lit;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_shake256(
+    libcrux_sha3_portable_KeccakState *state, uint8_t ret[136U]) {
+  uint8_t out[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
+      state, Eurydice_array_to_slice((size_t)136U, out, uint8_t));
+  memcpy(ret, out, (size_t)136U * sizeof(uint8_t));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE uint8_t_136size_t__x4
+libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4(
+    libcrux_sha3_avx2_x4_incremental_KeccakState *state) {
+  uint8_t out0[136U] = {0U};
+  uint8_t out1[136U] = {0U};
+  uint8_t out2[136U] = {0U};
+  uint8_t out3[136U] = {0U};
+  libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
+      state, Eurydice_array_to_slice((size_t)136U, out0, uint8_t),
+      Eurydice_array_to_slice((size_t)136U, out1, uint8_t),
+      Eurydice_array_to_slice((size_t)136U, out2, uint8_t),
+      Eurydice_array_to_slice((size_t)136U, out3, uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out0[136U];
+  memcpy(copy_of_out0, out0, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out1[136U];
+  memcpy(copy_of_out1, out1, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out2[136U];
+  memcpy(copy_of_out2, out2, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out3[136U];
+  memcpy(copy_of_out3, out3, (size_t)136U * sizeof(uint8_t));
+  uint8_t_136size_t__x4 lit;
+  memcpy(lit.fst, copy_of_out0, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.snd, copy_of_out1, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.thd, copy_of_out2, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.f3, copy_of_out3, (size_t)136U * sizeof(uint8_t));
+  return lit;
+}
+
+/**
+ Init the state and absorb 4 blocks in parallel.
+*/
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4
+for libcrux_ml_dsa::hash_functions::simd256::Shake128x4)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
+libcrux_ml_dsa_hash_functions_simd256_init_absorb_7b(Eurydice_slice input0,
+                                                     Eurydice_slice input1,
+                                                     Eurydice_slice input2,
+                                                     Eurydice_slice input3) {
+  return libcrux_ml_dsa_hash_functions_simd256_init_absorb(input0, input1,
+                                                           input2, input3);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4
+for libcrux_ml_dsa::hash_functions::simd256::Shake128x4)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_squeeze_first_five_blocks_7b(
+    libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t *out0,
+    uint8_t *out1, uint8_t *out2, uint8_t *out3) {
+  libcrux_ml_dsa_hash_functions_simd256_squeeze_first_five_blocks(
+      self, out0, out1, out2, out3);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4
+for libcrux_ml_dsa::hash_functions::simd256::Shake128x4)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE uint8_t_168size_t__x4
+libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b(
+    libcrux_sha3_avx2_x4_incremental_KeccakState *self) {
+  return libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block(self);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_sha3_portable_KeccakState
+libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_d9(
+    Eurydice_slice input) {
+  return libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_shake256(
+      input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_d9(
+    libcrux_sha3_portable_KeccakState *self, uint8_t ret[136U]) {
+  libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_shake256(self, ret);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_d9(
+    libcrux_sha3_portable_KeccakState *self, uint8_t ret[136U]) {
+  libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_shake256(self, ret);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
+libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4_fb(Eurydice_slice input0,
+                                                        Eurydice_slice input1,
+                                                        Eurydice_slice input2,
+                                                        Eurydice_slice input3) {
+  return libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4(input0, input1,
+                                                              input2, input3);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE uint8_t_136size_t__x4
+libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4_fb(
+    libcrux_sha3_avx2_x4_incremental_KeccakState *self) {
+  return libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4(self);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE uint8_t_136size_t__x4
+libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb(
+    libcrux_sha3_avx2_x4_incremental_KeccakState *self) {
+  return libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4(self);
+}
+
+typedef __m256i libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit;
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_ZERO(void) {
+  return libcrux_intrinsics_avx2_mm256_setzero_si256();
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_dsa_simd_avx2_ZERO_a2(void) {
+  return libcrux_ml_dsa_simd_avx2_vector_type_ZERO();
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline __m256i
+libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array(
+    Eurydice_slice coefficient_array) {
+  return libcrux_intrinsics_avx2_mm256_loadu_si256_i32(coefficient_array);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2(
+    Eurydice_slice coefficient_array) {
+  return libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array(
+      coefficient_array);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(
+    __m256i *x, int32_t ret[8U]) {
+  int32_t coefficient_array[8U] = {0U};
+  libcrux_intrinsics_avx2_mm256_storeu_si256_i32(
+      Eurydice_array_to_slice((size_t)8U, coefficient_array, int32_t), x[0U]);
+  memcpy(ret, coefficient_array, (size_t)8U * sizeof(int32_t));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_to_coefficient_array_a2(
+    __m256i *self, int32_t ret[8U]) {
+  libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(self, ret);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_arithmetic_add(__m256i lhs, __m256i rhs) {
+  return libcrux_intrinsics_avx2_mm256_add_epi32(lhs, rhs);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_dsa_simd_avx2_add_a2(__m256i *lhs,
+                                                               __m256i *rhs) {
+  return libcrux_ml_dsa_simd_avx2_arithmetic_add(lhs[0U], rhs[0U]);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_arithmetic_subtract(__m256i lhs, __m256i rhs) {
+  return libcrux_intrinsics_avx2_mm256_sub_epi32(lhs, rhs);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_subtract_a2(__m256i *lhs, __m256i *rhs) {
+  return libcrux_ml_dsa_simd_avx2_arithmetic_subtract(lhs[0U], rhs[0U]);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(__m256i simd_unit,
+                                                          int32_t bound) {
+  __m256i absolute_values = libcrux_intrinsics_avx2_mm256_abs_epi32(simd_unit);
+  __m256i bound0 = libcrux_intrinsics_avx2_mm256_set1_epi32(bound - (int32_t)1);
+  __m256i compare_with_bound =
+      libcrux_intrinsics_avx2_mm256_cmpgt_epi32(absolute_values, bound0);
+  int32_t result = libcrux_intrinsics_avx2_mm256_testz_si256(
+      compare_with_bound, compare_with_bound);
+  bool uu____0;
+  if (result == (int32_t)1) {
+    uu____0 = false;
+  } else {
+    uu____0 = true;
+  }
+  return uu____0;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE bool libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_a2(
+    __m256i simd_unit, int32_t bound) {
+  return libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(simd_unit,
+                                                                   bound);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline __m256i
+libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(__m256i t) {
+  __m256i signs =
+      libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, t, __m256i);
+  __m256i conditional_add_field_modulus =
+      libcrux_intrinsics_avx2_mm256_and_si256(
+          signs, libcrux_intrinsics_avx2_mm256_set1_epi32(
+                     LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS));
+  return libcrux_intrinsics_avx2_mm256_add_epi32(t,
+                                                 conditional_add_field_modulus);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(__m256i lhs,
+                                                        __m256i rhs) {
+  __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32(
+      LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS);
+  __m256i inverse_of_modulus_mod_montgomery_r =
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          (int32_t)
+              LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R);
+  __m256i prod02 = libcrux_intrinsics_avx2_mm256_mul_epi32(lhs, rhs);
+  __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32(
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, lhs, __m256i),
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, rhs, __m256i));
+  __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32(
+      prod02, inverse_of_modulus_mod_montgomery_r);
+  __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32(
+      prod13, inverse_of_modulus_mod_montgomery_r);
+  __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus);
+  __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus);
+  __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02);
+  __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13);
+  __m256i res02_shifted =
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i);
+  return libcrux_intrinsics_avx2_mm256_blend_epi32((int32_t)170, res02_shifted,
+                                                   res13, __m256i);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_montgomery_multiply_a2(__m256i lhs, __m256i rhs) {
+  return libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(lhs, rhs);
+}
+
+typedef struct core_core_arch_x86___m256i_x2_s {
+  __m256i fst;
+  __m256i snd;
+} core_core_arch_x86___m256i_x2;
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE core_core_arch_x86___m256i_x2
+libcrux_ml_dsa_simd_avx2_arithmetic_power2round(__m256i r) {
+  __m256i r2 =
+      libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(r);
+  __m256i r1 = libcrux_intrinsics_avx2_mm256_add_epi32(
+      r2, libcrux_intrinsics_avx2_mm256_set1_epi32(
+              ((int32_t)1
+               << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T -
+                             (size_t)1U)) -
+              (int32_t)1));
+  __m256i r10 =
+      libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)13, r1, __m256i);
+  __m256i r0 =
+      libcrux_intrinsics_avx2_mm256_slli_epi32((int32_t)13, r10, __m256i);
+  __m256i r00 = libcrux_intrinsics_avx2_mm256_sub_epi32(r2, r0);
+  return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = r00, .snd = r10});
+}
+
+typedef struct libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2_s {
+  __m256i fst;
+  __m256i snd;
+} libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2;
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2
+libcrux_ml_dsa_simd_avx2_power2round_a2(__m256i simd_unit) {
+  core_core_arch_x86___m256i_x2 uu____0 =
+      libcrux_ml_dsa_simd_avx2_arithmetic_power2round(simd_unit);
+  __m256i lower = uu____0.fst;
+  __m256i upper = uu____0.snd;
+  return (CLITERAL(libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2){
+      .fst = lower, .snd = upper});
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK \
+  (((int32_t)1 << 23U) - (int32_t)1)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients(
+    Eurydice_slice serialized) {
+  uint8_t serialized_extended[32U] = {0U};
+  Eurydice_slice uu____0 = Eurydice_array_to_subslice_to(
+      (size_t)32U, serialized_extended, (size_t)24U, uint8_t, size_t);
+  Eurydice_slice_copy(uu____0, serialized, uint8_t);
+  __m256i coefficients = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+      Eurydice_array_to_slice((size_t)32U, serialized_extended, uint8_t));
+  __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32(
+      coefficients, libcrux_intrinsics_avx2_mm256_set_epi32(
+                        (int32_t)0, (int32_t)5, (int32_t)4, (int32_t)3,
+                        (int32_t)0, (int32_t)2, (int32_t)1, (int32_t)0));
+  __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
+      coefficients0,
+      libcrux_intrinsics_avx2_mm256_set_epi8(
+          (int8_t)-1, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8,
+          (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3,
+          (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1, (int8_t)11,
+          (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6,
+          (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)2,
+          (int8_t)1, (int8_t)0));
+  return libcrux_intrinsics_avx2_mm256_and_si256(
+      coefficients1,
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK));
+}
+
+static const uint8_t
+    libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE
+        [16U][16U] = {{255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U, 255U, 255U, 255U},
+                      {0U, 1U, 2U, 3U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U, 255U},
+                      {4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U, 255U},
+                      {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U},
+                      {8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U, 255U, 255U},
+                      {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U},
+                      {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U},
+                      {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U,
+                       255U, 255U, 255U},
+                      {12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U, 255U, 255U},
+                      {0U, 1U, 2U, 3U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U, 255U},
+                      {4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U, 255U},
+                      {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U,
+                       255U, 255U, 255U},
+                      {8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
+                       255U, 255U, 255U, 255U, 255U},
+                      {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U,
+                       255U, 255U, 255U, 255U},
+                      {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U,
+                       255U, 255U, 255U, 255U},
+                      {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U,
+                       13U, 14U, 15U}};
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE size_t
+libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample(
+    Eurydice_slice input, Eurydice_slice output) {
+  __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32(
+      LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS);
+  __m256i potential_coefficients =
+      libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients(
+          input);
+  __m256i compare_with_field_modulus =
+      libcrux_intrinsics_avx2_mm256_cmpgt_epi32(field_modulus,
+                                                potential_coefficients);
+  int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps(
+      libcrux_intrinsics_avx2_mm256_castsi256_ps(compare_with_field_modulus));
+  int32_t good_lower_half = good & (int32_t)15;
+  int32_t good_upper_half = good >> 4U;
+  uint8_t lower_shuffles[16U];
+  memcpy(lower_shuffles,
+         libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[(
+             size_t)good_lower_half],
+         (size_t)16U * sizeof(uint8_t));
+  __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t));
+  __m128i lower_coefficients =
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(potential_coefficients);
+  __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      lower_coefficients, lower_shuffles0);
+  libcrux_intrinsics_avx2_mm_storeu_si128_i32(
+      Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t),
+      lower_coefficients0);
+  size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half);
+  uint8_t upper_shuffles[16U];
+  memcpy(upper_shuffles,
+         libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[(
+             size_t)good_upper_half],
+         (size_t)16U * sizeof(uint8_t));
+  __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t));
+  __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256(
+      (int32_t)1, potential_coefficients, __m128i);
+  __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      upper_coefficients, upper_shuffles0);
+  libcrux_intrinsics_avx2_mm_storeu_si128_i32(
+      Eurydice_slice_subslice2(output, sampled_count,
+                               sampled_count + (size_t)4U, int32_t),
+      upper_coefficients0);
+  size_t uu____0 = sampled_count;
+  return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE size_t
+libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2(
+    Eurydice_slice randomness, Eurydice_slice out) {
+  return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample(
+      randomness, out);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_2_COEFFICIENT_MASK \
+  (((int32_t)1 << 3U) - (int32_t)1)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_2(
+    Eurydice_slice bytes) {
+  __m256i bytes_in_simd_unit = libcrux_intrinsics_avx2_mm256_set_epi32(
+      (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *)
+              << 8U |
+          (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)
+              << 8U |
+          (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *));
+  __m256i coefficients = libcrux_intrinsics_avx2_mm256_srlv_epi32(
+      bytes_in_simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32(
+                              (int32_t)5, (int32_t)2, (int32_t)7, (int32_t)4,
+                              (int32_t)1, (int32_t)6, (int32_t)3, (int32_t)0));
+  return libcrux_intrinsics_avx2_mm256_and_si256(
+      coefficients,
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_2_COEFFICIENT_MASK));
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_4_COEFFICIENT_MASK \
+  (((int32_t)1 << 4U) - (int32_t)1)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4(
+    Eurydice_slice bytes) {
+  __m256i bytes_in_simd_unit = libcrux_intrinsics_avx2_mm256_set_epi32(
+      (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
+      (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *));
+  __m256i coefficients = libcrux_intrinsics_avx2_mm256_srlv_epi32(
+      bytes_in_simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32(
+                              (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0,
+                              (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0));
+  return libcrux_intrinsics_avx2_mm256_and_si256(
+      coefficients,
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_4_COEFFICIENT_MASK));
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.avx2.encoding.error.deserialize_to_unsigned with const
+generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(
+    Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4(
+      serialized);
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with
+const generics
+- ETA= 2
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd(
+    __m256i coefficients) {
+  __m256i uu____0;
+  __m256i quotient = libcrux_intrinsics_avx2_mm256_mullo_epi32(
+      coefficients, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)26));
+  __m256i quotient0 =
+      libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)7, quotient, __m256i);
+  __m256i quotient1 = libcrux_intrinsics_avx2_mm256_mullo_epi32(
+      quotient0, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)5));
+  __m256i coefficients_mod_5 =
+      libcrux_intrinsics_avx2_mm256_sub_epi32(coefficients, quotient1);
+  uu____0 = libcrux_intrinsics_avx2_mm256_sub_epi32(
+      libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)2U),
+      coefficients_mod_5);
+  return uu____0;
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const
+generics
+- ETA= 2
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE size_t
+libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd(
+    Eurydice_slice input, Eurydice_slice output) {
+  __m256i potential_coefficients =
+      libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input);
+  int32_t interval_boundary;
+  interval_boundary = (int32_t)15;
+  __m256i compare_with_interval_boundary =
+      libcrux_intrinsics_avx2_mm256_cmpgt_epi32(
+          libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary),
+          potential_coefficients);
+  int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps(
+      libcrux_intrinsics_avx2_mm256_castsi256_ps(
+          compare_with_interval_boundary));
+  int32_t good_lower_half = good & (int32_t)15;
+  int32_t good_upper_half = good >> 4U;
+  __m256i shifted =
+      libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd(
+          potential_coefficients);
+  uint8_t lower_shuffles[16U];
+  memcpy(lower_shuffles,
+         libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[(
+             size_t)good_lower_half],
+         (size_t)16U * sizeof(uint8_t));
+  __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t));
+  __m128i lower_coefficients =
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted);
+  __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      lower_coefficients, lower_shuffles0);
+  libcrux_intrinsics_avx2_mm_storeu_si128_i32(
+      Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t),
+      lower_coefficients0);
+  size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half);
+  uint8_t upper_shuffles[16U];
+  memcpy(upper_shuffles,
+         libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[(
+             size_t)good_upper_half],
+         (size_t)16U * sizeof(uint8_t));
+  __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t));
+  __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256(
+      (int32_t)1, shifted, __m128i);
+  __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      upper_coefficients, upper_shuffles0);
+  libcrux_intrinsics_avx2_mm_storeu_si128_i32(
+      Eurydice_slice_subslice2(output, sampled_count,
+                               sampled_count + (size_t)4U, int32_t),
+      upper_coefficients0);
+  size_t uu____0 = sampled_count;
+  return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE size_t
+libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2(
+    Eurydice_slice randomness, Eurydice_slice out) {
+  return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd(
+      randomness, out);
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with
+const generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac(
+    __m256i coefficients) {
+  return libcrux_intrinsics_avx2_mm256_sub_epi32(
+      libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)4U),
+      coefficients);
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const
+generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE size_t
+libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac(
+    Eurydice_slice input, Eurydice_slice output) {
+  __m256i potential_coefficients =
+      libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input);
+  int32_t interval_boundary;
+  interval_boundary = (int32_t)9;
+  __m256i compare_with_interval_boundary =
+      libcrux_intrinsics_avx2_mm256_cmpgt_epi32(
+          libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary),
+          potential_coefficients);
+  int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps(
+      libcrux_intrinsics_avx2_mm256_castsi256_ps(
+          compare_with_interval_boundary));
+  int32_t good_lower_half = good & (int32_t)15;
+  int32_t good_upper_half = good >> 4U;
+  __m256i shifted =
+      libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac(
+          potential_coefficients);
+  uint8_t lower_shuffles[16U];
+  memcpy(lower_shuffles,
+         libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[(
+             size_t)good_lower_half],
+         (size_t)16U * sizeof(uint8_t));
+  __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t));
+  __m128i lower_coefficients =
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted);
+  __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      lower_coefficients, lower_shuffles0);
+  libcrux_intrinsics_avx2_mm_storeu_si128_i32(
+      Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t),
+      lower_coefficients0);
+  size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half);
+  uint8_t upper_shuffles[16U];
+  memcpy(upper_shuffles,
+         libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[(
+             size_t)good_upper_half],
+         (size_t)16U * sizeof(uint8_t));
+  __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t));
+  __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256(
+      (int32_t)1, shifted, __m128i);
+  __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      upper_coefficients, upper_shuffles0);
+  libcrux_intrinsics_avx2_mm_storeu_si128_i32(
+      Eurydice_slice_subslice2(output, sampled_count,
+                               sampled_count + (size_t)4U, int32_t),
+      upper_coefficients0);
+  size_t uu____0 = sampled_count;
+  return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE size_t
+libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2(
+    Eurydice_slice randomness, Eurydice_slice out) {
+  return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac(
+      randomness, out);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \
+  ((int32_t)1 << 17U)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_17(
+    __m256i simd_unit, Eurydice_slice out) {
+  uint8_t serialized[32U] = {0U};
+  __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32(
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1),
+      simd_unit);
+  __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+      simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32(
+                             (int32_t)0, (int32_t)14, (int32_t)0, (int32_t)14,
+                             (int32_t)0, (int32_t)14, (int32_t)0, (int32_t)14));
+  __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+      (int32_t)14, adjacent_2_combined, __m256i);
+  __m256i every_second_element = libcrux_intrinsics_avx2_mm256_bsrli_epi128(
+      (int32_t)8, adjacent_2_combined0, __m256i);
+  __m256i every_second_element_shifted =
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36,
+                                               every_second_element, __m256i);
+  __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_add_epi64(
+      adjacent_2_combined0, every_second_element_shifted);
+  __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_srlv_epi64(
+      adjacent_4_combined,
+      libcrux_intrinsics_avx2_mm256_set_epi64x((int64_t)28, (int64_t)0,
+                                               (int64_t)28, (int64_t)0));
+  __m128i lower_4 =
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined0);
+  libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t),
+      lower_4);
+  __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256(
+      (int32_t)1, adjacent_4_combined0, __m128i);
+  libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+      Eurydice_array_to_subslice2(serialized, (size_t)9U, (size_t)25U, uint8_t),
+      upper_4);
+  Eurydice_slice uu____0 = out;
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)18U, uint8_t),
+      uint8_t);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \
+  ((int32_t)1 << 19U)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_19(
+    __m256i simd_unit, Eurydice_slice out) {
+  uint8_t serialized[32U] = {0U};
+  __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32(
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1),
+      simd_unit);
+  __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+      simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32(
+                             (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12,
+                             (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12));
+  __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+      (int32_t)12, adjacent_2_combined, __m256i);
+  __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
+      adjacent_2_combined0,
+      libcrux_intrinsics_avx2_mm256_set_epi8(
+          (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+          (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8,
+          (int8_t)4, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1,
+          (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+          (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, (int8_t)4,
+          (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0));
+  __m128i lower_4 =
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined);
+  libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t),
+      lower_4);
+  __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256(
+      (int32_t)1, adjacent_4_combined, __m128i);
+  libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+      Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U,
+                                  uint8_t),
+      upper_4);
+  Eurydice_slice uu____0 = out;
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)20U, uint8_t),
+      uint8_t);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \
+  ((int32_t)1 << 17U)
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK \
+  ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1                  \
+    << 1U) -                                                                                             \
+   (int32_t)1)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17(
+    Eurydice_slice serialized) {
+  __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t));
+  __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_slice_subslice2(serialized, (size_t)2U, (size_t)18U, uint8_t));
+  __m256i serialized0 = libcrux_intrinsics_avx2_mm256_set_m128i(
+      serialized_upper, serialized_lower);
+  __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
+      serialized0,
+      libcrux_intrinsics_avx2_mm256_set_epi8(
+          (int8_t)-1, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)-1,
+          (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)-1, (int8_t)11,
+          (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)7,
+          (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)6,
+          (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)4, (int8_t)3, (int8_t)2,
+          (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0));
+  __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32(
+      coefficients, libcrux_intrinsics_avx2_mm256_set_epi32(
+                        (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0,
+                        (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0));
+  __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256(
+      coefficients0,
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK));
+  return libcrux_intrinsics_avx2_mm256_sub_epi32(
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1),
+      coefficients1);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \
+  ((int32_t)1 << 19U)
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_MASK \
+  ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1                  \
+    << 1U) -                                                                                             \
+   (int32_t)1)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19(
+    Eurydice_slice serialized) {
+  __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t));
+  __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_slice_subslice2(serialized, (size_t)4U, (size_t)20U, uint8_t));
+  __m256i serialized0 = libcrux_intrinsics_avx2_mm256_set_m128i(
+      serialized_upper, serialized_lower);
+  __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
+      serialized0,
+      libcrux_intrinsics_avx2_mm256_set_epi8(
+          (int8_t)-1, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)-1,
+          (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)-1, (int8_t)10, (int8_t)9,
+          (int8_t)8, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1,
+          (int8_t)9, (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)7, (int8_t)6,
+          (int8_t)5, (int8_t)-1, (int8_t)4, (int8_t)3, (int8_t)2, (int8_t)-1,
+          (int8_t)2, (int8_t)1, (int8_t)0));
+  __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32(
+      coefficients, libcrux_intrinsics_avx2_mm256_set_epi32(
+                        (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0,
+                        (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0));
+  __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256(
+      coefficients0,
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_MASK));
+  return libcrux_intrinsics_avx2_mm256_sub_epi32(
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1),
+      coefficients1);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(__m256i simd_unit,
+                                                       Eurydice_slice out) {
+  uint8_t serialized[19U] = {0U};
+  switch ((uint8_t)Eurydice_slice_len(out, uint8_t)) {
+    case 4U: {
+      __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+          simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32(
+                         (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28,
+                         (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28));
+      __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+          (int32_t)28, adjacent_2_combined, __m256i);
+      __m256i adjacent_4_combined =
+          libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32(
+              adjacent_2_combined0,
+              libcrux_intrinsics_avx2_mm256_set_epi32(
+                  (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6,
+                  (int32_t)2, (int32_t)4, (int32_t)0));
+      __m128i adjacent_4_combined0 =
+          libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined);
+      __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+          adjacent_4_combined0,
+          libcrux_intrinsics_avx2_mm_set_epi8(240U, 240U, 240U, 240U, 240U,
+                                              240U, 240U, 240U, 240U, 240U,
+                                              240U, 240U, 12U, 4U, 8U, 0U));
+      libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+          Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U,
+                                      uint8_t),
+          adjacent_4_combined1);
+      Eurydice_slice uu____0 = out;
+      Eurydice_slice_copy(uu____0,
+                          Eurydice_array_to_subslice2(serialized, (size_t)0U,
+                                                      (size_t)4U, uint8_t),
+                          uint8_t);
+      break;
+    }
+    case 6U: {
+      __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+          simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32(
+                         (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26,
+                         (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26));
+      __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+          (int32_t)26, adjacent_2_combined, __m256i);
+      __m256i adjacent_3_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
+          adjacent_2_combined0,
+          libcrux_intrinsics_avx2_mm256_set_epi8(
+              (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+              (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+              (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)1,
+              (int8_t)0, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+              (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+              (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8,
+              (int8_t)1, (int8_t)0));
+      __m256i adjacent_3_combined0 = libcrux_intrinsics_avx2_mm256_mullo_epi16(
+          adjacent_3_combined,
+          libcrux_intrinsics_avx2_mm256_set_epi16(
+              (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1,
+              (int16_t)1, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, (int16_t)1,
+              (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1,
+              (int16_t)1 << 4U));
+      __m256i adjacent_3_combined1 = libcrux_intrinsics_avx2_mm256_srlv_epi32(
+          adjacent_3_combined0,
+          libcrux_intrinsics_avx2_mm256_set_epi32(
+              (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)4, (int32_t)0,
+              (int32_t)0, (int32_t)0, (int32_t)4));
+      __m128i lower_3 =
+          libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_3_combined1);
+      libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+          Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U,
+                                      uint8_t),
+          lower_3);
+      __m128i upper_3 = libcrux_intrinsics_avx2_mm256_extracti128_si256(
+          (int32_t)1, adjacent_3_combined1, __m128i);
+      libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+          Eurydice_array_to_subslice2(serialized, (size_t)3U, (size_t)19U,
+                                      uint8_t),
+          upper_3);
+      Eurydice_slice uu____1 = out;
+      Eurydice_slice_copy(uu____1,
+                          Eurydice_array_to_subslice2(serialized, (size_t)0U,
+                                                      (size_t)6U, uint8_t),
+                          uint8_t);
+      break;
+    }
+    default: {
+      KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                        "panic!");
+      KRML_HOST_EXIT(255U);
+    }
+  }
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_commitment_serialize_a2(
+    __m256i simd_unit, Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(simd_unit, serialized);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \
+  ((int32_t)2)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_2(
+    __m256i simd_unit, Eurydice_slice out) {
+  uint8_t serialized[16U] = {0U};
+  __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32(
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA),
+      simd_unit);
+  __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+      simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32(
+                             (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29,
+                             (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29));
+  __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+      (int32_t)29, adjacent_2_combined, __m256i);
+  __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
+      adjacent_2_combined0,
+      libcrux_intrinsics_avx2_mm256_set_epi8(
+          (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+          (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+          (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, (int8_t)0,
+          (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+          (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
+          (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1,
+          (int8_t)0));
+  __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_madd_epi16(
+      adjacent_4_combined,
+      libcrux_intrinsics_avx2_mm256_set_epi16(
+          (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0,
+          (int16_t)0, (int16_t)1 << 6U, (int16_t)1, (int16_t)0, (int16_t)0,
+          (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)1 << 6U,
+          (int16_t)1));
+  __m256i adjacent_6_combined =
+      libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32(
+          adjacent_4_combined0,
+          libcrux_intrinsics_avx2_mm256_set_epi32(
+              (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0,
+              (int32_t)0, (int32_t)4, (int32_t)0));
+  __m128i adjacent_6_combined0 =
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_6_combined);
+  __m128i adjacent_6_combined1 = libcrux_intrinsics_avx2_mm_sllv_epi32(
+      adjacent_6_combined0,
+      libcrux_intrinsics_avx2_mm_set_epi32((int32_t)0, (int32_t)0, (int32_t)0,
+                                           (int32_t)20));
+  __m128i adjacent_6_combined2 = libcrux_intrinsics_avx2_mm_srli_epi64(
+      (int32_t)20, adjacent_6_combined1, __m128i);
+  libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t),
+      adjacent_6_combined2);
+  Eurydice_slice uu____0 = out;
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)3U, uint8_t),
+      uint8_t);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \
+  ((int32_t)4)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4(
+    __m256i simd_unit, Eurydice_slice out) {
+  uint8_t serialized[16U] = {0U};
+  __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32(
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA),
+      simd_unit);
+  __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+      simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32(
+                             (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28,
+                             (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28));
+  __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+      (int32_t)28, adjacent_2_combined, __m256i);
+  __m256i adjacent_4_combined =
+      libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32(
+          adjacent_2_combined0,
+          libcrux_intrinsics_avx2_mm256_set_epi32(
+              (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6,
+              (int32_t)2, (int32_t)4, (int32_t)0));
+  __m128i adjacent_4_combined0 =
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined);
+  __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      adjacent_4_combined0, libcrux_intrinsics_avx2_mm_set_epi8(
+                                240U, 240U, 240U, 240U, 240U, 240U, 240U, 240U,
+                                240U, 240U, 240U, 240U, 12U, 4U, 8U, 0U));
+  libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t),
+      adjacent_4_combined1);
+  Eurydice_slice uu____0 = out;
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)4U, uint8_t),
+      uint8_t);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(__m256i simd_unit) {
+  __m256i interval_end = libcrux_intrinsics_avx2_mm256_set1_epi32(
+      (int32_t)1
+      << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T -
+                    (size_t)1U));
+  return libcrux_intrinsics_avx2_mm256_sub_epi32(interval_end, simd_unit);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t0_serialize(
+    __m256i simd_unit, uint8_t ret[13U]) {
+  uint8_t serialized[16U] = {0U};
+  __m256i simd_unit0 =
+      libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(simd_unit);
+  __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+      simd_unit0, libcrux_intrinsics_avx2_mm256_set_epi32(
+                      (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19,
+                      (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19));
+  __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+      (int32_t)19, adjacent_2_combined, __m256i);
+  __m256i adjacent_4_combined =
+      libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32(
+          adjacent_2_combined0,
+          libcrux_intrinsics_avx2_mm256_set_epi32(
+              (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6,
+              (int32_t)4, (int32_t)2, (int32_t)0));
+  __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+      adjacent_4_combined, libcrux_intrinsics_avx2_mm256_set_epi32(
+                               (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6,
+                               (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6));
+  __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+      (int32_t)6, adjacent_4_combined0, __m256i);
+  __m256i second_4_combined = libcrux_intrinsics_avx2_mm256_bsrli_epi128(
+      (int32_t)8, adjacent_4_combined1, __m256i);
+  __m256i least_12_bits_shifted_up = libcrux_intrinsics_avx2_mm256_slli_epi64(
+      (int32_t)52, second_4_combined, __m256i);
+  __m256i bits_sequential = libcrux_intrinsics_avx2_mm256_add_epi64(
+      adjacent_4_combined1, least_12_bits_shifted_up);
+  __m256i bits_sequential0 = libcrux_intrinsics_avx2_mm256_srlv_epi64(
+      bits_sequential, libcrux_intrinsics_avx2_mm256_set_epi64x(
+                           (int64_t)0, (int64_t)0, (int64_t)12, (int64_t)0));
+  __m128i bits_sequential1 =
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(bits_sequential0);
+  libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+      Eurydice_array_to_slice((size_t)16U, serialized, uint8_t),
+      bits_sequential1);
+  uint8_t ret0[13U];
+  Result_b0 dst;
+  Eurydice_slice_to_array2(
+      &dst,
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)13U, uint8_t),
+      Eurydice_slice, uint8_t[13U]);
+  unwrap_26_23(dst, ret0);
+  memcpy(ret, ret0, (size_t)13U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t0_serialize_a2(
+    __m256i simd_unit, uint8_t ret[13U]) {
+  libcrux_ml_dsa_simd_avx2_encoding_t0_serialize(simd_unit, ret);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK \
+  (((int32_t)1 << 13U) - (int32_t)1)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize(Eurydice_slice serialized) {
+  uint8_t serialized_extended[16U] = {0U};
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(serialized_extended, (size_t)0U, (size_t)13U,
+                                  uint8_t),
+      serialized, uint8_t);
+  __m128i serialized0 = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_array_to_slice((size_t)16U, serialized_extended, uint8_t));
+  __m256i serialized1 =
+      libcrux_intrinsics_avx2_mm256_set_m128i(serialized0, serialized0);
+  __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
+      serialized1,
+      libcrux_intrinsics_avx2_mm256_set_epi8(
+          (int8_t)-1, (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)-1,
+          (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)-1, (int8_t)9,
+          (int8_t)8, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1,
+          (int8_t)6, (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)-1, (int8_t)4,
+          (int8_t)3, (int8_t)-1, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)-1,
+          (int8_t)-1, (int8_t)1, (int8_t)0));
+  __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32(
+      coefficients, libcrux_intrinsics_avx2_mm256_set_epi32(
+                        (int32_t)3, (int32_t)6, (int32_t)1, (int32_t)4,
+                        (int32_t)7, (int32_t)2, (int32_t)5, (int32_t)0));
+  __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256(
+      coefficients0,
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK));
+  return libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(coefficients1);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_t0_deserialize_a2(Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize(serialized);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t1_serialize(
+    __m256i simd_unit, uint8_t ret[10U]) {
+  uint8_t serialized[24U] = {0U};
+  __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+      simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32(
+                     (int32_t)0, (int32_t)22, (int32_t)0, (int32_t)22,
+                     (int32_t)0, (int32_t)22, (int32_t)0, (int32_t)22));
+  __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+      (int32_t)22, adjacent_2_combined, __m256i);
+  __m256i adjacent_4_combined =
+      libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32(
+          adjacent_2_combined0,
+          libcrux_intrinsics_avx2_mm256_set_epi32(
+              (int32_t)0, (int32_t)0, (int32_t)6, (int32_t)4, (int32_t)0,
+              (int32_t)0, (int32_t)2, (int32_t)0));
+  __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32(
+      adjacent_4_combined,
+      libcrux_intrinsics_avx2_mm256_set_epi32(
+          (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12, (int32_t)0,
+          (int32_t)12, (int32_t)0, (int32_t)12));
+  __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64(
+      (int32_t)12, adjacent_4_combined0, __m256i);
+  __m128i lower_4 =
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined1);
+  libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t),
+      lower_4);
+  __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256(
+      (int32_t)1, adjacent_4_combined1, __m128i);
+  libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
+      Eurydice_array_to_subslice2(serialized, (size_t)5U, (size_t)21U, uint8_t),
+      upper_4);
+  uint8_t ret0[10U];
+  Result_9d dst;
+  Eurydice_slice_to_array2(
+      &dst,
+      Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)10U, uint8_t),
+      Eurydice_slice, uint8_t[10U]);
+  unwrap_26_ce(dst, ret0);
+  memcpy(ret, ret0, (size_t)10U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t1_serialize_a2(
+    __m256i simd_unit, uint8_t ret[10U]) {
+  libcrux_ml_dsa_simd_avx2_encoding_t1_serialize(simd_unit, ret);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK \
+  (((int32_t)1 << 10U) - (int32_t)1)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize(Eurydice_slice bytes) {
+  uint8_t bytes_extended[16U] = {0U};
+  Eurydice_slice_copy(Eurydice_array_to_subslice2(bytes_extended, (size_t)0U,
+                                                  (size_t)10U, uint8_t),
+                      bytes, uint8_t);
+  __m128i bytes_loaded = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_array_to_slice((size_t)16U, bytes_extended, uint8_t));
+  __m256i bytes_loaded0 =
+      libcrux_intrinsics_avx2_mm256_set_m128i(bytes_loaded, bytes_loaded);
+  __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
+      bytes_loaded0,
+      libcrux_intrinsics_avx2_mm256_set_epi8(
+          (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)-1, (int8_t)-1,
+          (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)-1, (int8_t)7, (int8_t)6,
+          (int8_t)-1, (int8_t)-1, (int8_t)6, (int8_t)5, (int8_t)-1, (int8_t)-1,
+          (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)-1, (int8_t)3, (int8_t)2,
+          (int8_t)-1, (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)-1, (int8_t)-1,
+          (int8_t)1, (int8_t)0));
+  __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32(
+      coefficients, libcrux_intrinsics_avx2_mm256_set_epi32(
+                        (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0,
+                        (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0));
+  return libcrux_intrinsics_avx2_mm256_and_si256(
+      coefficients0,
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_t1_deserialize_a2(Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize(serialized);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7 \
+  ((size_t)2U * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT)
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+    __m256i *re, size_t index, __m256i zeta, size_t step_by,
+    __m256i field_modulus, __m256i inverse_of_modulus_mod_montgomery_r) {
+  __m256i prod02 =
+      libcrux_intrinsics_avx2_mm256_mul_epi32(re[index + step_by], zeta);
+  __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32(
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245,
+                                                  re[index + step_by], __m256i),
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, zeta, __m256i));
+  __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32(
+      prod02, inverse_of_modulus_mod_montgomery_r);
+  __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32(
+      prod13, inverse_of_modulus_mod_montgomery_r);
+  __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus);
+  __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus);
+  __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02);
+  __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13);
+  __m256i res02_shifted =
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i);
+  __m256i t = libcrux_intrinsics_avx2_mm256_blend_epi32(
+      (int32_t)170, res02_shifted, res13, __m256i);
+  re[index + step_by] =
+      libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[index], t);
+  re[index] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[index], t);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6 \
+  (((size_t)1U << 6U) / LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT)
+
+/**
+ This is equivalent to the pqclean 0 and 1
+
+ This does 32 Montgomery multiplications (192 multiplications).
+ This is the same as in pqclean. The only difference is locality of registers.
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6(
+    __m256i *re) {
+  __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32(
+      LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS);
+  __m256i inverse_of_modulus_mod_montgomery_r =
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          (int32_t)
+              LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R);
+  __m256i zeta7 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)25847);
+  __m256i zeta60 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-2608894);
+  __m256i zeta61 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-518909);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)0U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)0U + (size_t)1U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)0U + (size_t)2U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)0U + (size_t)3U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)8U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)8U + (size_t)1U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)8U + (size_t)2U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)8U + (size_t)3U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)0U, zeta60,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)0U + (size_t)1U, zeta60,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)0U + (size_t)2U, zeta60,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)0U + (size_t)3U, zeta60,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)16U, zeta61,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)16U + (size_t)1U, zeta61,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)16U + (size_t)2U, zeta61,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)16U + (size_t)3U, zeta61,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)4U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)4U + (size_t)1U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)4U + (size_t)2U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)4U + (size_t)3U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)12U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)12U + (size_t)1U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)12U + (size_t)2U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)12U + (size_t)3U, zeta7,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)4U, zeta60,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)4U + (size_t)1U, zeta60,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)4U + (size_t)2U, zeta60,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)4U + (size_t)3U, zeta60,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)20U, zeta61,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)20U + (size_t)1U, zeta61,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)20U + (size_t)2U, zeta61,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul(
+      re, (size_t)20U + (size_t)3U, zeta61,
+      LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6,
+      field_modulus, inverse_of_modulus_mod_montgomery_r);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round
+with const generics
+- STEP= 32
+- STEP_BY= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(__m256i *re,
+                                                          size_t index,
+                                                          int32_t zeta) {
+  __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta);
+  size_t offset = index * (size_t)32U * (size_t)2U /
+                  LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT;
+  for (size_t i = offset; i < offset + (size_t)4U; i++) {
+    size_t j = i;
+    __m256i t = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(
+        re[j + (size_t)4U], rhs);
+    re[j + (size_t)4U] = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j], t);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round
+with const generics
+- STEP= 16
+- STEP_BY= 2
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(__m256i *re,
+                                                          size_t index,
+                                                          int32_t zeta) {
+  __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta);
+  size_t offset = index * (size_t)16U * (size_t)2U /
+                  LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT;
+  for (size_t i = offset; i < offset + (size_t)2U; i++) {
+    size_t j = i;
+    __m256i t = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(
+        re[j + (size_t)2U], rhs);
+    re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j], t);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round
+with const generics
+- STEP= 8
+- STEP_BY= 1
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(__m256i *re,
+                                                          size_t index,
+                                                          int32_t zeta) {
+  __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta);
+  size_t offset = index * (size_t)8U * (size_t)2U /
+                  LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT;
+  for (size_t i = offset; i < offset + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i t = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(
+        re[j + (size_t)1U], rhs);
+    re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j], t);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], t);
+  }
+}
+
+/**
+ Layer 5, 4, 3
+
+ Each layer does 16 Montgomery multiplications -> 3*16 = 48 total
+ pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time
+ (48)
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3(
+    __m256i *re) {
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)0U,
+                                                            (int32_t)237124);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)1U,
+                                                            (int32_t)-777960);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)2U,
+                                                            (int32_t)-876248);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)3U,
+                                                            (int32_t)466468);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)0U,
+                                                            (int32_t)1826347);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)1U,
+                                                            (int32_t)2353451);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)2U,
+                                                            (int32_t)-359251);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)3U,
+                                                            (int32_t)-2091905);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)4U,
+                                                            (int32_t)3119733);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)5U,
+                                                            (int32_t)-2884855);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)6U,
+                                                            (int32_t)3111497);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)7U,
+                                                            (int32_t)2680103);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)0U,
+                                                            (int32_t)2725464);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)1U,
+                                                            (int32_t)1024112);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)2U,
+                                                            (int32_t)-1079900);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)3U,
+                                                            (int32_t)3585928);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)4U,
+                                                            (int32_t)-549488);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)5U,
+                                                            (int32_t)-1119584);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)6U,
+                                                            (int32_t)2619752);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)7U,
+                                                            (int32_t)-2108549);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)8U,
+                                                            (int32_t)-2118186);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)9U,
+                                                            (int32_t)-3859737);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)10U,
+                                                            (int32_t)-1399561);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)11U,
+                                                            (int32_t)-3277672);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)12U,
+                                                            (int32_t)1757237);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)13U,
+                                                            (int32_t)-19422);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)14U,
+                                                            (int32_t)4010497);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)15U,
+                                                            (int32_t)280005);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE core_core_arch_x86___m256i_x2
+libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(__m256i a, __m256i b, int32_t zeta0,
+                                         int32_t zeta1) {
+  __m256i summands = libcrux_intrinsics_avx2_mm256_set_m128i(
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(b),
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(a));
+  __m256i zeta_multiplicands = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+      (int32_t)19, b, a, __m256i);
+  __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32(
+      zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0);
+  __m256i zeta_products =
+      libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(
+          zeta_multiplicands, zetas);
+  __m256i add_terms =
+      libcrux_ml_dsa_simd_avx2_arithmetic_add(summands, zeta_products);
+  __m256i sub_terms =
+      libcrux_ml_dsa_simd_avx2_arithmetic_subtract(summands, zeta_products);
+  __m256i a_out = libcrux_intrinsics_avx2_mm256_set_m128i(
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(sub_terms),
+      libcrux_intrinsics_avx2_mm256_castsi256_si128(add_terms));
+  __m256i b_out = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+      (int32_t)19, sub_terms, add_terms, __m256i);
+  return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out});
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+    __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1) {
+  core_core_arch_x86___m256i_x2 uu____0 =
+      libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(
+          re[index], re[index + (size_t)1U], zeta_0, zeta_1);
+  __m256i a = uu____0.fst;
+  __m256i b = uu____0.snd;
+  re[index] = a;
+  re[index + (size_t)1U] = b;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(__m256i *re) {
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)0U, (int32_t)2706023, (int32_t)95776);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)2U, (int32_t)3077325, (int32_t)3530437);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)4U, (int32_t)-1661693, (int32_t)-3592148);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)6U, (int32_t)-2537516, (int32_t)3915439);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)8U, (int32_t)-3861115, (int32_t)-3043716);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)10U, (int32_t)3574422, (int32_t)-2867647);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)12U, (int32_t)3539968, (int32_t)-300467);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)14U, (int32_t)2348700, (int32_t)-539299);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)16U, (int32_t)-1699267, (int32_t)-1643818);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)18U, (int32_t)3505694, (int32_t)-3821735);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)20U, (int32_t)3507263, (int32_t)-2140649);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)22U, (int32_t)-1600420, (int32_t)3699596);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)24U, (int32_t)811944, (int32_t)531354);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)26U, (int32_t)954230, (int32_t)3881043);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)28U, (int32_t)3900724, (int32_t)-2556880);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round(
+      re, (size_t)30U, (int32_t)2071892, (int32_t)-2797779);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE core_core_arch_x86___m256i_x2
+libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(__m256i a, __m256i b, int32_t zeta_a0,
+                                         int32_t zeta_a1, int32_t zeta_b0,
+                                         int32_t zeta_b1) {
+  __m256i summands = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a, b);
+  __m256i zeta_multiplicands =
+      libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a, b);
+  __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32(
+      zeta_b1, zeta_b1, zeta_a1, zeta_a1, zeta_b0, zeta_b0, zeta_a0, zeta_a0);
+  __m256i zeta_products =
+      libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(
+          zeta_multiplicands, zetas);
+  __m256i add_terms =
+      libcrux_ml_dsa_simd_avx2_arithmetic_add(summands, zeta_products);
+  __m256i sub_terms =
+      libcrux_ml_dsa_simd_avx2_arithmetic_subtract(summands, zeta_products);
+  __m256i a_out =
+      libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms);
+  __m256i b_out =
+      libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms);
+  return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out});
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+    __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2,
+    int32_t zeta_3) {
+  core_core_arch_x86___m256i_x2 uu____0 =
+      libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(
+          re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3);
+  __m256i a = uu____0.fst;
+  __m256i b = uu____0.snd;
+  re[index] = a;
+  re[index + (size_t)1U] = b;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(__m256i *re) {
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703, (int32_t)-3677745,
+      (int32_t)-3041255);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950, (int32_t)2176455,
+      (int32_t)-1585221);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314, (int32_t)-4083598,
+      (int32_t)-1000202);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330, (int32_t)-3632928,
+      (int32_t)126922);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)8U, (int32_t)3412210, (int32_t)-983419, (int32_t)2147896,
+      (int32_t)2715295);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493, (int32_t)-411027,
+      (int32_t)-2477047);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525, (int32_t)-22981,
+      (int32_t)-1308169);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)14U, (int32_t)-381987, (int32_t)1349076, (int32_t)1852771,
+      (int32_t)-1430430);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)16U, (int32_t)-3343383, (int32_t)264944, (int32_t)508951,
+      (int32_t)3097992);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)18U, (int32_t)44288, (int32_t)-1100098, (int32_t)904516,
+      (int32_t)3958618);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578, (int32_t)1653064,
+      (int32_t)-3249728);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)22U, (int32_t)2389356, (int32_t)-210977, (int32_t)759969,
+      (int32_t)-1316856);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)24U, (int32_t)189548, (int32_t)-3553272, (int32_t)3159746,
+      (int32_t)-1851402);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440, (int32_t)1315589,
+      (int32_t)1341330);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928, (int32_t)-812732,
+      (int32_t)-1439742);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round(
+      re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060, (int32_t)-3628969,
+      (int32_t)3839961);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE core_core_arch_x86___m256i_x2
+libcrux_ml_dsa_simd_avx2_ntt_butterfly_2(__m256i a, __m256i b, int32_t zeta_a0,
+                                         int32_t zeta_a1, int32_t zeta_a2,
+                                         int32_t zeta_a3, int32_t zeta_b0,
+                                         int32_t zeta_b1, int32_t zeta_b2,
+                                         int32_t zeta_b3) {
+  __m256i a_shuffled =
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, a, __m256i);
+  __m256i b_shuffled =
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, b, __m256i);
+  __m256i summands =
+      libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled, b_shuffled);
+  __m256i zeta_multiplicands =
+      libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled, b_shuffled);
+  __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32(
+      zeta_b3, zeta_b2, zeta_a3, zeta_a2, zeta_b1, zeta_b0, zeta_a1, zeta_a0);
+  __m256i zeta_products =
+      libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(
+          zeta_multiplicands, zetas);
+  __m256i add_terms =
+      libcrux_ml_dsa_simd_avx2_arithmetic_add(summands, zeta_products);
+  __m256i sub_terms =
+      libcrux_ml_dsa_simd_avx2_arithmetic_subtract(summands, zeta_products);
+  __m256i a_terms_shuffled =
+      libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms);
+  __m256i b_terms_shuffled =
+      libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms);
+  __m256i a_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32(
+      (int32_t)216, a_terms_shuffled, __m256i);
+  __m256i b_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32(
+      (int32_t)216, b_terms_shuffled, __m256i);
+  return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out});
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+    __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2,
+    int32_t zeta_3, int32_t zeta_4, int32_t zeta_5, int32_t zeta_6,
+    int32_t zeta_7) {
+  core_core_arch_x86___m256i_x2 uu____0 =
+      libcrux_ml_dsa_simd_avx2_ntt_butterfly_2(
+          re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3,
+          zeta_4, zeta_5, zeta_6, zeta_7);
+  __m256i a = uu____0.fst;
+  __m256i b = uu____0.snd;
+  re[index] = a;
+  re[index + (size_t)1U] = b;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(__m256i *re) {
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500,
+      (int32_t)3817976, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433,
+      (int32_t)-3562462);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728,
+      (int32_t)3513181, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226,
+      (int32_t)-3193378);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542,
+      (int32_t)819034, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260,
+      (int32_t)-522500);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748,
+      (int32_t)3207046, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622,
+      (int32_t)-3595838);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823,
+      (int32_t)4108315, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879,
+      (int32_t)203044);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150,
+      (int32_t)1265009, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353,
+      (int32_t)1595974);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921,
+      (int32_t)-3548272, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435,
+      (int32_t)-1050970);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210,
+      (int32_t)-1430225, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115,
+      (int32_t)-1962642);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312,
+      (int32_t)-1374803, (int32_t)1500165, (int32_t)777191, (int32_t)2235880,
+      (int32_t)3406031);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176,
+      (int32_t)-1846953, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136,
+      (int32_t)-3776993);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455,
+      (int32_t)-164721, (int32_t)1957272, (int32_t)3369112, (int32_t)185531,
+      (int32_t)-1207385);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392,
+      (int32_t)3014001, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233,
+      (int32_t)-1799107);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901,
+      (int32_t)269760, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735,
+      (int32_t)472078);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090,
+      (int32_t)1910376, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646,
+      (int32_t)-3833893);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899,
+      (int32_t)-2286327, (int32_t)183443, (int32_t)-976891, (int32_t)1612842,
+      (int32_t)-3545687);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round(
+      re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306,
+      (int32_t)-1362209, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154,
+      (int32_t)1976782);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt(__m256i re[32U],
+                                                             __m256i ret[32U]) {
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6(re);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3(re);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(re);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(re);
+  libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(re);
+  memcpy(ret, re, (size_t)32U * sizeof(__m256i));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline __m256i libcrux_ml_dsa_simd_avx2_ntt_closure_a2(__m256i **state,
+                                                              size_t i) {
+  KRML_HOST_EPRINTF(
+      "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+      "Eurydice error: Failure(\"unexpected / ill-typed projection\")\n");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_a2(
+    __m256i simd_units[32U], __m256i ret[32U]) {
+  __m256i re[32U];
+  for (size_t i = (size_t)0U; i < (size_t)32U; i++) {
+    re[i] = libcrux_intrinsics_avx2_mm256_setzero_si256();
+  }
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    re[i0] = simd_units[i0];
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  __m256i copy_of_re[32U];
+  memcpy(copy_of_re, re, (size_t)32U * sizeof(__m256i));
+  __m256i result[32U];
+  libcrux_ml_dsa_simd_avx2_ntt_ntt(copy_of_re, result);
+  __m256i ret0[32U];
+  for (size_t i = (size_t)0U; i < (size_t)32U; i++) {
+    ret0[i] = KRML_EABORT(
+        __m256i,
+        "Eurydice error: Failure(\"unexpected / ill-typed projection\")\n");
+  }
+  memcpy(ret, ret0, (size_t)32U * sizeof(__m256i));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE core_core_arch_x86___m256i_x2
+libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0(
+    __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01,
+    int32_t zeta02, int32_t zeta03, int32_t zeta10, int32_t zeta11,
+    int32_t zeta12, int32_t zeta13) {
+  __m256i a_shuffled0 = libcrux_intrinsics_avx2_mm256_shuffle_epi32(
+      (int32_t)216, simd_unit0, __m256i);
+  __m256i b_shuffled0 = libcrux_intrinsics_avx2_mm256_shuffle_epi32(
+      (int32_t)216, simd_unit1, __m256i);
+  __m256i lo_values =
+      libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled0, b_shuffled0);
+  __m256i hi_values =
+      libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled0, b_shuffled0);
+  __m256i sums = libcrux_ml_dsa_simd_avx2_arithmetic_add(lo_values, hi_values);
+  __m256i differences =
+      libcrux_ml_dsa_simd_avx2_arithmetic_subtract(hi_values, lo_values);
+  __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32(
+      zeta13, zeta12, zeta03, zeta02, zeta11, zeta10, zeta01, zeta00);
+  __m256i products = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(
+      differences, zetas);
+  __m256i a_shuffled =
+      libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, products);
+  __m256i b_shuffled =
+      libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, products);
+  __m256i a = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216,
+                                                          a_shuffled, __m256i);
+  __m256i b = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216,
+                                                          b_shuffled, __m256i);
+  return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b});
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+    __m256i *re, size_t index, int32_t zeta00, int32_t zeta01, int32_t zeta02,
+    int32_t zeta03, int32_t zeta10, int32_t zeta11, int32_t zeta12,
+    int32_t zeta13) {
+  core_core_arch_x86___m256i_x2 uu____0 =
+      libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0(
+          re[index], re[index + (size_t)1U], zeta00, zeta01, zeta02, zeta03,
+          zeta10, zeta11, zeta12, zeta13);
+  __m256i lhs0 = uu____0.fst;
+  __m256i lhs = uu____0.snd;
+  re[index] = lhs0;
+  re[index + (size_t)1U] = lhs;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0(
+    __m256i *re) {
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)0U, (int32_t)1976782, (int32_t)-846154, (int32_t)1400424,
+      (int32_t)3937738, (int32_t)-1362209, (int32_t)-48306, (int32_t)3919660,
+      (int32_t)-554416);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)2U, (int32_t)-3545687, (int32_t)1612842, (int32_t)-976891,
+      (int32_t)183443, (int32_t)-2286327, (int32_t)-420899, (int32_t)-2235985,
+      (int32_t)-2939036);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)4U, (int32_t)-3833893, (int32_t)-260646, (int32_t)-1104333,
+      (int32_t)-1667432, (int32_t)1910376, (int32_t)-1803090, (int32_t)1723600,
+      (int32_t)-426683);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)6U, (int32_t)472078, (int32_t)1717735, (int32_t)-975884,
+      (int32_t)2213111, (int32_t)269760, (int32_t)3866901, (int32_t)3523897,
+      (int32_t)-3038916);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)8U, (int32_t)-1799107, (int32_t)-3694233, (int32_t)1652634,
+      (int32_t)810149, (int32_t)3014001, (int32_t)1616392, (int32_t)162844,
+      (int32_t)-3183426);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)10U, (int32_t)-1207385, (int32_t)185531, (int32_t)3369112,
+      (int32_t)1957272, (int32_t)-164721, (int32_t)2454455, (int32_t)2432395,
+      (int32_t)-2013608);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)12U, (int32_t)-3776993, (int32_t)594136, (int32_t)-3724270,
+      (int32_t)-2584293, (int32_t)-1846953, (int32_t)-1671176,
+      (int32_t)-2831860, (int32_t)-542412);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)14U, (int32_t)3406031, (int32_t)2235880, (int32_t)777191,
+      (int32_t)1500165, (int32_t)-1374803, (int32_t)-2546312, (int32_t)1917081,
+      (int32_t)-1279661);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)16U, (int32_t)-1962642, (int32_t)3306115, (int32_t)1312455,
+      (int32_t)-451100, (int32_t)-1430225, (int32_t)-3318210, (int32_t)1237275,
+      (int32_t)-1333058);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)18U, (int32_t)-1050970, (int32_t)1903435, (int32_t)1869119,
+      (int32_t)-2994039, (int32_t)-3548272, (int32_t)2635921, (int32_t)1250494,
+      (int32_t)-3767016);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)20U, (int32_t)1595974, (int32_t)2486353, (int32_t)1247620,
+      (int32_t)4055324, (int32_t)1265009, (int32_t)-2590150, (int32_t)2691481,
+      (int32_t)2842341);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)22U, (int32_t)203044, (int32_t)1735879, (int32_t)-3342277,
+      (int32_t)3437287, (int32_t)4108315, (int32_t)-2437823, (int32_t)286988,
+      (int32_t)342297);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)24U, (int32_t)-3595838, (int32_t)-768622, (int32_t)-525098,
+      (int32_t)-3556995, (int32_t)3207046, (int32_t)2031748, (int32_t)-3122442,
+      (int32_t)-655327);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)26U, (int32_t)-522500, (int32_t)-43260, (int32_t)-1613174,
+      (int32_t)495491, (int32_t)819034, (int32_t)909542, (int32_t)1859098,
+      (int32_t)900702);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)28U, (int32_t)-3193378, (int32_t)-1197226, (int32_t)-3759364,
+      (int32_t)-3520352, (int32_t)3513181, (int32_t)-1235728, (int32_t)2434439,
+      (int32_t)266997);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)30U, (int32_t)-3562462, (int32_t)-2446433, (int32_t)2244091,
+      (int32_t)-3342478, (int32_t)3817976, (int32_t)2316500, (int32_t)3407706,
+      (int32_t)2091667);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE core_core_arch_x86___m256i_x2
+libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1(
+    __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01,
+    int32_t zeta10, int32_t zeta11) {
+  __m256i lo_values =
+      libcrux_intrinsics_avx2_mm256_unpacklo_epi64(simd_unit0, simd_unit1);
+  __m256i hi_values =
+      libcrux_intrinsics_avx2_mm256_unpackhi_epi64(simd_unit0, simd_unit1);
+  __m256i sums = libcrux_ml_dsa_simd_avx2_arithmetic_add(lo_values, hi_values);
+  __m256i differences =
+      libcrux_ml_dsa_simd_avx2_arithmetic_subtract(hi_values, lo_values);
+  __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32(
+      zeta11, zeta11, zeta01, zeta01, zeta10, zeta10, zeta00, zeta00);
+  __m256i products = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(
+      differences, zetas);
+  __m256i a = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, products);
+  __m256i b = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, products);
+  return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b});
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+    __m256i *re, size_t index, int32_t zeta_00, int32_t zeta_01,
+    int32_t zeta_10, int32_t zeta_11) {
+  core_core_arch_x86___m256i_x2 uu____0 =
+      libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1(
+          re[index], re[index + (size_t)1U], zeta_00, zeta_01, zeta_10,
+          zeta_11);
+  __m256i lhs0 = uu____0.fst;
+  __m256i lhs = uu____0.snd;
+  re[index] = lhs0;
+  re[index + (size_t)1U] = lhs;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1(
+    __m256i *re) {
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)0U, (int32_t)3839961, (int32_t)-3628969, (int32_t)-3881060,
+      (int32_t)-3019102);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)2U, (int32_t)-1439742, (int32_t)-812732, (int32_t)-1584928,
+      (int32_t)1285669);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)4U, (int32_t)1341330, (int32_t)1315589, (int32_t)-177440,
+      (int32_t)-2409325);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)6U, (int32_t)-1851402, (int32_t)3159746, (int32_t)-3553272,
+      (int32_t)189548);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)8U, (int32_t)-1316856, (int32_t)759969, (int32_t)-210977,
+      (int32_t)2389356);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)10U, (int32_t)-3249728, (int32_t)1653064, (int32_t)-8578,
+      (int32_t)-3724342);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)12U, (int32_t)3958618, (int32_t)904516, (int32_t)-1100098,
+      (int32_t)44288);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)14U, (int32_t)3097992, (int32_t)508951, (int32_t)264944,
+      (int32_t)-3343383);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)16U, (int32_t)-1430430, (int32_t)1852771, (int32_t)1349076,
+      (int32_t)-381987);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)18U, (int32_t)-1308169, (int32_t)-22981, (int32_t)-1228525,
+      (int32_t)-671102);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)20U, (int32_t)-2477047, (int32_t)-411027, (int32_t)-3693493,
+      (int32_t)-2967645);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)22U, (int32_t)2715295, (int32_t)2147896, (int32_t)-983419,
+      (int32_t)3412210);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)24U, (int32_t)126922, (int32_t)-3632928, (int32_t)-3157330,
+      (int32_t)-3190144);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)26U, (int32_t)-1000202, (int32_t)-4083598, (int32_t)1939314,
+      (int32_t)-1257611);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)28U, (int32_t)-1585221, (int32_t)2176455, (int32_t)3475950,
+      (int32_t)-1452451);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)30U, (int32_t)-3041255, (int32_t)-3677745, (int32_t)-1528703,
+      (int32_t)-3930395);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE core_core_arch_x86___m256i_x2
+libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2(
+    __m256i simd_unit0, __m256i simd_unit1, int32_t zeta0, int32_t zeta1) {
+  __m256i lo_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+      (int32_t)32, simd_unit0, simd_unit1, __m256i);
+  __m256i hi_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+      (int32_t)49, simd_unit0, simd_unit1, __m256i);
+  __m256i sums = libcrux_ml_dsa_simd_avx2_arithmetic_add(lo_values, hi_values);
+  __m256i differences =
+      libcrux_ml_dsa_simd_avx2_arithmetic_subtract(hi_values, lo_values);
+  __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32(
+      zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0);
+  __m256i products = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(
+      differences, zetas);
+  __m256i a = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+      (int32_t)32, sums, products, __m256i);
+  __m256i b = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+      (int32_t)49, sums, products, __m256i);
+  return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b});
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(__m256i *re,
+                                                            size_t index,
+                                                            int32_t zeta1,
+                                                            int32_t zeta2) {
+  core_core_arch_x86___m256i_x2 uu____0 =
+      libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2(
+          re[index], re[index + (size_t)1U], zeta1, zeta2);
+  __m256i lhs0 = uu____0.fst;
+  __m256i lhs = uu____0.snd;
+  re[index] = lhs0;
+  re[index + (size_t)1U] = lhs;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2(
+    __m256i *re) {
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)0U, (int32_t)-2797779, (int32_t)2071892);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)2U, (int32_t)-2556880, (int32_t)3900724);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)4U, (int32_t)3881043, (int32_t)954230);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)6U, (int32_t)531354, (int32_t)811944);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)8U, (int32_t)3699596, (int32_t)-1600420);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)10U, (int32_t)-2140649, (int32_t)3507263);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)12U, (int32_t)-3821735, (int32_t)3505694);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)14U, (int32_t)-1643818, (int32_t)-1699267);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)16U, (int32_t)-539299, (int32_t)2348700);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)18U, (int32_t)-300467, (int32_t)3539968);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)20U, (int32_t)-2867647, (int32_t)3574422);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)22U, (int32_t)-3043716, (int32_t)-3861115);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)24U, (int32_t)3915439, (int32_t)-2537516);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)26U, (int32_t)-3592148, (int32_t)-1661693);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)28U, (int32_t)3530437, (int32_t)3077325);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)30U, (int32_t)95776, (int32_t)2706023);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+    __m256i lhs, int32_t constant) {
+  __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(constant);
+  __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32(
+      LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS);
+  __m256i inverse_of_modulus_mod_montgomery_r =
+      libcrux_intrinsics_avx2_mm256_set1_epi32(
+          (int32_t)
+              LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R);
+  __m256i prod02 = libcrux_intrinsics_avx2_mm256_mul_epi32(lhs, rhs);
+  __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32(
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, lhs, __m256i),
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, rhs, __m256i));
+  __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32(
+      prod02, inverse_of_modulus_mod_montgomery_r);
+  __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32(
+      prod13, inverse_of_modulus_mod_montgomery_r);
+  __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus);
+  __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus);
+  __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02);
+  __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13);
+  __m256i res02_shifted =
+      libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i);
+  return libcrux_intrinsics_avx2_mm256_blend_epi32((int32_t)170, res02_shifted,
+                                                   res13, __m256i);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 1
+- ZETA= 280005
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_99(
+    __m256i *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)280005);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 2
+- STEP_BY= 1
+- ZETA= 4010497
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1c(
+    __m256i *re) {
+  for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)4010497);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 4
+- STEP_BY= 1
+- ZETA= -19422
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b(
+    __m256i *re) {
+  for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-19422);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 6
+- STEP_BY= 1
+- ZETA= 1757237
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_44(
+    __m256i *re) {
+  for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)1757237);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 8
+- STEP_BY= 1
+- ZETA= -3277672
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a8(
+    __m256i *re) {
+  for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-3277672);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 10
+- STEP_BY= 1
+- ZETA= -1399561
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1f(
+    __m256i *re) {
+  for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-1399561);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 12
+- STEP_BY= 1
+- ZETA= -3859737
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_95(
+    __m256i *re) {
+  for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-3859737);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 14
+- STEP_BY= 1
+- ZETA= -2118186
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b(
+    __m256i *re) {
+  for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2118186);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 1
+- ZETA= -2108549
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a(
+    __m256i *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2108549);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 18
+- STEP_BY= 1
+- ZETA= 2619752
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_e4(
+    __m256i *re) {
+  for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)2619752);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 20
+- STEP_BY= 1
+- ZETA= -1119584
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de(
+    __m256i *re) {
+  for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-1119584);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 22
+- STEP_BY= 1
+- ZETA= -549488
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_05(
+    __m256i *re) {
+  for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-549488);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 24
+- STEP_BY= 1
+- ZETA= 3585928
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d9(
+    __m256i *re) {
+  for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)3585928);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 26
+- STEP_BY= 1
+- ZETA= -1079900
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3a(
+    __m256i *re) {
+  for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-1079900);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 28
+- STEP_BY= 1
+- ZETA= 1024112
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b0(
+    __m256i *re) {
+  for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)1024112);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 30
+- STEP_BY= 1
+- ZETA= 2725464
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a0(
+    __m256i *re) {
+  for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)2725464);
+  }
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_3(
+    __m256i *re) {
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_99(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1c(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_44(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a8(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1f(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_95(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_e4(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_05(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d9(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3a(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b0(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a0(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 2
+- ZETA= 2680103
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_990(
+    __m256i *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)2680103);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 4
+- STEP_BY= 2
+- ZETA= 3111497
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b0(
+    __m256i *re) {
+  for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)3111497);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 8
+- STEP_BY= 2
+- ZETA= -2884855
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a80(
+    __m256i *re) {
+  for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2884855);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 12
+- STEP_BY= 2
+- ZETA= 3119733
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_950(
+    __m256i *re) {
+  for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)3119733);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 2
+- ZETA= -2091905
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a0(
+    __m256i *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2091905);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 20
+- STEP_BY= 2
+- ZETA= -359251
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de0(
+    __m256i *re) {
+  for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-359251);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 24
+- STEP_BY= 2
+- ZETA= 2353451
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d90(
+    __m256i *re) {
+  for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)2353451);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 28
+- STEP_BY= 2
+- ZETA= 1826347
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b1(
+    __m256i *re) {
+  for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)1826347);
+  }
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_4(
+    __m256i *re) {
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_990(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b0(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a80(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_950(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a0(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de0(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d90(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b1(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 4
+- ZETA= 466468
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_991(
+    __m256i *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]);
+    re[j + (size_t)4U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)466468);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 8
+- STEP_BY= 4
+- ZETA= -876248
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a81(
+    __m256i *re) {
+  for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]);
+    re[j + (size_t)4U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-876248);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 4
+- ZETA= -777960
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a1(
+    __m256i *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]);
+    re[j + (size_t)4U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-777960);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 24
+- STEP_BY= 4
+- ZETA= 237124
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d91(
+    __m256i *re) {
+  for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]);
+    re[j + (size_t)4U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)237124);
+  }
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_5(
+    __m256i *re) {
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_991(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a81(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a1(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d91(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 8
+- ZETA= -518909
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_992(
+    __m256i *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)8U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)8U]);
+    re[j + (size_t)8U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-518909);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 8
+- ZETA= -2608894
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a2(
+    __m256i *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) {
+    size_t j = i;
+    __m256i a_minus_b =
+        libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)8U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)8U]);
+    re[j + (size_t)8U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2608894);
+  }
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_6(
+    __m256i *re) {
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_992(re);
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a2(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 16
+- ZETA= 25847
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993(
+    __m256i *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) {
+    size_t j = i;
+    __m256i a_minus_b = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(
+        re[j + (size_t)16U], re[j]);
+    re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)16U]);
+    re[j + (size_t)16U] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)25847);
+  }
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_7(
+    __m256i *re) {
+  libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993(re);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(__m256i re[32U],
+                                                      __m256i ret[32U]) {
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0(re);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1(re);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2(re);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_3(re);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_4(re);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_5(re);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_6(re);
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_7(re);
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)32U, re, __m256i),
+                              __m256i);
+       i++) {
+    size_t i0 = i;
+    re[i0] =
+        libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant(
+            re[i0], (int32_t)41978);
+  }
+  memcpy(ret, re, (size_t)32U * sizeof(__m256i));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline __m256i libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_closure_a2(
+    __m256i **state, size_t i) {
+  KRML_HOST_EPRINTF(
+      "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+      "Eurydice error: Failure(\"unexpected / ill-typed projection\")\n");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_a2(
+    __m256i simd_units[32U], __m256i ret[32U]) {
+  __m256i re[32U];
+  for (size_t i = (size_t)0U; i < (size_t)32U; i++) {
+    re[i] = libcrux_intrinsics_avx2_mm256_setzero_si256();
+  }
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    re[i0] = simd_units[i0];
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  __m256i copy_of_re[32U];
+  memcpy(copy_of_re, re, (size_t)32U * sizeof(__m256i));
+  __m256i result[32U];
+  libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(copy_of_re, result);
+  __m256i ret0[32U];
+  for (size_t i = (size_t)0U; i < (size_t)32U; i++) {
+    ret0[i] = KRML_EABORT(
+        __m256i,
+        "Eurydice error: Failure(\"unexpected / ill-typed projection\")\n");
+  }
+  memcpy(ret, ret0, (size_t)32U * sizeof(__m256i));
+}
+
+typedef struct libcrux_ml_dsa_samplex4_avx2_AVX2Sampler_s {
+} libcrux_ml_dsa_samplex4_avx2_AVX2Sampler;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.PolynomialRingElement
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+
+*/
+typedef struct libcrux_ml_dsa_polynomial_PolynomialRingElement_24_s {
+  __m256i simd_units[32U];
+} libcrux_ml_dsa_polynomial_PolynomialRingElement_24;
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.ZERO_ff
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_polynomial_ZERO_ff_ea(void) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 lit;
+  lit.simd_units[0U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[1U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[2U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[3U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[4U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[5U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[6U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[7U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[8U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[9U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[10U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[11U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[12U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[13U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[14U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[15U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[16U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[17U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[18U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[19U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[20U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[21U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[22U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[23U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[24U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[25U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[26U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[27U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[28U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[29U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[30U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  lit.simd_units[31U] = libcrux_ml_dsa_simd_avx2_ZERO_a2();
+  return lit;
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.sample.rejection_sample_less_than_field_modulus with types
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+    Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) {
+  bool done = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(randomness, uint8_t) / (size_t)24U; i++) {
+    size_t _cloop_i = i;
+    Eurydice_slice random_bytes =
+        Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)24U,
+                                 _cloop_i * (size_t)24U + (size_t)24U, uint8_t);
+    if (!done) {
+      Eurydice_slice uu____0 = random_bytes;
+      size_t sampled =
+          libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2(
+              uu____0, Eurydice_array_to_subslice_from((size_t)263U, out,
+                                                       sampled_coefficients[0U],
+                                                       int32_t, size_t));
+      sampled_coefficients[0U] = sampled_coefficients[0U] + sampled;
+      if (sampled_coefficients[0U] >=
+          LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
+        done = true;
+      }
+    }
+  }
+  return done;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.update_matrix
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_sample_update_matrix_fe(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*m)[5U], size_t i,
+    size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 v) {
+  m[i][j] = v;
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.from_i32_array_ff
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(Eurydice_slice array) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    result.simd_units[i0] = libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2(
+        Eurydice_slice_subslice2(
+            array, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT,
+            (i0 + (size_t)1U) *
+                LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT,
+            int32_t));
+  }
+  return result;
+}
+
+/**
+ Sample and write out up to four ring elements.
+
+ If i <= `elements_requested`, a field element with domain separated
+ seed according to the provided index is generated in
+ `tmp_stack[i]`. After successful rejection sampling in
+ `tmp_stack[i]`, the ring element is written to `matrix` at the
+ provided index in `indices[i]`.
+ `rand_stack` is a working buffer that holds initial Shake output.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_up_to_four_ring_elements
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_hash_functions_simd256_Shake128x4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4(
+    uint8_t seed0[34U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U],
+    uint8_t *rand_stack0, uint8_t *rand_stack1, uint8_t *rand_stack2,
+    uint8_t *rand_stack3, Eurydice_slice tmp_stack, uint8_t_x2 *indices,
+    size_t elements_requested) {
+  uint16_t domain_separator0 =
+      libcrux_ml_dsa_sample_generate_domain_separator(indices[0U]);
+  uint16_t domain_separator1 =
+      libcrux_ml_dsa_sample_generate_domain_separator(indices[1U]);
+  uint16_t domain_separator2 =
+      libcrux_ml_dsa_sample_generate_domain_separator(indices[2U]);
+  uint16_t domain_separator3 =
+      libcrux_ml_dsa_sample_generate_domain_separator(indices[3U]);
+  seed0[32U] = (uint8_t)domain_separator0;
+  seed0[33U] = (uint8_t)((uint32_t)domain_separator0 >> 8U);
+  uint8_t seed1[34U];
+  memcpy(seed1, seed0, (size_t)34U * sizeof(uint8_t));
+  seed1[32U] = (uint8_t)domain_separator1;
+  seed1[33U] = (uint8_t)((uint32_t)domain_separator1 >> 8U);
+  uint8_t seed2[34U];
+  memcpy(seed2, seed0, (size_t)34U * sizeof(uint8_t));
+  seed2[32U] = (uint8_t)domain_separator2;
+  seed2[33U] = (uint8_t)((uint32_t)domain_separator2 >> 8U);
+  uint8_t seed3[34U];
+  memcpy(seed3, seed0, (size_t)34U * sizeof(uint8_t));
+  seed3[32U] = (uint8_t)domain_separator3;
+  seed3[33U] = (uint8_t)((uint32_t)domain_separator3 >> 8U);
+  libcrux_sha3_avx2_x4_incremental_KeccakState state =
+      libcrux_ml_dsa_hash_functions_simd256_init_absorb_7b(
+          Eurydice_array_to_slice((size_t)34U, seed0, uint8_t),
+          Eurydice_array_to_slice((size_t)34U, seed1, uint8_t),
+          Eurydice_array_to_slice((size_t)34U, seed2, uint8_t),
+          Eurydice_array_to_slice((size_t)34U, seed3, uint8_t));
+  libcrux_ml_dsa_hash_functions_simd256_squeeze_first_five_blocks_7b(
+      &state, rand_stack0, rand_stack1, rand_stack2, rand_stack3);
+  size_t sampled0 = (size_t)0U;
+  size_t sampled1 = (size_t)0U;
+  size_t sampled2 = (size_t)0U;
+  size_t sampled3 = (size_t)0U;
+  bool done0 =
+      libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+          Eurydice_array_to_slice((size_t)840U, rand_stack0, uint8_t),
+          &sampled0,
+          Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                               int32_t(*)[263U]));
+  bool done1 =
+      libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+          Eurydice_array_to_slice((size_t)840U, rand_stack1, uint8_t),
+          &sampled1,
+          Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                               int32_t(*)[263U]));
+  bool done2 =
+      libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+          Eurydice_array_to_slice((size_t)840U, rand_stack2, uint8_t),
+          &sampled2,
+          Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                               int32_t(*)[263U]));
+  bool done3 =
+      libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+          Eurydice_array_to_slice((size_t)840U, rand_stack3, uint8_t),
+          &sampled3,
+          Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                               int32_t(*)[263U]));
+  while (true) {
+    if (done0) {
+      if (done1) {
+        if (done2) {
+          if (done3) {
+            break;
+          } else {
+            uint8_t_168size_t__x4 randomnesses =
+                libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b(
+                    &state);
+            if (!done0) {
+              done0 =
+                  libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                      Eurydice_array_to_slice((size_t)168U, randomnesses.fst,
+                                              uint8_t),
+                      &sampled0,
+                      Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                                           int32_t(*)[263U]));
+            }
+            if (!done1) {
+              done1 =
+                  libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                      Eurydice_array_to_slice((size_t)168U, randomnesses.snd,
+                                              uint8_t),
+                      &sampled1,
+                      Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                                           int32_t(*)[263U]));
+            }
+            if (!done2) {
+              done2 =
+                  libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                      Eurydice_array_to_slice((size_t)168U, randomnesses.thd,
+                                              uint8_t),
+                      &sampled2,
+                      Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                                           int32_t(*)[263U]));
+            }
+            if (!done3) {
+              done3 =
+                  libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                      Eurydice_array_to_slice((size_t)168U, randomnesses.f3,
+                                              uint8_t),
+                      &sampled3,
+                      Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                                           int32_t(*)[263U]));
+            }
+          }
+        } else {
+          uint8_t_168size_t__x4 randomnesses =
+              libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b(
+                  &state);
+          if (!done0) {
+            done0 =
+                libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                    Eurydice_array_to_slice((size_t)168U, randomnesses.fst,
+                                            uint8_t),
+                    &sampled0,
+                    Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                                         int32_t(*)[263U]));
+          }
+          if (!done1) {
+            done1 =
+                libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                    Eurydice_array_to_slice((size_t)168U, randomnesses.snd,
+                                            uint8_t),
+                    &sampled1,
+                    Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                                         int32_t(*)[263U]));
+          }
+          if (!done2) {
+            done2 =
+                libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                    Eurydice_array_to_slice((size_t)168U, randomnesses.thd,
+                                            uint8_t),
+                    &sampled2,
+                    Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                                         int32_t(*)[263U]));
+          }
+          if (!done3) {
+            done3 =
+                libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                    Eurydice_array_to_slice((size_t)168U, randomnesses.f3,
+                                            uint8_t),
+                    &sampled3,
+                    Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                                         int32_t(*)[263U]));
+          }
+        }
+      } else {
+        uint8_t_168size_t__x4 randomnesses =
+            libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b(&state);
+        if (!done0) {
+          done0 =
+              libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                  Eurydice_array_to_slice((size_t)168U, randomnesses.fst,
+                                          uint8_t),
+                  &sampled0,
+                  Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                                       int32_t(*)[263U]));
+        }
+        if (!done1) {
+          done1 =
+              libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                  Eurydice_array_to_slice((size_t)168U, randomnesses.snd,
+                                          uint8_t),
+                  &sampled1,
+                  Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                                       int32_t(*)[263U]));
+        }
+        if (!done2) {
+          done2 =
+              libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                  Eurydice_array_to_slice((size_t)168U, randomnesses.thd,
+                                          uint8_t),
+                  &sampled2,
+                  Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                                       int32_t(*)[263U]));
+        }
+        if (!done3) {
+          done3 =
+              libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                  Eurydice_array_to_slice((size_t)168U, randomnesses.f3,
+                                          uint8_t),
+                  &sampled3,
+                  Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                                       int32_t(*)[263U]));
+        }
+      }
+    } else {
+      uint8_t_168size_t__x4 randomnesses =
+          libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b(&state);
+      if (!done0) {
+        done0 =
+            libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                Eurydice_array_to_slice((size_t)168U, randomnesses.fst,
+                                        uint8_t),
+                &sampled0,
+                Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                                     int32_t(*)[263U]));
+      }
+      if (!done1) {
+        done1 =
+            libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                Eurydice_array_to_slice((size_t)168U, randomnesses.snd,
+                                        uint8_t),
+                &sampled1,
+                Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                                     int32_t(*)[263U]));
+      }
+      if (!done2) {
+        done2 =
+            libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                Eurydice_array_to_slice((size_t)168U, randomnesses.thd,
+                                        uint8_t),
+                &sampled2,
+                Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                                     int32_t(*)[263U]));
+      }
+      if (!done3) {
+        done3 =
+            libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea(
+                Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t),
+                &sampled3,
+                Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                                     int32_t(*)[263U]));
+      }
+    }
+  }
+  for (size_t i0 = (size_t)0U; i0 < elements_requested; i0++) {
+    size_t k = i0;
+    size_t uu____0 = k;
+    uint8_t i = indices[uu____0].fst;
+    uint8_t j = indices[uu____0].snd;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24(*uu____1)[5U] = matrix;
+    size_t uu____2 = (size_t)i;
+    size_t uu____3 = (size_t)j;
+    libcrux_ml_dsa_sample_update_matrix_fe(
+        uu____1, uu____2, uu____3,
+        libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(Eurydice_array_to_slice(
+            (size_t)263U,
+            Eurydice_slice_index(tmp_stack, k, int32_t[263U], int32_t(*)[263U]),
+            int32_t)));
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_6_by_5
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_hash_functions_simd256_Shake128x4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_f4(
+    uint8_t seed[34U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A[6U][5U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+    A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+    A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+    A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+    A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  uint8_t rand_stack0[840U] = {0U};
+  uint8_t rand_stack1[840U] = {0U};
+  uint8_t rand_stack2[840U] = {0U};
+  uint8_t rand_stack3[840U] = {0U};
+  int32_t tmp_stack[4U][263U] = {{0U}};
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed[34U];
+  memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}),
+                         (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4(
+      copy_of_seed, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed0[34U];
+  memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}),
+                         (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 2U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4(
+      copy_of_seed0, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed1[34U];
+  memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}),
+                         (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 4U}),
+                         (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 1U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4(
+      copy_of_seed1, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed2[34U];
+  memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}),
+                         (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 3U}),
+                         (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 4U}),
+                         (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 0U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4(
+      copy_of_seed2, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed3[34U];
+  memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 2U}),
+                         (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 3U}),
+                         (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 4U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4(
+      copy_of_seed3, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed4[34U];
+  memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 2U}),
+                         (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 3U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4(
+      copy_of_seed4, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed5[34U];
+  memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}),
+                         (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 2U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4(
+      copy_of_seed5, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed6[34U];
+  memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}),
+                        (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}),
+                        (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}),
+                        (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4(
+      copy_of_seed6, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf,
+      (size_t)2U);
+  memcpy(ret, A,
+         (size_t)6U *
+             sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_A_avx2
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_samplex4_avx2_matrix_A_avx2_fe(
+    uint8_t seed[34U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) {
+  uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U};
+  switch (uu____0.fst) {
+    case 6U: {
+      switch (uu____0.snd) {
+        case 5U: {
+          /* Passing arrays by value in Rust generates a copy in C */
+          uint8_t copy_of_seed[34U];
+          memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t));
+          libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U];
+          libcrux_ml_dsa_samplex4_matrix_A_6_by_5_f4(copy_of_seed, ret0);
+          memcpy(
+              ret, ret0,
+              (size_t)6U *
+                  sizeof(
+                      libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]));
+          return;
+        }
+        default: {
+        }
+      }
+      break;
+    }
+    default: {
+    }
+  }
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for
+libcrux_ml_dsa::samplex4::avx2::AVX2Sampler)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_A_b8
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(
+    uint8_t seed[34U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed[34U];
+  memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U];
+  libcrux_ml_dsa_samplex4_avx2_matrix_A_avx2_fe(copy_of_seed, ret0);
+  memcpy(ret, ret0,
+         (size_t)6U *
+             sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]));
+}
+
+/**
+A monomorphic instance of K.
+with types libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[5size_t],
+libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t]
+
+*/
+typedef struct tuple_ce0_s {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst[5U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U];
+} tuple_ce0;
+
+typedef struct
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4_s {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 thd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f3;
+} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4;
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_ea(
+    Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) {
+  bool done = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) {
+    size_t _cloop_i = i;
+    Eurydice_slice random_bytes =
+        Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U,
+                                 _cloop_i * (size_t)4U + (size_t)4U, uint8_t);
+    if (!done) {
+      Eurydice_slice uu____0 = random_bytes;
+      size_t sampled =
+          libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2(
+              uu____0, Eurydice_array_to_subslice_from((size_t)263U, out,
+                                                       sampled_coefficients[0U],
+                                                       int32_t, size_t));
+      sampled_coefficients[0U] = sampled_coefficients[0U] + sampled;
+      if (sampled_coefficients[0U] >=
+          LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
+        done = true;
+      }
+    }
+  }
+  return done;
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_4 with types
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ea(
+    Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) {
+  bool done = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) {
+    size_t _cloop_i = i;
+    Eurydice_slice random_bytes =
+        Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U,
+                                 _cloop_i * (size_t)4U + (size_t)4U, uint8_t);
+    if (!done) {
+      Eurydice_slice uu____0 = random_bytes;
+      size_t sampled =
+          libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2(
+              uu____0, Eurydice_array_to_subslice_from((size_t)263U, out,
+                                                       sampled_coefficients[0U],
+                                                       int32_t, size_t));
+      sampled_coefficients[0U] = sampled_coefficients[0U] + sampled;
+      if (sampled_coefficients[0U] >=
+          LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
+        done = true;
+      }
+    }
+  }
+  return done;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+    Eurydice_slice randomness, size_t *sampled, int32_t *out) {
+  return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ea(
+      randomness, sampled, out);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_four_error_ring_elements
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4
+    libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb(
+        uint8_t seed_base[66U], uint16_t domain_separator0,
+        uint16_t domain_separator1, uint16_t domain_seperator2,
+        uint16_t domain_separator3) {
+  uint8_t seed0[66U];
+  memcpy(seed0, seed_base, (size_t)66U * sizeof(uint8_t));
+  seed0[64U] = (uint8_t)domain_separator0;
+  seed0[65U] = (uint8_t)((uint32_t)domain_separator0 >> 8U);
+  uint8_t seed1[66U];
+  memcpy(seed1, seed0, (size_t)66U * sizeof(uint8_t));
+  seed1[64U] = (uint8_t)domain_separator1;
+  seed1[65U] = (uint8_t)((uint32_t)domain_separator1 >> 8U);
+  uint8_t seed2[66U];
+  memcpy(seed2, seed0, (size_t)66U * sizeof(uint8_t));
+  seed2[64U] = (uint8_t)domain_seperator2;
+  seed2[65U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U);
+  uint8_t seed3[66U];
+  memcpy(seed3, seed0, (size_t)66U * sizeof(uint8_t));
+  seed3[64U] = (uint8_t)domain_separator3;
+  seed3[65U] = (uint8_t)((uint32_t)domain_separator3 >> 8U);
+  libcrux_sha3_avx2_x4_incremental_KeccakState state =
+      libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4_fb(
+          Eurydice_array_to_slice((size_t)66U, seed0, uint8_t),
+          Eurydice_array_to_slice((size_t)66U, seed1, uint8_t),
+          Eurydice_array_to_slice((size_t)66U, seed2, uint8_t),
+          Eurydice_array_to_slice((size_t)66U, seed3, uint8_t));
+  uint8_t_136size_t__x4 randomnesses0 =
+      libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4_fb(&state);
+  int32_t out0[263U] = {0U};
+  int32_t out1[263U] = {0U};
+  int32_t out2[263U] = {0U};
+  int32_t out3[263U] = {0U};
+  size_t sampled0 = (size_t)0U;
+  size_t sampled1 = (size_t)0U;
+  size_t sampled2 = (size_t)0U;
+  size_t sampled3 = (size_t)0U;
+  bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+      Eurydice_array_to_slice((size_t)136U, randomnesses0.fst, uint8_t),
+      &sampled0, out0);
+  bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+      Eurydice_array_to_slice((size_t)136U, randomnesses0.snd, uint8_t),
+      &sampled1, out1);
+  bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+      Eurydice_array_to_slice((size_t)136U, randomnesses0.thd, uint8_t),
+      &sampled2, out2);
+  bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+      Eurydice_array_to_slice((size_t)136U, randomnesses0.f3, uint8_t),
+      &sampled3, out3);
+  while (true) {
+    if (done0) {
+      if (done1) {
+        if (done2) {
+          if (done3) {
+            break;
+          } else {
+            uint8_t_136size_t__x4 randomnesses =
+                libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb(
+                    &state);
+            if (!done0) {
+              done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+                  Eurydice_array_to_slice((size_t)136U, randomnesses.fst,
+                                          uint8_t),
+                  &sampled0, out0);
+            }
+            if (!done1) {
+              done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+                  Eurydice_array_to_slice((size_t)136U, randomnesses.snd,
+                                          uint8_t),
+                  &sampled1, out1);
+            }
+            if (!done2) {
+              done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+                  Eurydice_array_to_slice((size_t)136U, randomnesses.thd,
+                                          uint8_t),
+                  &sampled2, out2);
+            }
+            if (!done3) {
+              done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+                  Eurydice_array_to_slice((size_t)136U, randomnesses.f3,
+                                          uint8_t),
+                  &sampled3, out3);
+            }
+          }
+        } else {
+          uint8_t_136size_t__x4 randomnesses =
+              libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb(
+                  &state);
+          if (!done0) {
+            done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+                Eurydice_array_to_slice((size_t)136U, randomnesses.fst,
+                                        uint8_t),
+                &sampled0, out0);
+          }
+          if (!done1) {
+            done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+                Eurydice_array_to_slice((size_t)136U, randomnesses.snd,
+                                        uint8_t),
+                &sampled1, out1);
+          }
+          if (!done2) {
+            done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+                Eurydice_array_to_slice((size_t)136U, randomnesses.thd,
+                                        uint8_t),
+                &sampled2, out2);
+          }
+          if (!done3) {
+            done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+                Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t),
+                &sampled3, out3);
+          }
+        }
+      } else {
+        uint8_t_136size_t__x4 randomnesses =
+            libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb(
+                &state);
+        if (!done0) {
+          done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+              Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t),
+              &sampled0, out0);
+        }
+        if (!done1) {
+          done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+              Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t),
+              &sampled1, out1);
+        }
+        if (!done2) {
+          done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+              Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t),
+              &sampled2, out2);
+        }
+        if (!done3) {
+          done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+              Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t),
+              &sampled3, out3);
+        }
+      }
+    } else {
+      uint8_t_136size_t__x4 randomnesses =
+          libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb(
+              &state);
+      if (!done0) {
+        done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+            Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t),
+            &sampled0, out0);
+      }
+      if (!done1) {
+        done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+            Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t),
+            &sampled1, out1);
+      }
+      if (!done2) {
+        done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+            Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t),
+            &sampled2, out2);
+      }
+      if (!done3) {
+        done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d(
+            Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t),
+            &sampled3, out3);
+      }
+    }
+  }
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+      libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(
+          Eurydice_array_to_slice((size_t)263U, out0, int32_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 =
+      libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(
+          Eurydice_array_to_slice((size_t)263U, out1, int32_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 =
+      libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(
+          Eurydice_array_to_slice((size_t)263U, out2, int32_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4
+      lit;
+  lit.fst = uu____0;
+  lit.snd = uu____1;
+  lit.thd = uu____2;
+  lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(
+      Eurydice_array_to_slice((size_t)263U, out3, int32_t));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_5_by_6
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics
+- ETA= 4
+- S1_DIMENSION= 5
+- S2_DIMENSION= 6
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE tuple_ce0
+libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_4d(uint8_t seed_base[66U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed_base[66U];
+  memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4
+      four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb(
+          copy_of_seed_base, 0U, 1U, 2U, 3U);
+  s1[0U] = four.fst;
+  s1[1U] = four.snd;
+  s1[2U] = four.thd;
+  s1[3U] = four.f3;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed_base0[66U];
+  memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4
+      four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb(
+          copy_of_seed_base0, 4U, 5U, 6U, 7U);
+  s1[4U] = four0.fst;
+  s2[0U] = four0.snd;
+  s2[1U] = four0.thd;
+  s2[2U] = four0.f3;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed_base1[66U];
+  memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4
+      four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb(
+          copy_of_seed_base1, 8U, 9U, 10U, 11U);
+  s2[3U] = four1.fst;
+  s2[4U] = four1.snd;
+  s2[5U] = four1.thd;
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U];
+  memcpy(
+      copy_of_s1, s1,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U];
+  memcpy(
+      copy_of_s2, s2,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  tuple_ce0 lit;
+  memcpy(
+      lit.fst, copy_of_s1,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  memcpy(
+      lit.snd, copy_of_s2,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics
+- ETA= 4
+- S1_DIMENSION= 5
+- S2_DIMENSION= 6
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE tuple_ce0
+libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(uint8_t seed[66U]) {
+  uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)5U, .snd = (uint8_t)(size_t)6U};
+  switch (uu____0.fst) {
+    case 5U: {
+      switch (uu____0.snd) {
+        case 6U: {
+          /* Passing arrays by value in Rust generates a copy in C */
+          uint8_t copy_of_seed[66U];
+          memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t));
+          return libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_4d(
+              copy_of_seed);
+        }
+        default: {
+        }
+      }
+      break;
+    }
+    default: {
+    }
+  }
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ntt.ntt
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_ntt_ntt_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re) {
+  __m256i uu____0[32U];
+  memcpy(uu____0, re.simd_units, (size_t)32U * sizeof(__m256i));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 lit;
+  __m256i ret[32U];
+  libcrux_ml_dsa_simd_avx2_ntt_a2(uu____0, ret);
+  memcpy(lit.simd_units, ret, (size_t)32U * sizeof(__m256i));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2.closure
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_fe(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s) {
+  return libcrux_ml_dsa_ntt_ntt_ea(s);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ntt.ntt_multiply_montgomery
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 out =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, out.simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    out.simd_units[i0] = libcrux_ml_dsa_simd_avx2_montgomery_multiply_a2(
+        lhs->simd_units[i0], rhs->simd_units[i0]);
+  }
+  return out;
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.add_ff
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_polynomial_add_ff_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 sum =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, sum.simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    sum.simd_units[i0] = libcrux_ml_dsa_simd_avx2_add_a2(&self->simd_units[i0],
+                                                         &rhs->simd_units[i0]);
+  }
+  return sum;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ntt.invert_ntt_montgomery
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re) {
+  __m256i uu____0[32U];
+  memcpy(uu____0, re.simd_units, (size_t)32U * sizeof(__m256i));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 lit;
+  __m256i ret[32U];
+  libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_a2(uu____0, ret);
+  memcpy(lit.simd_units, ret, (size_t)32U * sizeof(__m256i));
+  return lit;
+}
+
+/**
+ Compute InvertNTT(Â ◦ ŝ₁) + s₂
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*A_as_ntt)[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s1,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s2,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U];
+  memcpy(
+      copy_of_s1, s1,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_ntt[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    s1_ntt[i] =
+        libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_fe(copy_of_s1[i]);
+  }
+  for (size_t i0 = (size_t)0U;
+       i0 < Eurydice_slice_len(
+                Eurydice_array_to_slice(
+                    (size_t)6U, A_as_ntt,
+                    libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]),
+                libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]);
+       i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *row = A_as_ntt[i1];
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)5U, row,
+                     libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+                 libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element =
+          &row[j];
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product =
+          libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(ring_element,
+                                                        &s1_ntt[j]);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 =
+          libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product);
+      result[i1] = uu____1;
+    }
+    result[i1] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(result[i1]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____3 =
+        libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &s2[i1]);
+    result[i1] = uu____3;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+typedef struct
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2_s {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst[6U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U];
+} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.power2round_vector
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2
+    libcrux_ml_dsa_arithmetic_power2round_vector_a3(
+        libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    t0[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i0 = (size_t)0U;
+       i0 < Eurydice_slice_len(
+                Eurydice_array_to_slice(
+                    (size_t)6U, t,
+                    libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+                libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = &t[i1];
+    for (size_t i = (size_t)0U;
+         i <
+         Eurydice_slice_len(Eurydice_array_to_slice(
+                                (size_t)32U, ring_element->simd_units, __m256i),
+                            __m256i);
+         i++) {
+      size_t j = i;
+      __m256i *simd_unit = &ring_element->simd_units[j];
+      libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 uu____0 =
+          libcrux_ml_dsa_simd_avx2_power2round_a2(simd_unit[0U]);
+      __m256i t0_unit = uu____0.fst;
+      __m256i t1_unit = uu____0.snd;
+      t0[i1].simd_units[j] = t0_unit;
+      t1[i1].simd_units[j] = t1_unit;
+    }
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0[6U];
+  memcpy(
+      copy_of_t0, t0,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U];
+  memcpy(
+      copy_of_t1, t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2
+      lit;
+  memcpy(
+      lit.fst, copy_of_t0,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  memcpy(
+      lit.snd, copy_of_t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.t1.serialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, uint8_t ret[320U]) {
+  uint8_t serialized[320U] = {0U};
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i *simd_unit = &re.simd_units[i0];
+    Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+        serialized,
+        i0 * LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT,
+        (i0 + (size_t)1U) *
+            LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT,
+        uint8_t);
+    uint8_t ret0[10U];
+    libcrux_ml_dsa_simd_avx2_t1_serialize_a2(simd_unit[0U], ret0);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)10U, ret0, uint8_t), uint8_t);
+  }
+  memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t));
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.verification_key.generate_serialized with types
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics
+- ROWS_IN_A= 6
+- VERIFICATION_KEY_SIZE= 1952
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_verification_key_generate_serialized_fe(
+    Eurydice_slice seed_for_A,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U],
+    uint8_t ret[1952U]) {
+  uint8_t verification_key_serialized[1952U] = {0U};
+  Eurydice_slice_copy(Eurydice_array_to_subslice2(
+                          verification_key_serialized, (size_t)0U,
+                          LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t),
+                      seed_for_A, uint8_t);
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, t1,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = &t1[i0];
+    size_t offset = LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE +
+                    i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE;
+    Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+        verification_key_serialized, offset,
+        offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t);
+    uint8_t ret0[320U];
+    libcrux_ml_dsa_encoding_t1_serialize_ea(ring_element[0U], ret0);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)320U, ret0, uint8_t), uint8_t);
+  }
+  memcpy(ret, verification_key_serialized, (size_t)1952U * sizeof(uint8_t));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256
+with const generics
+- OUTPUT_LENGTH= 64
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_simd256_shake256_24(
+    Eurydice_slice input, uint8_t *out) {
+  libcrux_sha3_portable_shake256(
+      Eurydice_array_to_slice((size_t)64U, out, uint8_t), input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_d9
+with const generics
+- OUTPUT_LENGTH= 64
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24(Eurydice_slice input,
+                                                     uint8_t *out) {
+  libcrux_ml_dsa_hash_functions_simd256_shake256_24(input, out);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.error.serialize
+with const generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_encoding_error_serialize_ac(
+    __m256i simd_unit, Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4(simd_unit,
+                                                                  serialized);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.error_serialize_a2
+with const generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_error_serialize_a2_ac(
+    __m256i simd_unit, Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_avx2_encoding_error_serialize_ac(simd_unit, serialized);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.error.serialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ETA= 4
+- OUTPUT_SIZE= 128
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_a8(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re,
+    Eurydice_slice serialized) {
+  size_t output_bytes_per_simd_unit;
+  output_bytes_per_simd_unit = (size_t)4U;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i *simd_unit = &re.simd_units[i0];
+    libcrux_ml_dsa_simd_avx2_error_serialize_a2_ac(
+        simd_unit[0U],
+        Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit,
+                                 (i0 + (size_t)1U) * output_bytes_per_simd_unit,
+                                 uint8_t));
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.t0.serialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re,
+    Eurydice_slice serialized) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i *simd_unit = &re.simd_units[i0];
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT,
+        (i0 + (size_t)1U) *
+            LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT,
+        uint8_t);
+    uint8_t ret[13U];
+    libcrux_ml_dsa_simd_avx2_t0_serialize_a2(simd_unit[0U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)13U, ret, uint8_t), uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.signing_key.generate_serialized with types
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_hash_functions_simd256_Shake256 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- SIGNING_KEY_SIZE= 4032
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9(
+    Eurydice_slice seed_for_A, Eurydice_slice seed_for_signing,
+    Eurydice_slice verification_key,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U],
+    uint8_t ret[4032U]) {
+  uint8_t signing_key_serialized[4032U] = {0U};
+  size_t offset = (size_t)0U;
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(
+          signing_key_serialized, offset,
+          offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t),
+      seed_for_A, uint8_t);
+  offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE;
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(
+          signing_key_serialized, offset,
+          offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, uint8_t),
+      seed_for_signing, uint8_t);
+  offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE;
+  uint8_t verification_key_hash[64U] = {0U};
+  libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24(verification_key,
+                                                       verification_key_hash);
+  Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+      signing_key_serialized, offset,
+      offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH,
+      uint8_t);
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t),
+      uint8_t);
+  offset = offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)5U, s1,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element =
+        &s1[_cloop_j];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 =
+        ring_element[0U];
+    libcrux_ml_dsa_encoding_error_serialize_a8(
+        uu____1, Eurydice_array_to_subslice2(signing_key_serialized, offset,
+                                             offset + (size_t)128U, uint8_t));
+    offset = offset + (size_t)128U;
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, s2,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element =
+        &s2[_cloop_j];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 =
+        ring_element[0U];
+    libcrux_ml_dsa_encoding_error_serialize_a8(
+        uu____2, Eurydice_array_to_subslice2(signing_key_serialized, offset,
+                                             offset + (size_t)128U, uint8_t));
+    offset = offset + (size_t)128U;
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, t0,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element =
+        &t0[_cloop_j];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____3 =
+        ring_element[0U];
+    libcrux_ml_dsa_encoding_t0_serialize_ea(
+        uu____3, Eurydice_array_to_subslice2(
+                     signing_key_serialized, offset,
+                     offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE,
+                     uint8_t));
+    offset = offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE;
+  }
+  memcpy(ret, signing_key_serialized, (size_t)4032U * sizeof(uint8_t));
+}
+
+/**
+ Generate a key pair.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.generate_key_pair
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_samplex4_avx2_AVX2Sampler,
+libcrux_ml_dsa_hash_functions_simd256_Shake128x4,
+libcrux_ml_dsa_hash_functions_simd256_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- SIGNING_KEY_SIZE= 4032
+- VERIFICATION_KEY_SIZE= 1952
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE tuple_a0
+libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_90(uint8_t randomness[32U]) {
+  uint8_t seed_expanded0[128U] = {0U};
+  libcrux_sha3_portable_incremental_Shake256Xof shake =
+      libcrux_ml_dsa_hash_functions_portable_init_83();
+  libcrux_ml_dsa_hash_functions_portable_absorb_83(
+      &shake, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t));
+  uint8_t buf[2U] = {(uint8_t)(size_t)6U, (uint8_t)(size_t)5U};
+  libcrux_ml_dsa_hash_functions_portable_absorb_final_83(
+      &shake, Eurydice_array_to_slice((size_t)2U, buf, uint8_t));
+  libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+      &shake, Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t));
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
+      Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t),
+      LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t,
+      Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_a = uu____0.fst;
+  Eurydice_slice seed_expanded = uu____0.snd;
+  Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at(
+      seed_expanded, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_ERROR_VECTORS_SIZE,
+      uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_error_vectors = uu____1.fst;
+  Eurydice_slice seed_for_signing = uu____1.snd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 a_as_ntt[6U][5U];
+  uint8_t ret[34U];
+  libcrux_ml_dsa_utils_into_padded_array_b6(seed_for_a, ret);
+  libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(ret, a_as_ntt);
+  uint8_t ret0[66U];
+  libcrux_ml_dsa_utils_into_padded_array_20(seed_for_error_vectors, ret0);
+  tuple_ce0 uu____2 = libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(ret0);
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U];
+  memcpy(
+      s1, uu____2.fst,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U];
+  memcpy(
+      s2, uu____2.snd,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U];
+  libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe(a_as_ntt, s1, s2, t);
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t[6U];
+  memcpy(
+      copy_of_t, t,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2
+      uu____4 = libcrux_ml_dsa_arithmetic_power2round_vector_a3(copy_of_t);
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U];
+  memcpy(
+      t0, uu____4.fst,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U];
+  memcpy(
+      t1, uu____4.snd,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  Eurydice_slice uu____5 = seed_for_a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U];
+  memcpy(
+      copy_of_t1, t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  uint8_t verification_key_serialized[1952U];
+  libcrux_ml_dsa_encoding_verification_key_generate_serialized_fe(
+      uu____5, copy_of_t1, verification_key_serialized);
+  Eurydice_slice uu____7 = seed_for_a;
+  Eurydice_slice uu____8 = seed_for_signing;
+  Eurydice_slice uu____9 = Eurydice_array_to_slice(
+      (size_t)1952U, verification_key_serialized, uint8_t);
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U];
+  memcpy(
+      copy_of_s1, s1,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U];
+  memcpy(
+      copy_of_s2, s2,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0[6U];
+  memcpy(
+      copy_of_t0, t0,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  uint8_t signing_key_serialized[4032U];
+  libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9(
+      uu____7, uu____8, uu____9, copy_of_s1, copy_of_s2, copy_of_t0,
+      signing_key_serialized);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_signing_key_serialized[4032U];
+  memcpy(copy_of_signing_key_serialized, signing_key_serialized,
+         (size_t)4032U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_verification_key_serialized[1952U];
+  memcpy(copy_of_verification_key_serialized, verification_key_serialized,
+         (size_t)1952U * sizeof(uint8_t));
+  tuple_a0 lit;
+  memcpy(lit.fst, copy_of_signing_key_serialized,
+         (size_t)4032U * sizeof(uint8_t));
+  memcpy(lit.snd, copy_of_verification_key_serialized,
+         (size_t)1952U * sizeof(uint8_t));
+  return lit;
+}
+
+/**
+ Generate key pair.
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.generate_key_pair
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- SIGNING_KEY_SIZE= 4032
+- VERIFICATION_KEY_SIZE= 1952
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline tuple_a0
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_52(
+    uint8_t randomness[32U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_90(copy_of_randomness);
+}
+
+/**
+ Generate key pair.
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.generate_key_pair with const
+generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- SIGNING_KEY_SIZE= 4032
+- VERIFICATION_KEY_SIZE= 1952
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline tuple_a0
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_52(
+    uint8_t randomness[32U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_52(
+      copy_of_randomness);
+}
+
+/**
+ Generate an ML-DSA-65 Key Pair
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair
+libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair(uint8_t randomness[32U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  tuple_a0 uu____1 =
+      libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_52(
+          copy_of_randomness);
+  uint8_t signing_key[4032U];
+  memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t));
+  uint8_t verification_key[1952U];
+  memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_signing_key[4032U];
+  memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t));
+  libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 =
+      libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_verification_key[1952U];
+  memcpy(copy_of_verification_key, verification_key,
+         (size_t)1952U * sizeof(uint8_t));
+  libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit;
+  lit.signing_key = uu____3;
+  lit.verification_key =
+      libcrux_ml_dsa_types_new_66_97(copy_of_verification_key);
+  return lit;
+}
+
+/**
+A monomorphic instance of K.
+with types size_t, core_core_arch_x86___m256i
+
+*/
+typedef struct tuple_bb_s {
+  size_t fst;
+  __m256i snd;
+} tuple_bb;
+
+/**
+A monomorphic instance of K.
+with types uint8_t[32size_t], uint8_t[32size_t], uint8_t[64size_t],
+libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[5size_t],
+libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t],
+libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t]
+
+*/
+typedef struct tuple_f00_s {
+  uint8_t fst[32U];
+  uint8_t snd[32U];
+  uint8_t thd[64U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f3[5U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f4[6U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f5[6U];
+} tuple_f00;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.error.deserialize
+with const generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_ac(
+    Eurydice_slice serialized) {
+  __m256i unsigned =
+      libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(
+          serialized);
+  return libcrux_intrinsics_avx2_mm256_sub_epi32(
+      libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)4U), unsigned);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.error_deserialize_a2
+with const generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_error_deserialize_a2_ac(Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_ac(serialized);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.error.deserialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ETA= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_deserialize_4d(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) {
+  size_t chunk_size;
+  chunk_size = (size_t)4U;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)32U, result->simd_units, __m256i),
+                              __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i uu____0 = libcrux_ml_dsa_simd_avx2_error_deserialize_a2_ac(
+        Eurydice_slice_subslice2(serialized, i0 * chunk_size,
+                                 (i0 + (size_t)1U) * chunk_size, uint8_t));
+    result->simd_units[i0] = uu____0;
+  }
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics
+- DIMENSION= 5
+- ETA= 4
+- RING_ELEMENT_SIZE= 128
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5b(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ring_elements[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) {
+    size_t i0 = i;
+    Eurydice_slice bytes =
+        Eurydice_slice_subslice2(serialized, i0 * (size_t)128U,
+                                 i0 * (size_t)128U + (size_t)128U, uint8_t);
+    libcrux_ml_dsa_encoding_error_deserialize_4d(bytes, &ring_elements[i0]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        libcrux_ml_dsa_ntt_ntt_ea(ring_elements[i0]);
+    ring_elements[i0] = uu____0;
+  }
+  memcpy(
+      ret, ring_elements,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics
+- DIMENSION= 6
+- ETA= 4
+- RING_ELEMENT_SIZE= 128
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_ef(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ring_elements[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) {
+    size_t i0 = i;
+    Eurydice_slice bytes =
+        Eurydice_slice_subslice2(serialized, i0 * (size_t)128U,
+                                 i0 * (size_t)128U + (size_t)128U, uint8_t);
+    libcrux_ml_dsa_encoding_error_deserialize_4d(bytes, &ring_elements[i0]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        libcrux_ml_dsa_ntt_ntt_ea(ring_elements[i0]);
+    ring_elements[i0] = uu____0;
+  }
+  memcpy(
+      ret, ring_elements,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.t0.deserialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_deserialize_ea(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)32U, result->simd_units, __m256i),
+                              __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i uu____0 =
+        libcrux_ml_dsa_simd_avx2_t0_deserialize_a2(Eurydice_slice_subslice2(
+            serialized,
+            i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT,
+            (i0 + (size_t)1U) *
+                LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT,
+            uint8_t));
+    result->simd_units[i0] = uu____0;
+  }
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.t0.deserialize_to_vector_then_ntt with types
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics
+- DIMENSION= 6
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_a3(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ring_elements[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(serialized, uint8_t) /
+               LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE;
+       i++) {
+    size_t i0 = i;
+    Eurydice_slice bytes = Eurydice_slice_subslice2(
+        serialized, i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE,
+        i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE +
+            LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE,
+        uint8_t);
+    libcrux_ml_dsa_encoding_t0_deserialize_ea(bytes, &ring_elements[i0]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        libcrux_ml_dsa_ntt_ntt_ea(ring_elements[i0]);
+    ring_elements[i0] = uu____0;
+  }
+  memcpy(
+      ret, ring_elements,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.signing_key.deserialize_then_ntt with types
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- SIGNING_KEY_SIZE= 4032
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE tuple_f00
+libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_b6(
+    uint8_t *serialized) {
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
+      Eurydice_array_to_slice((size_t)4032U, serialized, uint8_t),
+      LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t,
+      Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_A = uu____0.fst;
+  Eurydice_slice remaining_serialized0 = uu____0.snd;
+  Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at(
+      remaining_serialized0, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE,
+      uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_signing = uu____1.fst;
+  Eurydice_slice remaining_serialized1 = uu____1.snd;
+  Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at(
+      remaining_serialized1,
+      LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, uint8_t,
+      Eurydice_slice_uint8_t_x2);
+  Eurydice_slice verification_key_hash = uu____2.fst;
+  Eurydice_slice remaining_serialized2 = uu____2.snd;
+  Eurydice_slice_uint8_t_x2 uu____3 =
+      Eurydice_slice_split_at(remaining_serialized2, (size_t)128U * (size_t)5U,
+                              uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice s1_serialized = uu____3.fst;
+  Eurydice_slice remaining_serialized = uu____3.snd;
+  Eurydice_slice_uint8_t_x2 uu____4 =
+      Eurydice_slice_split_at(remaining_serialized, (size_t)128U * (size_t)6U,
+                              uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice s2_serialized = uu____4.fst;
+  Eurydice_slice t0_serialized = uu____4.snd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_as_ntt[5U];
+  libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5b(s1_serialized,
+                                                                  s1_as_ntt);
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2_as_ntt[6U];
+  libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_ef(s2_serialized,
+                                                                  s2_as_ntt);
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0_as_ntt[6U];
+  libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_a3(t0_serialized,
+                                                               t0_as_ntt);
+  uint8_t uu____5[32U];
+  Result_fb dst0;
+  Eurydice_slice_to_array2(&dst0, seed_for_A, Eurydice_slice, uint8_t[32U]);
+  unwrap_26_b3(dst0, uu____5);
+  uint8_t uu____6[32U];
+  Result_fb dst1;
+  Eurydice_slice_to_array2(&dst1, seed_for_signing, Eurydice_slice,
+                           uint8_t[32U]);
+  unwrap_26_b3(dst1, uu____6);
+  uint8_t uu____7[64U];
+  Result_f2 dst;
+  Eurydice_slice_to_array2(&dst, verification_key_hash, Eurydice_slice,
+                           uint8_t[64U]);
+  unwrap_26_4b(dst, uu____7);
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1_as_ntt[5U];
+  memcpy(
+      copy_of_s1_as_ntt, s1_as_ntt,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2_as_ntt[6U];
+  memcpy(
+      copy_of_s2_as_ntt, s2_as_ntt,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0_as_ntt[6U];
+  memcpy(
+      copy_of_t0_as_ntt, t0_as_ntt,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  tuple_f00 lit;
+  memcpy(lit.fst, uu____5, (size_t)32U * sizeof(uint8_t));
+  memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t));
+  memcpy(lit.thd, uu____7, (size_t)64U * sizeof(uint8_t));
+  memcpy(
+      lit.f3, copy_of_s1_as_ntt,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  memcpy(
+      lit.f4, copy_of_s2_as_ntt,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  memcpy(
+      lit.f5, copy_of_t0_as_ntt,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  return lit;
+}
+
+/**
+A monomorphic instance of core.option.Option
+with types libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[5size_t]
+
+*/
+typedef struct Option_a4_s {
+  Option_d8_tags tag;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f0[5U];
+} Option_a4;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_x4
+with const generics
+- OUT_LEN= 576
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_shake256_x4_1b(
+    Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
+    Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2,
+    uint8_t *out3) {
+  libcrux_sha3_avx2_x4_shake256(
+      input0, input1, input2, input3,
+      Eurydice_array_to_slice((size_t)576U, out0, uint8_t),
+      Eurydice_array_to_slice((size_t)576U, out1, uint8_t),
+      Eurydice_array_to_slice((size_t)576U, out2, uint8_t),
+      Eurydice_array_to_slice((size_t)576U, out3, uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_x4_fb
+with const generics
+- OUT_LEN= 576
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_1b(
+    Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
+    Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2,
+    uint8_t *out3) {
+  libcrux_ml_dsa_hash_functions_simd256_shake256_x4_1b(
+      input0, input1, input2, input3, out0, out1, out2, out3);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.gamma1.deserialize
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_36(
+    Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19(
+      serialized);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.gamma1_deserialize_a2
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_gamma1_deserialize_a2_36(Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_36(serialized);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.deserialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_deserialize_05(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)32U, result->simd_units, __m256i),
+                              __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i uu____0 = libcrux_ml_dsa_simd_avx2_gamma1_deserialize_a2_36(
+        Eurydice_slice_subslice2(serialized, i0 * ((size_t)19U + (size_t)1U),
+                                 (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U),
+                                 uint8_t));
+    result->simd_units[i0] = uu____0;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_x4
+with const generics
+- OUT_LEN= 640
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_shake256_x4_c8(
+    Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
+    Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2,
+    uint8_t *out3) {
+  libcrux_sha3_avx2_x4_shake256(
+      input0, input1, input2, input3,
+      Eurydice_array_to_slice((size_t)640U, out0, uint8_t),
+      Eurydice_array_to_slice((size_t)640U, out1, uint8_t),
+      Eurydice_array_to_slice((size_t)640U, out2, uint8_t),
+      Eurydice_array_to_slice((size_t)640U, out3, uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_x4_fb
+with const generics
+- OUT_LEN= 640
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_c8(
+    Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
+    Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2,
+    uint8_t *out3) {
+  libcrux_ml_dsa_hash_functions_simd256_shake256_x4_c8(
+      input0, input1, input2, input3, out0, out1, out2, out3);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256
+with const generics
+- OUTPUT_LENGTH= 576
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_simd256_shake256_1b(
+    Eurydice_slice input, uint8_t *out) {
+  libcrux_sha3_portable_shake256(
+      Eurydice_array_to_slice((size_t)576U, out, uint8_t), input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_d9
+with const generics
+- OUTPUT_LENGTH= 576
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_shake256_d9_1b(Eurydice_slice input,
+                                                     uint8_t *out) {
+  libcrux_ml_dsa_hash_functions_simd256_shake256_1b(input, out);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256
+with const generics
+- OUTPUT_LENGTH= 640
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_simd256_shake256_c8(
+    Eurydice_slice input, uint8_t *out) {
+  libcrux_sha3_portable_shake256(
+      Eurydice_array_to_slice((size_t)640U, out, uint8_t), input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_d9
+with const generics
+- OUTPUT_LENGTH= 640
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_simd256_shake256_d9_c8(Eurydice_slice input,
+                                                     uint8_t *out) {
+  libcrux_ml_dsa_hash_functions_simd256_shake256_c8(input, out);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_ring_element
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_hash_functions_simd256_Shake256 with const generics
+- GAMMA1_EXPONENT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_ring_element_d9(
+    uint8_t seed[66U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) {
+  uint8_t out[640U] = {0U};
+  libcrux_ml_dsa_hash_functions_simd256_shake256_d9_c8(
+      Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_05(
+      Eurydice_array_to_slice((size_t)640U, out, uint8_t), result);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_vector
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_hash_functions_simd256_Shake256,
+libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics
+- DIMENSION= 5
+- GAMMA1_EXPONENT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_vector_51(
+    uint8_t seed[66U], uint16_t *domain_separator,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 mask[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    mask[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed0[66U];
+  memcpy(copy_of_seed0, seed, (size_t)66U * sizeof(uint8_t));
+  uint8_t seed0[66U];
+  libcrux_ml_dsa_sample_update_seed(copy_of_seed0, domain_separator, seed0);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed1[66U];
+  memcpy(copy_of_seed1, seed, (size_t)66U * sizeof(uint8_t));
+  uint8_t seed1[66U];
+  libcrux_ml_dsa_sample_update_seed(copy_of_seed1, domain_separator, seed1);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed2[66U];
+  memcpy(copy_of_seed2, seed, (size_t)66U * sizeof(uint8_t));
+  uint8_t seed2[66U];
+  libcrux_ml_dsa_sample_update_seed(copy_of_seed2, domain_separator, seed2);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed3[66U];
+  memcpy(copy_of_seed3, seed, (size_t)66U * sizeof(uint8_t));
+  uint8_t seed3[66U];
+  libcrux_ml_dsa_sample_update_seed(copy_of_seed3, domain_separator, seed3);
+  uint8_t out0[640U] = {0U};
+  uint8_t out1[640U] = {0U};
+  uint8_t out2[640U] = {0U};
+  uint8_t out3[640U] = {0U};
+  libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_c8(
+      Eurydice_array_to_slice((size_t)66U, seed0, uint8_t),
+      Eurydice_array_to_slice((size_t)66U, seed1, uint8_t),
+      Eurydice_array_to_slice((size_t)66U, seed2, uint8_t),
+      Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, out2,
+      out3);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_05(
+      Eurydice_array_to_slice((size_t)640U, out0, uint8_t), mask);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_05(
+      Eurydice_array_to_slice((size_t)640U, out1, uint8_t), &mask[1U]);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_05(
+      Eurydice_array_to_slice((size_t)640U, out2, uint8_t), &mask[2U]);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_05(
+      Eurydice_array_to_slice((size_t)640U, out3, uint8_t), &mask[3U]);
+  for (size_t i = (size_t)4U; i < (size_t)5U; i++) {
+    size_t i0 = i;
+    seed[64U] = (uint8_t)domain_separator[0U];
+    seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U);
+    domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U;
+    /* Passing arrays by value in Rust generates a copy in C */
+    uint8_t copy_of_seed[66U];
+    memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t));
+    libcrux_ml_dsa_sample_sample_mask_ring_element_d9(copy_of_seed, &mask[i0]);
+  }
+  memcpy(
+      ret, mask,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask.closure
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_matrix_compute_A_times_mask_closure_fe(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s) {
+  return libcrux_ml_dsa_ntt_ntt_ea(s);
+}
+
+/**
+ Compute InvertNTT(Â ◦ ŷ)
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_A_times_mask_fe(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*A_as_ntt)[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *mask,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_mask[5U];
+  memcpy(
+      copy_of_mask, mask,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 mask_ntt[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    mask_ntt[i] =
+        libcrux_ml_dsa_matrix_compute_A_times_mask_closure_fe(copy_of_mask[i]);
+  }
+  for (size_t i0 = (size_t)0U;
+       i0 < Eurydice_slice_len(
+                Eurydice_array_to_slice(
+                    (size_t)6U, A_as_ntt,
+                    libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]),
+                libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]);
+       i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *row = A_as_ntt[i1];
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)5U, row,
+                     libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+                 libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element =
+          &row[j];
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product =
+          libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(ring_element,
+                                                        &mask_ntt[j]);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 =
+          libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product);
+      result[i1] = uu____1;
+    }
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 =
+        libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(result[i1]);
+    result[i1] = uu____2;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.decompose
+with const generics
+- GAMMA2= 261888
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE core_core_arch_x86___m256i_x2
+libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(__m256i r) {
+  __m256i r2 =
+      libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(r);
+  __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32(
+      (LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2);
+  int32_t ALPHA = (int32_t)261888 * (int32_t)2;
+  __m256i ceil_of_r_by_128 = libcrux_intrinsics_avx2_mm256_add_epi32(
+      r2, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)127));
+  __m256i ceil_of_r_by_1280 = libcrux_intrinsics_avx2_mm256_srai_epi32(
+      (int32_t)7, ceil_of_r_by_128, __m256i);
+  __m256i r1;
+  switch (ALPHA) {
+    case 190464: {
+      __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi32(
+          ceil_of_r_by_1280,
+          libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)11275));
+      __m256i result0 = libcrux_intrinsics_avx2_mm256_add_epi32(
+          result, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 23U));
+      __m256i result1 = libcrux_intrinsics_avx2_mm256_srai_epi32(
+          (int32_t)24, result0, __m256i);
+      __m256i mask = libcrux_intrinsics_avx2_mm256_sub_epi32(
+          libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)43), result1);
+      __m256i mask0 =
+          libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, mask, __m256i);
+      __m256i not_result =
+          libcrux_intrinsics_avx2_mm256_xor_si256(result1, mask0);
+      r1 = libcrux_intrinsics_avx2_mm256_and_si256(result1, not_result);
+      break;
+    }
+    case 523776: {
+      __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi32(
+          ceil_of_r_by_1280,
+          libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1025));
+      __m256i result0 = libcrux_intrinsics_avx2_mm256_add_epi32(
+          result, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 21U));
+      __m256i result1 = libcrux_intrinsics_avx2_mm256_srai_epi32(
+          (int32_t)22, result0, __m256i);
+      r1 = libcrux_intrinsics_avx2_mm256_and_si256(
+          result1, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)15));
+      break;
+    }
+    default: {
+      KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                        "panic!");
+      KRML_HOST_EXIT(255U);
+    }
+  }
+  __m256i r0 = libcrux_intrinsics_avx2_mm256_mullo_epi32(
+      r1, libcrux_intrinsics_avx2_mm256_set1_epi32(ALPHA));
+  __m256i r00 = libcrux_intrinsics_avx2_mm256_sub_epi32(r2, r0);
+  __m256i mask =
+      libcrux_intrinsics_avx2_mm256_sub_epi32(field_modulus_halved, r00);
+  __m256i mask0 =
+      libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, mask, __m256i);
+  __m256i field_modulus_and_mask = libcrux_intrinsics_avx2_mm256_and_si256(
+      mask0, libcrux_intrinsics_avx2_mm256_set1_epi32(
+                 LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS));
+  __m256i r01 =
+      libcrux_intrinsics_avx2_mm256_sub_epi32(r00, field_modulus_and_mask);
+  return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = r01, .snd = r1});
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.decompose_a2
+with const generics
+- GAMMA2= 261888
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2
+libcrux_ml_dsa_simd_avx2_decompose_a2_80(__m256i simd_unit) {
+  core_core_arch_x86___m256i_x2 uu____0 =
+      libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(simd_unit);
+  __m256i lower = uu____0.fst;
+  __m256i upper = uu____0.snd;
+  return (CLITERAL(libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2){
+      .fst = lower, .snd = upper});
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.decompose_vector
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 6
+- GAMMA2= 261888
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2
+    libcrux_ml_dsa_arithmetic_decompose_vector_fe(
+        libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector_low[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    vector_low[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector_high[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    vector_high[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) {
+    size_t i1 = i0;
+    for (size_t i = (size_t)0U;
+         i <
+         Eurydice_slice_len(Eurydice_array_to_slice(
+                                (size_t)32U, vector_low->simd_units, __m256i),
+                            __m256i);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 uu____0 =
+          libcrux_ml_dsa_simd_avx2_decompose_a2_80(t[i1].simd_units[j]);
+      __m256i low = uu____0.fst;
+      __m256i high = uu____0.snd;
+      vector_low[i1].simd_units[j] = low;
+      vector_high[i1].simd_units[j] = high;
+    }
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_vector_low[6U];
+  memcpy(
+      copy_of_vector_low, vector_low,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_vector_high[6U];
+  memcpy(
+      copy_of_vector_high, vector_high,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2
+      lit;
+  memcpy(
+      lit.fst, copy_of_vector_low,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  memcpy(
+      lit.snd, copy_of_vector_high,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re,
+    Eurydice_slice serialized) {
+  size_t output_bytes_per_simd_unit =
+      Eurydice_slice_len(serialized, uint8_t) / ((size_t)8U * (size_t)4U);
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i *simd_unit = &re.simd_units[i0];
+    libcrux_ml_dsa_simd_avx2_commitment_serialize_a2(
+        simd_unit[0U],
+        Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit,
+                                 (i0 + (size_t)1U) * output_bytes_per_simd_unit,
+                                 uint8_t));
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize_vector
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 6
+- RING_ELEMENT_SIZE= 128
+- OUTPUT_SIZE= 768
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_commitment_serialize_vector_ef(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector[6U],
+    uint8_t ret[768U]) {
+  uint8_t serialized[768U] = {0U};
+  size_t offset = (size_t)0U;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element =
+        &vector[_cloop_j];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        ring_element[0U];
+    libcrux_ml_dsa_encoding_commitment_serialize_ea(
+        uu____0, Eurydice_array_to_subslice2(serialized, offset,
+                                             offset + (size_t)128U, uint8_t));
+    offset = offset + (size_t)128U;
+  }
+  memcpy(ret, serialized, (size_t)768U * sizeof(uint8_t));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_challenge_ring_element
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_hash_functions_simd256_Shake256 with const generics
+- NUMBER_OF_ONES= 49
+- SEED_SIZE= 48
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(uint8_t seed[48U]) {
+  libcrux_sha3_portable_KeccakState state =
+      libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_d9(
+          Eurydice_array_to_slice((size_t)48U, seed, uint8_t));
+  uint8_t randomness0[136U];
+  libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_d9(&state,
+                                                               randomness0);
+  uint8_t ret[8U];
+  Result_15 dst;
+  Eurydice_slice_to_array2(
+      &dst,
+      Eurydice_array_to_subslice2(randomness0, (size_t)0U, (size_t)8U, uint8_t),
+      Eurydice_slice, uint8_t[8U]);
+  unwrap_26_68(dst, ret);
+  uint64_t signs = core_num__u64_9__from_le_bytes(ret);
+  int32_t result[256U] = {0U};
+  size_t out_index =
+      Eurydice_slice_len(Eurydice_array_to_slice((size_t)256U, result, int32_t),
+                         int32_t) -
+      (size_t)49U;
+  Eurydice_slice uu____0 = Eurydice_array_to_subslice_from(
+      (size_t)136U, randomness0, (size_t)8U, uint8_t, size_t);
+  bool done = libcrux_ml_dsa_sample_inside_out_shuffle(uu____0, &out_index,
+                                                       &signs, result);
+  while (true) {
+    if (done) {
+      break;
+    } else {
+      uint8_t randomness[136U];
+      libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_d9(&state,
+                                                                  randomness);
+      done = libcrux_ml_dsa_sample_inside_out_shuffle(
+          Eurydice_array_to_slice((size_t)136U, randomness, uint8_t),
+          &out_index, &signs, result);
+    }
+  }
+  return libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(
+      Eurydice_array_to_slice((size_t)256U, result, int32_t));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_1f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)5U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector_ring_element =
+        &vector[i0];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(
+            libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(vector_ring_element,
+                                                          ring_element));
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_a3(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector_ring_element =
+        &vector[i0];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(
+            libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(vector_ring_element,
+                                                          ring_element));
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_1f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        libcrux_ml_dsa_polynomial_add_ff_ea(&lhs[i0], &rhs[i0]);
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.subtract_ff
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_polynomial_subtract_ff_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 difference =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)32U, difference.simd_units, __m256i),
+                              __m256i);
+       i++) {
+    size_t i0 = i;
+    difference.simd_units[i0] = libcrux_ml_dsa_simd_avx2_subtract_a2(
+        &self->simd_units[i0], &rhs->simd_units[i0]);
+  }
+  return difference;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.subtract_vectors
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_subtract_vectors_a3(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        libcrux_ml_dsa_polynomial_subtract_ff_ea(&lhs[i0], &rhs[i0]);
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.infinity_norm_exceeds_ff
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline bool libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self, int32_t bound) {
+  bool exceeds = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, self->simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    bool uu____0;
+    if (exceeds) {
+      uu____0 = true;
+    } else {
+      uu____0 = libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_a2(
+          self->simd_units[i0], bound);
+    }
+    exceeds = uu____0;
+  }
+  return exceeds;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_1f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector[5U],
+    int32_t bound) {
+  bool exceeds = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)5U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element =
+        &vector[_cloop_j];
+    bool uu____0;
+    if (exceeds) {
+      uu____0 = true;
+    } else {
+      uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea(
+          ring_element, bound);
+    }
+    exceeds = uu____0;
+  }
+  return exceeds;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_a3(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector[6U],
+    int32_t bound) {
+  bool exceeds = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element =
+        &vector[_cloop_j];
+    bool uu____0;
+    if (exceeds) {
+      uu____0 = true;
+    } else {
+      uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea(
+          ring_element, bound);
+    }
+    exceeds = uu____0;
+  }
+  return exceeds;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_a3(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        libcrux_ml_dsa_polynomial_add_ff_ea(&lhs[i0], &rhs[i0]);
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+A monomorphic instance of K.
+with types size_t, libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+
+*/
+typedef struct tuple_25_s {
+  size_t fst;
+  __m256i snd;
+} tuple_25;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.compute_hint
+with const generics
+- GAMMA2= 261888
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE tuple_bb
+libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(__m256i low, __m256i high) {
+  __m256i gamma2 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)261888);
+  __m256i minus_gamma2 =
+      libcrux_intrinsics_avx2_mm256_set1_epi32(-(int32_t)261888);
+  __m256i low_within_bound = libcrux_intrinsics_avx2_mm256_cmpgt_epi32(
+      libcrux_intrinsics_avx2_mm256_abs_epi32(low), gamma2);
+  __m256i low_equals_minus_gamma2 =
+      libcrux_intrinsics_avx2_mm256_cmpeq_epi32(low, minus_gamma2);
+  __m256i low_equals_minus_gamma2_and_high_is_nonzero =
+      libcrux_intrinsics_avx2_mm256_sign_epi32(low_equals_minus_gamma2, high);
+  __m256i hints = libcrux_intrinsics_avx2_mm256_or_si256(
+      low_within_bound, low_equals_minus_gamma2_and_high_is_nonzero);
+  int32_t hints_mask = libcrux_intrinsics_avx2_mm256_movemask_ps(
+      libcrux_intrinsics_avx2_mm256_castsi256_ps(hints));
+  uint32_t uu____0 = core_num__i32_2__count_ones(hints_mask);
+  return (CLITERAL(tuple_bb){
+      .fst = (size_t)uu____0,
+      .snd = libcrux_intrinsics_avx2_mm256_and_si256(
+          hints, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1))});
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.compute_hint_a2
+with const generics
+- GAMMA2= 261888
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE tuple_25
+libcrux_ml_dsa_simd_avx2_compute_hint_a2_80(__m256i low, __m256i high) {
+  tuple_bb uu____0 =
+      libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(low, high);
+  size_t count = uu____0.fst;
+  __m256i hint = uu____0.snd;
+  return (CLITERAL(tuple_25){.fst = count, .snd = hint});
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.to_i32_array_ff
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self,
+    int32_t ret[256U]) {
+  int32_t result[256U] = {0U};
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, self->simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i *simd_unit = &self->simd_units[i0];
+    Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+        result, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT,
+        (i0 + (size_t)1U) *
+            LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT,
+        int32_t);
+    int32_t ret0[8U];
+    libcrux_ml_dsa_simd_avx2_to_coefficient_array_a2(simd_unit, ret0);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret0, int32_t), int32_t);
+  }
+  memcpy(ret, result, (size_t)256U * sizeof(int32_t));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.make_hint
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 6
+- GAMMA2= 261888
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE tuple_e6 libcrux_ml_dsa_arithmetic_make_hint_fe(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 low[6U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 high[6U]) {
+  int32_t hint[6U][256U] = {{0U}};
+  size_t true_hints = (size_t)0U;
+  for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 hint_simd =
+        libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                    (size_t)32U, hint_simd.simd_units, __m256i),
+                                __m256i);
+         i++) {
+      size_t j = i;
+      tuple_25 uu____0 = libcrux_ml_dsa_simd_avx2_compute_hint_a2_80(
+          low[i1].simd_units[j], high[i1].simd_units[j]);
+      size_t one_hints_count = uu____0.fst;
+      __m256i current_hint = uu____0.snd;
+      hint_simd.simd_units[j] = current_hint;
+      true_hints = true_hints + one_hints_count;
+    }
+    int32_t uu____1[256U];
+    libcrux_ml_dsa_polynomial_to_i32_array_ff_ea(&hint_simd, uu____1);
+    memcpy(hint[i1], uu____1, (size_t)256U * sizeof(int32_t));
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  int32_t copy_of_hint[6U][256U];
+  memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U]));
+  tuple_e6 lit;
+  memcpy(lit.fst, copy_of_hint, (size_t)6U * sizeof(int32_t[256U]));
+  lit.snd = true_hints;
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.signature.Signature
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- $48size_t
+- $5size_t
+- $6size_t
+*/
+typedef struct libcrux_ml_dsa_encoding_signature_Signature_ca_s {
+  uint8_t commitment_hash[48U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U];
+  int32_t hint[6U][256U];
+} libcrux_ml_dsa_encoding_signature_Signature_ca;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.gamma1.serialize
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_36(
+    __m256i simd_unit, Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_19(
+      simd_unit, serialized);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.gamma1_serialize_a2
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_gamma1_serialize_a2_36(
+    __m256i simd_unit, Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_36(simd_unit, serialized);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.serialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_serialize_05(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re,
+    Eurydice_slice serialized) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i *simd_unit = &re.simd_units[i0];
+    libcrux_ml_dsa_simd_avx2_gamma1_serialize_a2_36(
+        simd_unit[0U],
+        Eurydice_slice_subslice2(serialized, i0 * ((size_t)19U + (size_t)1U),
+                                 (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U),
+                                 uint8_t));
+  }
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::encoding::signature::Signature<SIMDUnit, COMMITMENT_HASH_SIZE,
+COLUMNS_IN_A, ROWS_IN_A>[TraitClause@0, TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.signature.serialize_92
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- COMMITMENT_HASH_SIZE= 48
+- COLUMNS_IN_A= 5
+- ROWS_IN_A= 6
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- MAX_ONES_IN_HINT= 55
+- SIGNATURE_SIZE= 3309
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_92_cc(
+    libcrux_ml_dsa_encoding_signature_Signature_ca *self, uint8_t ret[3309U]) {
+  uint8_t signature[3309U] = {0U};
+  size_t offset = (size_t)0U;
+  Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+      signature, offset, offset + (size_t)48U, uint8_t);
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_slice((size_t)48U, self->commitment_hash, uint8_t),
+      uint8_t);
+  offset = offset + (size_t)48U;
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 =
+        self->signer_response[i0];
+    libcrux_ml_dsa_encoding_gamma1_serialize_05(
+        uu____1, Eurydice_array_to_subslice2(signature, offset,
+                                             offset + (size_t)640U, uint8_t));
+    offset = offset + (size_t)640U;
+  }
+  size_t true_hints_seen = (size_t)0U;
+  for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) {
+    size_t i1 = i0;
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice((size_t)256U, self->hint[i1], int32_t),
+                 int32_t);
+         i++) {
+      size_t j = i;
+      if (self->hint[i1][j] == (int32_t)1) {
+        signature[offset + true_hints_seen] = (uint8_t)j;
+        true_hints_seen++;
+      }
+    }
+    signature[offset + (size_t)55U + i1] = (uint8_t)true_hints_seen;
+  }
+  memcpy(ret, signature, (size_t)3309U * sizeof(uint8_t));
+}
+
+/**
+ The internal signing API.
+
+ If no `domain_separation_context` is supplied, it is assumed that
+ `message` already contains the domain separation.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_samplex4_avx2_AVX2Sampler,
+libcrux_ml_dsa_hash_functions_simd256_Shake128x4,
+libcrux_ml_dsa_hash_functions_simd256_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b(
+    uint8_t *signing_key, Eurydice_slice message,
+    Option_84 domain_separation_context, uint8_t randomness[32U]) {
+  tuple_f00 uu____0 =
+      libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_b6(signing_key);
+  uint8_t seed_for_A[32U];
+  memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t));
+  uint8_t seed_for_signing[32U];
+  memcpy(seed_for_signing, uu____0.snd, (size_t)32U * sizeof(uint8_t));
+  uint8_t verification_key_hash[64U];
+  memcpy(verification_key_hash, uu____0.thd, (size_t)64U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_as_ntt[5U];
+  memcpy(
+      s1_as_ntt, uu____0.f3,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2_as_ntt[6U];
+  memcpy(
+      s2_as_ntt, uu____0.f4,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0_as_ntt[6U];
+  memcpy(
+      t0_as_ntt, uu____0.f5,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A_as_ntt[6U][5U];
+  uint8_t ret[34U];
+  libcrux_ml_dsa_utils_into_padded_array_b6(
+      Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret);
+  libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(ret, A_as_ntt);
+  uint8_t message_representative[64U] = {0U};
+  uint8_t uu____1[64U];
+  memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t));
+  libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b(
+      uu____1, domain_separation_context, message, message_representative);
+  uint8_t mask_seed[64U] = {0U};
+  libcrux_sha3_portable_incremental_Shake256Xof shake0 =
+      libcrux_ml_dsa_hash_functions_portable_init_83();
+  libcrux_ml_dsa_hash_functions_portable_absorb_83(
+      &shake0, Eurydice_array_to_slice((size_t)32U, seed_for_signing, uint8_t));
+  libcrux_ml_dsa_hash_functions_portable_absorb_83(
+      &shake0, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t));
+  libcrux_ml_dsa_hash_functions_portable_absorb_final_83(
+      &shake0,
+      Eurydice_array_to_slice((size_t)64U, message_representative, uint8_t));
+  libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+      &shake0, Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t));
+  uint16_t domain_separator_for_mask = 0U;
+  int32_t BETA = (int32_t)((size_t)49U * (size_t)4U);
+  size_t attempt = (size_t)0U;
+  Option_67 commitment_hash0 = {.tag = None};
+  Option_a4 signer_response0 = {.tag = None};
+  Option_f0 hint0 = {.tag = None};
+  while (true) {
+    if (attempt < LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN) {
+      attempt++;
+      uint8_t uu____2[66U];
+      libcrux_ml_dsa_utils_into_padded_array_20(
+          Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t), uu____2);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 mask[5U];
+      libcrux_ml_dsa_sample_sample_mask_vector_51(
+          uu____2, &domain_separator_for_mask, mask);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A_times_mask[6U];
+      libcrux_ml_dsa_matrix_compute_A_times_mask_fe(A_as_ntt, mask,
+                                                    A_times_mask);
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+          copy_of_A_times_mask[6U];
+      memcpy(copy_of_A_times_mask, A_times_mask,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2
+          uu____4 = libcrux_ml_dsa_arithmetic_decompose_vector_fe(
+              copy_of_A_times_mask);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 w0[6U];
+      memcpy(w0, uu____4.fst,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 commitment[6U];
+      memcpy(commitment, uu____4.snd,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      uint8_t commitment_hash_candidate[48U] = {0U};
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+          copy_of_commitment0[6U];
+      memcpy(copy_of_commitment0, commitment,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      uint8_t commitment_serialized[768U];
+      libcrux_ml_dsa_encoding_commitment_serialize_vector_ef(
+          copy_of_commitment0, commitment_serialized);
+      libcrux_sha3_portable_incremental_Shake256Xof shake =
+          libcrux_ml_dsa_hash_functions_portable_init_83();
+      libcrux_ml_dsa_hash_functions_portable_absorb_83(
+          &shake, Eurydice_array_to_slice((size_t)64U, message_representative,
+                                          uint8_t));
+      libcrux_ml_dsa_hash_functions_portable_absorb_final_83(
+          &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized,
+                                          uint8_t));
+      libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+          &shake, Eurydice_array_to_slice((size_t)48U,
+                                          commitment_hash_candidate, uint8_t));
+      /* Passing arrays by value in Rust generates a copy in C */
+      uint8_t copy_of_commitment_hash_candidate[48U];
+      memcpy(copy_of_commitment_hash_candidate, commitment_hash_candidate,
+             (size_t)48U * sizeof(uint8_t));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+          verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ea(
+              libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(
+                  copy_of_commitment_hash_candidate));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 challenge_times_s1[5U];
+      libcrux_ml_dsa_matrix_vector_times_ring_element_1f(
+          s1_as_ntt, &verifier_challenge_as_ntt, challenge_times_s1);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 challenge_times_s2[6U];
+      libcrux_ml_dsa_matrix_vector_times_ring_element_a3(
+          s2_as_ntt, &verifier_challenge_as_ntt, challenge_times_s2);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+          signer_response_candidate[5U];
+      libcrux_ml_dsa_matrix_add_vectors_1f(mask, challenge_times_s1,
+                                           signer_response_candidate);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+          w0_minus_challenge_times_s2[6U];
+      libcrux_ml_dsa_matrix_subtract_vectors_a3(w0, challenge_times_s2,
+                                                w0_minus_challenge_times_s2);
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+          copy_of_signer_response_candidate[5U];
+      memcpy(copy_of_signer_response_candidate, signer_response_candidate,
+             (size_t)5U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_1f(
+              copy_of_signer_response_candidate,
+              ((int32_t)1 << (uint32_t)(size_t)19U) - BETA)) {
+        /* Passing arrays by value in Rust generates a copy in C */
+        libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+            copy_of_w0_minus_challenge_times_s2[6U];
+        memcpy(copy_of_w0_minus_challenge_times_s2, w0_minus_challenge_times_s2,
+               (size_t)6U *
+                   sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+        if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_a3(
+                copy_of_w0_minus_challenge_times_s2, (int32_t)261888 - BETA)) {
+          libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+              challenge_times_t0[6U];
+          libcrux_ml_dsa_matrix_vector_times_ring_element_a3(
+              t0_as_ntt, &verifier_challenge_as_ntt, challenge_times_t0);
+          /* Passing arrays by value in Rust generates a copy in C */
+          libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+              copy_of_challenge_times_t0[6U];
+          memcpy(
+              copy_of_challenge_times_t0, challenge_times_t0,
+              (size_t)6U *
+                  sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+          if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_a3(
+                  copy_of_challenge_times_t0, (int32_t)261888)) {
+            libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+                w0_minus_c_times_s2_plus_c_times_t0[6U];
+            libcrux_ml_dsa_matrix_add_vectors_a3(
+                w0_minus_challenge_times_s2, challenge_times_t0,
+                w0_minus_c_times_s2_plus_c_times_t0);
+            /* Passing arrays by value in Rust generates a copy in C */
+            libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+                copy_of_w0_minus_c_times_s2_plus_c_times_t0[6U];
+            memcpy(
+                copy_of_w0_minus_c_times_s2_plus_c_times_t0,
+                w0_minus_c_times_s2_plus_c_times_t0,
+                (size_t)6U *
+                    sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+            /* Passing arrays by value in Rust generates a copy in C */
+            libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+                copy_of_commitment[6U];
+            memcpy(
+                copy_of_commitment, commitment,
+                (size_t)6U *
+                    sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+            tuple_e6 uu____12 = libcrux_ml_dsa_arithmetic_make_hint_fe(
+                copy_of_w0_minus_c_times_s2_plus_c_times_t0,
+                copy_of_commitment);
+            int32_t hint_candidate[6U][256U];
+            memcpy(hint_candidate, uu____12.fst,
+                   (size_t)6U * sizeof(int32_t[256U]));
+            size_t ones_in_hint = uu____12.snd;
+            if (!(ones_in_hint > (size_t)55U)) {
+              attempt = LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN;
+              /* Passing arrays by value in Rust generates a copy in C */
+              uint8_t copy_of_commitment_hash_candidate0[48U];
+              memcpy(copy_of_commitment_hash_candidate0,
+                     commitment_hash_candidate, (size_t)48U * sizeof(uint8_t));
+              Option_67 lit0;
+              lit0.tag = Some;
+              memcpy(lit0.f0, copy_of_commitment_hash_candidate0,
+                     (size_t)48U * sizeof(uint8_t));
+              commitment_hash0 = lit0;
+              /* Passing arrays by value in Rust generates a copy in C */
+              libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+                  copy_of_signer_response_candidate0[5U];
+              memcpy(
+                  copy_of_signer_response_candidate0, signer_response_candidate,
+                  (size_t)5U *
+                      sizeof(
+                          libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+              Option_a4 lit1;
+              lit1.tag = Some;
+              memcpy(
+                  lit1.f0, copy_of_signer_response_candidate0,
+                  (size_t)5U *
+                      sizeof(
+                          libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+              signer_response0 = lit1;
+              /* Passing arrays by value in Rust generates a copy in C */
+              int32_t copy_of_hint_candidate[6U][256U];
+              memcpy(copy_of_hint_candidate, hint_candidate,
+                     (size_t)6U * sizeof(int32_t[256U]));
+              Option_f0 lit;
+              lit.tag = Some;
+              memcpy(lit.f0, copy_of_hint_candidate,
+                     (size_t)6U * sizeof(int32_t[256U]));
+              hint0 = lit;
+            }
+          }
+        }
+      }
+    } else {
+      break;
+    }
+  }
+  Result_2e uu____16;
+  if (commitment_hash0.tag == None) {
+    uu____16 = (CLITERAL(Result_2e){
+        .tag = Err,
+        .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}});
+  } else {
+    uint8_t commitment_hash1[48U];
+    memcpy(commitment_hash1, commitment_hash0.f0,
+           (size_t)48U * sizeof(uint8_t));
+    uint8_t commitment_hash[48U];
+    memcpy(commitment_hash, commitment_hash1, (size_t)48U * sizeof(uint8_t));
+    if (signer_response0.tag == None) {
+      uu____16 = (CLITERAL(Result_2e){
+          .tag = Err,
+          .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}});
+    } else {
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response1[5U];
+      memcpy(signer_response1, signer_response0.f0,
+             (size_t)5U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U];
+      memcpy(signer_response, signer_response1,
+             (size_t)5U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      if (hint0.tag == None) {
+        uu____16 = (CLITERAL(Result_2e){
+            .tag = Err,
+            .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}});
+      } else {
+        int32_t hint1[6U][256U];
+        memcpy(hint1, hint0.f0, (size_t)6U * sizeof(int32_t[256U]));
+        int32_t hint[6U][256U];
+        memcpy(hint, hint1, (size_t)6U * sizeof(int32_t[256U]));
+        /* Passing arrays by value in Rust generates a copy in C */
+        uint8_t copy_of_commitment_hash[48U];
+        memcpy(copy_of_commitment_hash, commitment_hash,
+               (size_t)48U * sizeof(uint8_t));
+        /* Passing arrays by value in Rust generates a copy in C */
+        libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+            copy_of_signer_response[5U];
+        memcpy(copy_of_signer_response, signer_response,
+               (size_t)5U *
+                   sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+        /* Passing arrays by value in Rust generates a copy in C */
+        int32_t copy_of_hint[6U][256U];
+        memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U]));
+        uint8_t signature[3309U];
+        libcrux_ml_dsa_encoding_signature_Signature_ca lit0;
+        memcpy(lit0.commitment_hash, copy_of_commitment_hash,
+               (size_t)48U * sizeof(uint8_t));
+        memcpy(lit0.signer_response, copy_of_signer_response,
+               (size_t)5U *
+                   sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+        memcpy(lit0.hint, copy_of_hint, (size_t)6U * sizeof(int32_t[256U]));
+        libcrux_ml_dsa_encoding_signature_serialize_92_cc(&lit0, signature);
+        /* Passing arrays by value in Rust generates a copy in C */
+        uint8_t copy_of_signature[3309U];
+        memcpy(copy_of_signature, signature, (size_t)3309U * sizeof(uint8_t));
+        Result_2e lit;
+        lit.tag = Ok;
+        lit.val.case_Ok = libcrux_ml_dsa_types_new_8f_fa(copy_of_signature);
+        uu____16 = lit;
+        return uu____16;
+      }
+    }
+  }
+  return uu____16;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_samplex4_avx2_AVX2Sampler,
+libcrux_ml_dsa_hash_functions_simd256_Shake128x4,
+libcrux_ml_dsa_hash_functions_simd256_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_6b(
+    uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t randomness[32U]) {
+  Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45(
+      context, (CLITERAL(Option_30){.tag = None}));
+  Result_2e uu____1;
+  if (uu____0.tag == Ok) {
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok;
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context =
+        dsc;
+    uint8_t *uu____2 = signing_key;
+    Eurydice_slice uu____3 = message;
+    Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context};
+    /* Passing arrays by value in Rust generates a copy in C */
+    uint8_t copy_of_randomness[32U];
+    memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+    uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b(
+        uu____2, uu____3, uu____4, copy_of_randomness);
+  } else {
+    uu____1 = (CLITERAL(Result_2e){
+        .tag = Err,
+        .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}});
+  }
+  return uu____1;
+}
+
+/**
+ Sign.
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign with const
+generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_2e
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3(
+    uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t randomness[32U]) {
+  uint8_t *uu____0 = signing_key;
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_sign_6b(uu____0, uu____1, uu____2,
+                                               copy_of_randomness);
+}
+
+/**
+ Sign.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Result_2e
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3(
+    uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t randomness[32U]) {
+  uint8_t *uu____0 = signing_key;
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3(
+      uu____0, uu____1, uu____2, copy_of_randomness);
+}
+
+/**
+ Generate an ML-DSA-65 Signature
+
+ The parameter `context` is used for domain separation
+ and is a byte string of length at most 255 bytes. It
+ may also be empty.
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign(
+    libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key,
+    Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) {
+  uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key);
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3(
+      uu____0, uu____1, uu____2, copy_of_randomness);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_samplex4_avx2_AVX2Sampler,
+libcrux_ml_dsa_hash_functions_portable_Shake128,
+libcrux_ml_dsa_hash_functions_simd256_Shake128x4,
+libcrux_ml_dsa_hash_functions_simd256_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_hash_functions_simd256_Shake256x4,
+libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics
+- PH_DIGEST_LEN= 256
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Result_2e
+libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_b7(uint8_t *signing_key,
+                                                 Eurydice_slice message,
+                                                 Eurydice_slice context,
+                                                 uint8_t randomness[32U]) {
+  Result_2e uu____0;
+  if (Eurydice_slice_len(context, uint8_t) >
+      LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) {
+    uu____0 = (CLITERAL(Result_2e){
+        .tag = Err,
+        .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}});
+  } else {
+    uint8_t pre_hashed_message[256U];
+    libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message);
+    Eurydice_slice uu____1 = context;
+    Option_30 lit;
+    lit.tag = Some;
+    uint8_t ret[11U];
+    libcrux_ml_dsa_pre_hash_oid_bd(ret);
+    memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t));
+    Result_a8 uu____2 = libcrux_ml_dsa_pre_hash_new_45(uu____1, lit);
+    if (uu____2.tag == Ok) {
+      libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____2.val.case_Ok;
+      libcrux_ml_dsa_pre_hash_DomainSeparationContext
+          domain_separation_context = dsc;
+      uint8_t *uu____3 = signing_key;
+      Eurydice_slice uu____4 =
+          Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t);
+      Option_84 uu____5 = {.tag = Some, .f0 = domain_separation_context};
+      /* Passing arrays by value in Rust generates a copy in C */
+      uint8_t copy_of_randomness[32U];
+      memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+      uu____0 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b(
+          uu____3, uu____4, uu____5, copy_of_randomness);
+    } else {
+      uu____0 = (CLITERAL(Result_2e){
+          .tag = Err,
+          .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}});
+    }
+  }
+  return uu____0;
+}
+
+/**
+ Sign (pre-hashed).
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign_pre_hashed_shake128
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_2e
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3(
+    uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t randomness[32U]) {
+  uint8_t *uu____0 = signing_key;
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_b7(
+      uu____0, uu____1, uu____2, copy_of_randomness);
+}
+
+/**
+ Sign (pre-hashed).
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign_pre_hashed_shake128 with
+const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_2e
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3(
+    uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t randomness[32U]) {
+  uint8_t *uu____0 = signing_key;
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3(
+      uu____0, uu____1, uu____2, copy_of_randomness);
+}
+
+/**
+ Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing
+
+ The parameter `context` is used for domain separation
+ and is a byte string of length at most 255 bytes. It
+ may also be empty.
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign_pre_hashed_shake128(
+    libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key,
+    Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) {
+  uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key);
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3(
+      uu____0, uu____1, uu____2, copy_of_randomness);
+}
+
+/**
+A monomorphic instance of K.
+with types uint8_t[32size_t], libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t]
+
+*/
+typedef struct tuple_930_s {
+  uint8_t fst[32U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U];
+} tuple_930;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.t1.deserialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_dsa_encoding_t1_deserialize_ea(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)32U, result->simd_units, __m256i),
+                              __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i uu____0 =
+        libcrux_ml_dsa_simd_avx2_t1_deserialize_a2(Eurydice_slice_subslice2(
+            serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW,
+            (i0 + (size_t)1U) * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW,
+            uint8_t));
+    result->simd_units[i0] = uu____0;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.verification_key.deserialize
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- VERIFICATION_KEY_SIZE= 1952
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE tuple_930
+libcrux_ml_dsa_encoding_verification_key_deserialize_fe(uint8_t *serialized) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
+      Eurydice_array_to_slice((size_t)1952U, serialized, uint8_t),
+      LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t,
+      Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_A = uu____0.fst;
+  Eurydice_slice serialized_remaining = uu____0.snd;
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_encoding_t1_deserialize_ea(
+        Eurydice_slice_subslice2(
+            serialized_remaining,
+            i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE,
+            (i0 + (size_t)1U) *
+                LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE,
+            uint8_t),
+        &t1[i0]);
+  }
+  uint8_t uu____1[32U];
+  Result_fb dst;
+  Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U]);
+  unwrap_26_b3(dst, uu____1);
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U];
+  memcpy(
+      copy_of_t1, t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  tuple_930 lit;
+  memcpy(lit.fst, uu____1, (size_t)32U * sizeof(uint8_t));
+  memcpy(
+      lit.snd, copy_of_t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  return lit;
+}
+
+/**
+A monomorphic instance of core.result.Result
+with types libcrux_ml_dsa_encoding_signature_Signature
+libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[[$6size_t]][[$5size_t]][[$48size_t]],
+libcrux_ml_dsa_types_VerificationError
+
+*/
+typedef struct Result_ef0_s {
+  Result_a9_tags tag;
+  union {
+    libcrux_ml_dsa_encoding_signature_Signature_ca case_Ok;
+    libcrux_ml_dsa_types_VerificationError case_Err;
+  } val;
+} Result_ef0;
+
+/**
+This function found in impl
+{libcrux_ml_dsa::encoding::signature::Signature<SIMDUnit, COMMITMENT_HASH_SIZE,
+COLUMNS_IN_A, ROWS_IN_A>[TraitClause@0, TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.signature.deserialize_92
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- COMMITMENT_HASH_SIZE= 48
+- COLUMNS_IN_A= 5
+- ROWS_IN_A= 6
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- MAX_ONES_IN_HINT= 55
+- SIGNATURE_SIZE= 3309
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Result_ef0
+libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) {
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
+      Eurydice_array_to_slice((size_t)3309U, serialized, uint8_t), (size_t)48U,
+      uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice commitment_hash = uu____0.fst;
+  Eurydice_slice rest_of_serialized = uu____0.snd;
+  Eurydice_slice_uint8_t_x2 uu____1 =
+      Eurydice_slice_split_at(rest_of_serialized, (size_t)640U * (size_t)5U,
+                              uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice signer_response_serialized = uu____1.fst;
+  Eurydice_slice hint_serialized = uu____1.snd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    signer_response[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_encoding_gamma1_deserialize_05(
+        Eurydice_slice_subslice2(signer_response_serialized, i0 * (size_t)640U,
+                                 (i0 + (size_t)1U) * (size_t)640U, uint8_t),
+        &signer_response[i0]);
+  }
+  int32_t hint[6U][256U] = {{0U}};
+  size_t previous_true_hints_seen = (size_t)0U;
+  size_t i = (size_t)0U;
+  bool malformed_hint = false;
+  while (true) {
+    if (i < (size_t)6U) {
+      if (malformed_hint) {
+        break;
+      } else {
+        size_t current_true_hints_seen = (size_t)Eurydice_slice_index(
+            hint_serialized, (size_t)55U + i, uint8_t, uint8_t *);
+        size_t j;
+        bool uu____2;
+        bool uu____3;
+        size_t uu____4;
+        size_t uu____5;
+        bool uu____6;
+        size_t uu____7;
+        size_t uu____8;
+        bool uu____9;
+        uint8_t uu____10;
+        size_t uu____11;
+        uint8_t uu____12;
+        size_t uu____13;
+        size_t uu____14;
+        bool uu____15;
+        size_t uu____16;
+        size_t uu____17;
+        uint8_t uu____18;
+        size_t uu____19;
+        bool uu____20;
+        size_t uu____21;
+        if (!(current_true_hints_seen < previous_true_hints_seen)) {
+          if (!(previous_true_hints_seen > (size_t)55U)) {
+            j = previous_true_hints_seen;
+            while (true) {
+              uu____2 = malformed_hint;
+              if (uu____2) {
+                break;
+              } else {
+                uu____4 = j;
+                uu____5 = current_true_hints_seen;
+                uu____3 = uu____4 < uu____5;
+                if (uu____3) {
+                  uu____7 = j;
+                  uu____8 = previous_true_hints_seen;
+                  uu____6 = uu____7 > uu____8;
+                  if (uu____6) {
+                    uu____11 = j;
+                    uu____10 = Eurydice_slice_index(hint_serialized, uu____11,
+                                                    uint8_t, uint8_t *);
+                    uu____14 = j;
+                    uu____13 = uu____14 - (size_t)1U;
+                    uu____12 = Eurydice_slice_index(hint_serialized, uu____13,
+                                                    uint8_t, uint8_t *);
+                    uu____9 = uu____10 <= uu____12;
+                    if (uu____9) {
+                      malformed_hint = true;
+                      uu____15 = malformed_hint;
+                      if (!uu____15) {
+                        uu____16 = i;
+                        uu____19 = j;
+                        uu____18 = Eurydice_slice_index(
+                            hint_serialized, uu____19, uint8_t, uint8_t *);
+                        uu____17 = (size_t)uu____18;
+                        hint[uu____16][uu____17] = (int32_t)1;
+                        j++;
+                      }
+                      continue;
+                    }
+                  }
+                  uu____15 = malformed_hint;
+                  if (!uu____15) {
+                    uu____16 = i;
+                    uu____19 = j;
+                    uu____18 = Eurydice_slice_index(hint_serialized, uu____19,
+                                                    uint8_t, uint8_t *);
+                    uu____17 = (size_t)uu____18;
+                    hint[uu____16][uu____17] = (int32_t)1;
+                    j++;
+                  }
+                } else {
+                  break;
+                }
+              }
+            }
+            uu____20 = malformed_hint;
+            if (!uu____20) {
+              uu____21 = current_true_hints_seen;
+              previous_true_hints_seen = uu____21;
+              i++;
+            }
+            continue;
+          }
+        }
+        malformed_hint = true;
+        j = previous_true_hints_seen;
+        while (true) {
+          uu____2 = malformed_hint;
+          if (uu____2) {
+            break;
+          } else {
+            uu____4 = j;
+            uu____5 = current_true_hints_seen;
+            uu____3 = uu____4 < uu____5;
+            if (uu____3) {
+              uu____7 = j;
+              uu____8 = previous_true_hints_seen;
+              uu____6 = uu____7 > uu____8;
+              if (uu____6) {
+                uu____11 = j;
+                uu____10 = Eurydice_slice_index(hint_serialized, uu____11,
+                                                uint8_t, uint8_t *);
+                uu____14 = j;
+                uu____13 = uu____14 - (size_t)1U;
+                uu____12 = Eurydice_slice_index(hint_serialized, uu____13,
+                                                uint8_t, uint8_t *);
+                uu____9 = uu____10 <= uu____12;
+                if (uu____9) {
+                  malformed_hint = true;
+                  uu____15 = malformed_hint;
+                  if (!uu____15) {
+                    uu____16 = i;
+                    uu____19 = j;
+                    uu____18 = Eurydice_slice_index(hint_serialized, uu____19,
+                                                    uint8_t, uint8_t *);
+                    uu____17 = (size_t)uu____18;
+                    hint[uu____16][uu____17] = (int32_t)1;
+                    j++;
+                  }
+                  continue;
+                }
+              }
+              uu____15 = malformed_hint;
+              if (!uu____15) {
+                uu____16 = i;
+                uu____19 = j;
+                uu____18 = Eurydice_slice_index(hint_serialized, uu____19,
+                                                uint8_t, uint8_t *);
+                uu____17 = (size_t)uu____18;
+                hint[uu____16][uu____17] = (int32_t)1;
+                j++;
+              }
+            } else {
+              break;
+            }
+          }
+        }
+        uu____20 = malformed_hint;
+        if (!uu____20) {
+          uu____21 = current_true_hints_seen;
+          previous_true_hints_seen = uu____21;
+          i++;
+        }
+      }
+    } else {
+      break;
+    }
+  }
+  i = previous_true_hints_seen;
+  while (true) {
+    if (i < (size_t)55U) {
+      if (malformed_hint) {
+        break;
+      } else {
+        if (Eurydice_slice_index(hint_serialized, i, uint8_t, uint8_t *) !=
+            0U) {
+          malformed_hint = true;
+        }
+        i++;
+      }
+    } else {
+      break;
+    }
+  }
+  Result_ef0 uu____22;
+  if (malformed_hint) {
+    uu____22 = (CLITERAL(Result_ef0){
+        .tag = Err,
+        .val = {.case_Err = libcrux_ml_dsa_types_MalformedHintError}});
+  } else {
+    uint8_t uu____23[48U];
+    Result_ae dst;
+    Eurydice_slice_to_array2(&dst, commitment_hash, Eurydice_slice,
+                             uint8_t[48U]);
+    unwrap_26_28(dst, uu____23);
+    /* Passing arrays by value in Rust generates a copy in C */
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+        copy_of_signer_response[5U];
+    memcpy(copy_of_signer_response, signer_response,
+           (size_t)5U *
+               sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+    /* Passing arrays by value in Rust generates a copy in C */
+    int32_t copy_of_hint[6U][256U];
+    memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U]));
+    Result_ef0 lit;
+    lit.tag = Ok;
+    memcpy(lit.val.case_Ok.commitment_hash, uu____23,
+           (size_t)48U * sizeof(uint8_t));
+    memcpy(lit.val.case_Ok.signer_response, copy_of_signer_response,
+           (size_t)5U *
+               sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+    memcpy(lit.val.case_Ok.hint, copy_of_hint,
+           (size_t)6U * sizeof(int32_t[256U]));
+    uu____22 = lit;
+  }
+  return uu____22;
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.avx2.arithmetic.shift_left_then_reduce with const generics
+- SHIFT_BY= 13
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_arithmetic_shift_left_then_reduce_84(
+    __m256i simd_unit) {
+  __m256i shifted =
+      libcrux_intrinsics_avx2_mm256_slli_epi32((int32_t)13, simd_unit, __m256i);
+  __m256i quotient = libcrux_intrinsics_avx2_mm256_add_epi32(
+      shifted, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 22U));
+  __m256i quotient0 =
+      libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)23, quotient, __m256i);
+  __m256i quotient_times_field_modulus =
+      libcrux_intrinsics_avx2_mm256_mullo_epi32(
+          quotient0, libcrux_intrinsics_avx2_mm256_set1_epi32(
+                         LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS));
+  return libcrux_intrinsics_avx2_mm256_sub_epi32(shifted,
+                                                 quotient_times_field_modulus);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.shift_left_then_reduce_a2
+with const generics
+- SHIFT_BY= 13
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_shift_left_then_reduce_a2_84(__m256i simd_unit) {
+  return libcrux_ml_dsa_simd_avx2_arithmetic_shift_left_then_reduce_84(
+      simd_unit);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.shift_left_then_reduce
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- SHIFT_BY= 13
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+libcrux_ml_dsa_arithmetic_shift_left_then_reduce_68(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 out =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i),
+               __m256i);
+       i++) {
+    size_t i0 = i;
+    __m256i *simd_unit = &re.simd_units[i0];
+    out.simd_units[i0] =
+        libcrux_ml_dsa_simd_avx2_shift_left_then_reduce_a2_84(simd_unit[0U]);
+  }
+  return out;
+}
+
+/**
+ Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ))
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_w_approx
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_w_approx_fe(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*A_as_ntt)[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+        verifier_challenge_as_ntt,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)5U, signer_response,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 =
+        libcrux_ml_dsa_ntt_ntt_ea(signer_response[i0]);
+    signer_response[i0] = uu____0;
+  }
+  for (size_t i0 = (size_t)0U;
+       i0 < Eurydice_slice_len(
+                Eurydice_array_to_slice(
+                    (size_t)6U, A_as_ntt,
+                    libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]),
+                libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]);
+       i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *row = A_as_ntt[i1];
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)5U, row,
+                     libcrux_ml_dsa_polynomial_PolynomialRingElement_24),
+                 libcrux_ml_dsa_polynomial_PolynomialRingElement_24);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element =
+          &row[j];
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product =
+          libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(ring_element,
+                                                        &signer_response[j]);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 =
+          libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product);
+      result[i1] = uu____1;
+    }
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1_shifted =
+        libcrux_ml_dsa_arithmetic_shift_left_then_reduce_68(t1[i1]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1_shifted0 =
+        libcrux_ml_dsa_ntt_ntt_ea(t1_shifted);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+        challenge_times_t1_shifted =
+            libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(
+                &verifier_challenge_as_ntt, &t1_shifted0);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 =
+        libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(
+            libcrux_ml_dsa_polynomial_subtract_ff_ea(
+                &result[i1], &challenge_times_t1_shifted));
+    result[i1] = uu____2;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.use_hint
+with const generics
+- GAMMA2= 261888
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_arithmetic_use_hint_80(__m256i r, __m256i hint) {
+  core_core_arch_x86___m256i_x2 uu____0 =
+      libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(r);
+  __m256i r0 = uu____0.fst;
+  __m256i r1 = uu____0.snd;
+  __m256i all_zeros = libcrux_intrinsics_avx2_mm256_setzero_si256();
+  __m256i negate_hints =
+      libcrux_intrinsics_avx2_vec256_blendv_epi32(all_zeros, hint, r0);
+  __m256i negate_hints0 = libcrux_intrinsics_avx2_mm256_slli_epi32(
+      (int32_t)1, negate_hints, __m256i);
+  __m256i hints = libcrux_intrinsics_avx2_mm256_sub_epi32(hint, negate_hints0);
+  __m256i r1_plus_hints = libcrux_intrinsics_avx2_mm256_add_epi32(r1, hints);
+  return libcrux_intrinsics_avx2_mm256_and_si256(
+      r1_plus_hints, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)15));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.avx2.use_hint_a2
+with const generics
+- GAMMA2= 261888
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_dsa_simd_avx2_use_hint_a2_80(__m256i simd_unit, __m256i hint) {
+  return libcrux_ml_dsa_simd_avx2_arithmetic_use_hint_80(simd_unit, hint);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.use_hint
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit
+with const generics
+- DIMENSION= 6
+- GAMMA2= 261888
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_fe(
+    int32_t hint[6U][256U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re_vector[6U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea();
+  }
+  for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 hint_simd =
+        libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(
+            Eurydice_array_to_slice((size_t)256U, hint[i1], int32_t));
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                    (size_t)32U, result->simd_units, __m256i),
+                                __m256i);
+         i++) {
+      size_t j = i;
+      __m256i uu____0 = libcrux_ml_dsa_simd_avx2_use_hint_a2_80(
+          re_vector[i1].simd_units[j], hint_simd.simd_units[j]);
+      result[i1].simd_units[j] = uu____0;
+    }
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+}
+
+/**
+ The internal verification API.
+
+ If no `domain_separation_context` is supplied, it is assumed that
+ `message` already contains the domain separation.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_samplex4_avx2_AVX2Sampler,
+libcrux_ml_dsa_hash_functions_simd256_Shake128x4,
+libcrux_ml_dsa_hash_functions_simd256_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Result_41
+libcrux_ml_dsa_ml_dsa_generic_verify_internal_44(
+    uint8_t *verification_key_serialized, Eurydice_slice message,
+    Option_84 domain_separation_context, uint8_t *signature_serialized) {
+  tuple_930 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_fe(
+      verification_key_serialized);
+  uint8_t seed_for_A[32U];
+  memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U];
+  memcpy(
+      t1, uu____0.snd,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+  Result_ef0 uu____1 =
+      libcrux_ml_dsa_encoding_signature_deserialize_92_cc(signature_serialized);
+  Result_41 uu____2;
+  if (uu____1.tag == Ok) {
+    libcrux_ml_dsa_encoding_signature_Signature_ca s = uu____1.val.case_Ok;
+    libcrux_ml_dsa_encoding_signature_Signature_ca signature = s;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____3[5U];
+    memcpy(uu____3, signature.signer_response,
+           (size_t)5U *
+               sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+    if (libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_1f(
+            uu____3, ((int32_t)2 << (uint32_t)(size_t)19U) - (int32_t)196)) {
+      uu____2 = (CLITERAL(Result_41){
+          .tag = Err,
+          .f0 = libcrux_ml_dsa_types_SignerResponseExceedsBoundError});
+    } else {
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A_as_ntt[6U][5U];
+      uint8_t ret[34U];
+      libcrux_ml_dsa_utils_into_padded_array_b6(
+          Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret);
+      libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(ret, A_as_ntt);
+      uint8_t verification_key_hash[64U] = {0U};
+      libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24(
+          Eurydice_array_to_slice((size_t)1952U, verification_key_serialized,
+                                  uint8_t),
+          verification_key_hash);
+      uint8_t message_representative[64U] = {0U};
+      uint8_t uu____4[64U];
+      memcpy(uu____4, verification_key_hash, (size_t)64U * sizeof(uint8_t));
+      libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b(
+          uu____4, domain_separation_context, message, message_representative);
+      uint8_t uu____5[48U];
+      memcpy(uu____5, signature.commitment_hash, (size_t)48U * sizeof(uint8_t));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24
+          verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ea(
+              libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(uu____5));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24(*uu____6)[5U] =
+          A_as_ntt;
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____7[5U];
+      memcpy(uu____7, signature.signer_response,
+             (size_t)5U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____8 =
+          verifier_challenge_as_ntt;
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U];
+      memcpy(copy_of_t1, t1,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 w_approx[6U];
+      libcrux_ml_dsa_matrix_compute_w_approx_fe(uu____6, uu____7, uu____8,
+                                                copy_of_t1, w_approx);
+      uint8_t commitment_hash[48U] = {0U};
+      int32_t uu____10[6U][256U];
+      memcpy(uu____10, signature.hint, (size_t)6U * sizeof(int32_t[256U]));
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_w_approx[6U];
+      memcpy(copy_of_w_approx, w_approx,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 commitment[6U];
+      libcrux_ml_dsa_arithmetic_use_hint_fe(uu____10, copy_of_w_approx,
+                                            commitment);
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_commitment[6U];
+      memcpy(copy_of_commitment, commitment,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24));
+      uint8_t commitment_serialized[768U];
+      libcrux_ml_dsa_encoding_commitment_serialize_vector_ef(
+          copy_of_commitment, commitment_serialized);
+      libcrux_sha3_portable_incremental_Shake256Xof shake =
+          libcrux_ml_dsa_hash_functions_portable_init_83();
+      libcrux_ml_dsa_hash_functions_portable_absorb_83(
+          &shake, Eurydice_array_to_slice((size_t)64U, message_representative,
+                                          uint8_t));
+      libcrux_ml_dsa_hash_functions_portable_absorb_final_83(
+          &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized,
+                                          uint8_t));
+      libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+          &shake,
+          Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t));
+      if (core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq(
+              (size_t)48U, signature.commitment_hash, commitment_hash, uint8_t,
+              uint8_t, bool)) {
+        uu____2 = (CLITERAL(Result_41){.tag = Ok});
+      } else {
+        uu____2 = (CLITERAL(Result_41){
+            .tag = Err,
+            .f0 = libcrux_ml_dsa_types_CommitmentHashesDontMatchError});
+      }
+    }
+  } else {
+    libcrux_ml_dsa_types_VerificationError e = uu____1.val.case_Err;
+    uu____2 = (CLITERAL(Result_41){.tag = Err, .f0 = e});
+  }
+  return uu____2;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_samplex4_avx2_AVX2Sampler,
+libcrux_ml_dsa_hash_functions_simd256_Shake128x4,
+libcrux_ml_dsa_hash_functions_simd256_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_44(
+    uint8_t *verification_key_serialized, Eurydice_slice message,
+    Eurydice_slice context, uint8_t *signature_serialized) {
+  Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45(
+      context, (CLITERAL(Option_30){.tag = None}));
+  Result_41 uu____1;
+  if (uu____0.tag == Ok) {
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok;
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context =
+        dsc;
+    uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_44(
+        verification_key_serialized, message,
+        (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}),
+        signature_serialized);
+  } else {
+    uu____1 = (CLITERAL(Result_41){
+        .tag = Err,
+        .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError});
+  }
+  return uu____1;
+}
+
+/**
+ Verify.
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify with const
+generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_41
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01(
+    uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_verify_44(verification_key, message,
+                                                 context, signature);
+}
+
+/**
+ Verify.
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_41
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01(
+    uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01(
+      verification_key, message, context, signature);
+}
+
+/**
+ Verify an ML-DSA-65 Signature
+
+ The parameter `context` is used for domain separation
+ and is a byte string of length at most 255 bytes. It
+ may also be empty.
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_41 libcrux_ml_dsa_ml_dsa_65_avx2_verify(
+    libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key,
+    Eurydice_slice message, Eurydice_slice context,
+    libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01(
+      libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context,
+      libcrux_ml_dsa_types_as_ref_8f_fa(signature));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_pre_hashed
+with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit,
+libcrux_ml_dsa_samplex4_avx2_AVX2Sampler,
+libcrux_ml_dsa_hash_functions_portable_Shake128,
+libcrux_ml_dsa_hash_functions_simd256_Shake128x4,
+libcrux_ml_dsa_hash_functions_simd256_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics
+- PH_DIGEST_LEN= 256
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Result_41
+libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_f8(
+    uint8_t *verification_key_serialized, Eurydice_slice message,
+    Eurydice_slice context, uint8_t *signature_serialized) {
+  uint8_t pre_hashed_message[256U];
+  libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message);
+  Eurydice_slice uu____0 = context;
+  Option_30 lit;
+  lit.tag = Some;
+  uint8_t ret[11U];
+  libcrux_ml_dsa_pre_hash_oid_bd(ret);
+  memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t));
+  Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit);
+  Result_41 uu____2;
+  if (uu____1.tag == Ok) {
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok;
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context =
+        dsc;
+    uu____2 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_44(
+        verification_key_serialized,
+        Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t),
+        (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}),
+        signature_serialized);
+  } else {
+    uu____2 = (CLITERAL(Result_41){
+        .tag = Err,
+        .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError});
+  }
+  return uu____2;
+}
+
+/**
+ Verify (pre-hashed with SHAKE-128).
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify_pre_hashed_shake128
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_41
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01(
+    uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_f8(
+      verification_key, message, context, signature);
+}
+
+/**
+ Verify (pre-hashed with SHAKE-128).
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify_pre_hashed_shake128
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_41
+libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01(
+    uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01(
+      verification_key, message, context, signature);
+}
+
+/**
+ Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing
+
+ The parameter `context` is used for domain separation
+ and is a byte string of length at most 255 bytes. It
+ may also be empty.
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline Result_41
+libcrux_ml_dsa_ml_dsa_65_avx2_verify_pre_hashed_shake128(
+    libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key,
+    Eurydice_slice message, Eurydice_slice context,
+    libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01(
+      libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context,
+      libcrux_ml_dsa_types_as_ref_8f_fa(signature));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline bool
+libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_is_bit_set(
+    size_t number, uint8_t bit_position) {
+  return (number & (size_t)1U << (uint32_t)bit_position) >>
+             (uint32_t)bit_position ==
+         (size_t)1U;
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void
+libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_generate_shuffle_table(
+    uint8_t ret[16U][16U]) {
+  uint8_t byte_shuffles[16U][16U] = {
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U},
+      {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
+       255U, 255U, 255U, 255U}};
+  for (size_t i0 = (size_t)0U; i0 < (size_t)1U << 4U; i0++) {
+    size_t bit_pattern = i0;
+    size_t byte_shuffles_index = (size_t)0U;
+    for (uint8_t i = 0U; i < 4U; i = (uint32_t)i + 1U) {
+      uint8_t bit_position = i;
+      if (libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_is_bit_set(
+              bit_pattern, bit_position)) {
+        byte_shuffles[bit_pattern][byte_shuffles_index] =
+            (uint32_t)bit_position * 4U;
+        byte_shuffles_index++;
+        byte_shuffles[bit_pattern][byte_shuffles_index] =
+            (uint32_t)bit_position * 4U + 1U;
+        byte_shuffles_index++;
+        byte_shuffles[bit_pattern][byte_shuffles_index] =
+            (uint32_t)bit_position * 4U + 2U;
+        byte_shuffles_index++;
+        byte_shuffles[bit_pattern][byte_shuffles_index] =
+            (uint32_t)bit_position * 4U + 3U;
+        byte_shuffles_index++;
+      }
+    }
+  }
+  memcpy(ret, byte_shuffles, (size_t)16U * sizeof(uint8_t[16U]));
+}
+
+/**
+This function found in impl {(core::clone::Clone for
+libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)#1}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_clone_0f(
+    __m256i *self) {
+  return self[0U];
+}
+
+/**
+This function found in impl {(core::convert::From<core::core_arch::x86::__m256i>
+for libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_from_af(
+    __m256i coefficients) {
+  return coefficients;
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __libcrux_mldsa65_avx2_H_DEFINED
+#endif
diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h
new file mode 100644
index 000000000..13e99f9fc
--- /dev/null
+++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h
@@ -0,0 +1,8963 @@
+/*
+ * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
+ *
+ * SPDX-License-Identifier: MIT or Apache-2.0
+ *
+ * This code was generated with the following revisions:
+ * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79
+ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5
+ * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968
+ * F*: b0961063393215ca65927f017720cb365a193833-dirty
+ * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3
+ */
+
+#ifndef __libcrux_mldsa65_portable_H
+#define __libcrux_mldsa65_portable_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include "eurydice_glue.h"
+#include "libcrux_core.h"
+#include "libcrux_sha3_portable.h"
+
+#define LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT ((size_t)8U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
+
+#define LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT \
+  (LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT /    \
+   LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T ((size_t)13U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH \
+  ((size_t)23U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T         \
+  (LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - \
+   LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH ((size_t)64U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN ((size_t)255U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS ((int32_t)8380417)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_KEY_GENERATION_RANDOMNESS_SIZE ((size_t)32U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_MASK_SEED_SIZE ((size_t)64U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_MESSAGE_REPRESENTATIVE_SIZE ((size_t)64U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN ((size_t)814U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE \
+  (LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T *     \
+   LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE \
+  (LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T *     \
+   LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE ((size_t)32U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_ERROR_VECTORS_SIZE ((size_t)64U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE ((size_t)32U)
+
+#define LIBCRUX_ML_DSA_CONSTANTS_SIGNING_RANDOMNESS_SIZE ((size_t)32U)
+
+#define LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT ((size_t)13U)
+
+#define LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW ((size_t)10U)
+
+#define LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \
+  ((size_t)10U)
+
+typedef struct libcrux_ml_dsa_hash_functions_portable_Shake128X4_s {
+  libcrux_sha3_generic_keccak_KeccakState_17 state0;
+  libcrux_sha3_generic_keccak_KeccakState_17 state1;
+  libcrux_sha3_generic_keccak_KeccakState_17 state2;
+  libcrux_sha3_generic_keccak_KeccakState_17 state3;
+} libcrux_ml_dsa_hash_functions_portable_Shake128X4;
+
+static KRML_MUSTINLINE libcrux_ml_dsa_hash_functions_portable_Shake128X4
+libcrux_ml_dsa_hash_functions_portable_init_absorb(Eurydice_slice input0,
+                                                   Eurydice_slice input1,
+                                                   Eurydice_slice input2,
+                                                   Eurydice_slice input3) {
+  libcrux_sha3_generic_keccak_KeccakState_17 state0 =
+      libcrux_sha3_portable_incremental_shake128_init();
+  libcrux_sha3_portable_incremental_shake128_absorb_final(&state0, input0);
+  libcrux_sha3_generic_keccak_KeccakState_17 state1 =
+      libcrux_sha3_portable_incremental_shake128_init();
+  libcrux_sha3_portable_incremental_shake128_absorb_final(&state1, input1);
+  libcrux_sha3_generic_keccak_KeccakState_17 state2 =
+      libcrux_sha3_portable_incremental_shake128_init();
+  libcrux_sha3_portable_incremental_shake128_absorb_final(&state2, input2);
+  libcrux_sha3_generic_keccak_KeccakState_17 state3 =
+      libcrux_sha3_portable_incremental_shake128_init();
+  libcrux_sha3_portable_incremental_shake128_absorb_final(&state3, input3);
+  return (CLITERAL(libcrux_ml_dsa_hash_functions_portable_Shake128X4){
+      .state0 = state0, .state1 = state1, .state2 = state2, .state3 = state3});
+}
+
+typedef libcrux_sha3_portable_KeccakState
+    libcrux_ml_dsa_hash_functions_portable_Shake256;
+
+static KRML_MUSTINLINE libcrux_sha3_portable_KeccakState
+libcrux_ml_dsa_hash_functions_portable_init_absorb_final_shake256(
+    Eurydice_slice input) {
+  libcrux_sha3_generic_keccak_KeccakState_17 state =
+      libcrux_sha3_portable_incremental_shake256_init();
+  libcrux_sha3_portable_incremental_shake256_absorb_final(&state, input);
+  return state;
+}
+
+typedef struct libcrux_ml_dsa_hash_functions_portable_Shake256X4_s {
+  libcrux_sha3_generic_keccak_KeccakState_17 state0;
+  libcrux_sha3_generic_keccak_KeccakState_17 state1;
+  libcrux_sha3_generic_keccak_KeccakState_17 state2;
+  libcrux_sha3_generic_keccak_KeccakState_17 state3;
+} libcrux_ml_dsa_hash_functions_portable_Shake256X4;
+
+static KRML_MUSTINLINE libcrux_ml_dsa_hash_functions_portable_Shake256X4
+libcrux_ml_dsa_hash_functions_portable_init_absorb_x4(Eurydice_slice input0,
+                                                      Eurydice_slice input1,
+                                                      Eurydice_slice input2,
+                                                      Eurydice_slice input3) {
+  libcrux_sha3_generic_keccak_KeccakState_17 state0 =
+      libcrux_sha3_portable_incremental_shake256_init();
+  libcrux_sha3_portable_incremental_shake256_absorb_final(&state0, input0);
+  libcrux_sha3_generic_keccak_KeccakState_17 state1 =
+      libcrux_sha3_portable_incremental_shake256_init();
+  libcrux_sha3_portable_incremental_shake256_absorb_final(&state1, input1);
+  libcrux_sha3_generic_keccak_KeccakState_17 state2 =
+      libcrux_sha3_portable_incremental_shake256_init();
+  libcrux_sha3_portable_incremental_shake256_absorb_final(&state2, input2);
+  libcrux_sha3_generic_keccak_KeccakState_17 state3 =
+      libcrux_sha3_portable_incremental_shake256_init();
+  libcrux_sha3_portable_incremental_shake256_absorb_final(&state3, input3);
+  return (CLITERAL(libcrux_ml_dsa_hash_functions_portable_Shake256X4){
+      .state0 = state0, .state1 = state1, .state2 = state2, .state3 = state3});
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_shake256(
+    libcrux_sha3_portable_KeccakState *state, uint8_t ret[136U]) {
+  uint8_t out[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
+      state, Eurydice_array_to_slice((size_t)136U, out, uint8_t));
+  memcpy(ret, out, (size_t)136U * sizeof(uint8_t));
+}
+
+typedef struct uint8_t_136size_t__x4_s {
+  uint8_t fst[136U];
+  uint8_t snd[136U];
+  uint8_t thd[136U];
+  uint8_t f3[136U];
+} uint8_t_136size_t__x4;
+
+static KRML_MUSTINLINE uint8_t_136size_t__x4
+libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4(
+    libcrux_ml_dsa_hash_functions_portable_Shake256X4 *state) {
+  uint8_t out0[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
+      &state->state0, Eurydice_array_to_slice((size_t)136U, out0, uint8_t));
+  uint8_t out1[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
+      &state->state1, Eurydice_array_to_slice((size_t)136U, out1, uint8_t));
+  uint8_t out2[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
+      &state->state2, Eurydice_array_to_slice((size_t)136U, out2, uint8_t));
+  uint8_t out3[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
+      &state->state3, Eurydice_array_to_slice((size_t)136U, out3, uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out0[136U];
+  memcpy(copy_of_out0, out0, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out1[136U];
+  memcpy(copy_of_out1, out1, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out2[136U];
+  memcpy(copy_of_out2, out2, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out3[136U];
+  memcpy(copy_of_out3, out3, (size_t)136U * sizeof(uint8_t));
+  uint8_t_136size_t__x4 lit;
+  memcpy(lit.fst, copy_of_out0, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.snd, copy_of_out1, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.thd, copy_of_out2, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.f3, copy_of_out3, (size_t)136U * sizeof(uint8_t));
+  return lit;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks(
+    libcrux_ml_dsa_hash_functions_portable_Shake128X4 *state, uint8_t *out0,
+    uint8_t *out1, uint8_t *out2, uint8_t *out3) {
+  libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
+      &state->state0, Eurydice_array_to_slice((size_t)840U, out0, uint8_t));
+  libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
+      &state->state1, Eurydice_array_to_slice((size_t)840U, out1, uint8_t));
+  libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
+      &state->state2, Eurydice_array_to_slice((size_t)840U, out2, uint8_t));
+  libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
+      &state->state3, Eurydice_array_to_slice((size_t)840U, out3, uint8_t));
+}
+
+typedef struct uint8_t_168size_t__x4_s {
+  uint8_t fst[168U];
+  uint8_t snd[168U];
+  uint8_t thd[168U];
+  uint8_t f3[168U];
+} uint8_t_168size_t__x4;
+
+static KRML_MUSTINLINE uint8_t_168size_t__x4
+libcrux_ml_dsa_hash_functions_portable_squeeze_next_block(
+    libcrux_ml_dsa_hash_functions_portable_Shake128X4 *state) {
+  uint8_t out0[168U] = {0U};
+  libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
+      &state->state0, Eurydice_array_to_slice((size_t)168U, out0, uint8_t));
+  uint8_t out1[168U] = {0U};
+  libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
+      &state->state1, Eurydice_array_to_slice((size_t)168U, out1, uint8_t));
+  uint8_t out2[168U] = {0U};
+  libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
+      &state->state2, Eurydice_array_to_slice((size_t)168U, out2, uint8_t));
+  uint8_t out3[168U] = {0U};
+  libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
+      &state->state3, Eurydice_array_to_slice((size_t)168U, out3, uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out0[168U];
+  memcpy(copy_of_out0, out0, (size_t)168U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out1[168U];
+  memcpy(copy_of_out1, out1, (size_t)168U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out2[168U];
+  memcpy(copy_of_out2, out2, (size_t)168U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out3[168U];
+  memcpy(copy_of_out3, out3, (size_t)168U * sizeof(uint8_t));
+  uint8_t_168size_t__x4 lit;
+  memcpy(lit.fst, copy_of_out0, (size_t)168U * sizeof(uint8_t));
+  memcpy(lit.snd, copy_of_out1, (size_t)168U * sizeof(uint8_t));
+  memcpy(lit.thd, copy_of_out2, (size_t)168U * sizeof(uint8_t));
+  memcpy(lit.f3, copy_of_out3, (size_t)168U * sizeof(uint8_t));
+  return lit;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_shake256(
+    libcrux_sha3_portable_KeccakState *state, uint8_t ret[136U]) {
+  uint8_t out[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
+      state, Eurydice_array_to_slice((size_t)136U, out, uint8_t));
+  memcpy(ret, out, (size_t)136U * sizeof(uint8_t));
+}
+
+static KRML_MUSTINLINE uint8_t_136size_t__x4
+libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4(
+    libcrux_ml_dsa_hash_functions_portable_Shake256X4 *state) {
+  uint8_t out0[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
+      &state->state0, Eurydice_array_to_slice((size_t)136U, out0, uint8_t));
+  uint8_t out1[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
+      &state->state1, Eurydice_array_to_slice((size_t)136U, out1, uint8_t));
+  uint8_t out2[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
+      &state->state2, Eurydice_array_to_slice((size_t)136U, out2, uint8_t));
+  uint8_t out3[136U] = {0U};
+  libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
+      &state->state3, Eurydice_array_to_slice((size_t)136U, out3, uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out0[136U];
+  memcpy(copy_of_out0, out0, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out1[136U];
+  memcpy(copy_of_out1, out1, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out2[136U];
+  memcpy(copy_of_out2, out2, (size_t)136U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out3[136U];
+  memcpy(copy_of_out3, out3, (size_t)136U * sizeof(uint8_t));
+  uint8_t_136size_t__x4 lit;
+  memcpy(lit.fst, copy_of_out0, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.snd, copy_of_out1, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.thd, copy_of_out2, (size_t)136U * sizeof(uint8_t));
+  memcpy(lit.f3, copy_of_out3, (size_t)136U * sizeof(uint8_t));
+  return lit;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4
+for libcrux_ml_dsa::hash_functions::portable::Shake128X4)}
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_hash_functions_portable_Shake128X4
+libcrux_ml_dsa_hash_functions_portable_init_absorb_ed(Eurydice_slice input0,
+                                                      Eurydice_slice input1,
+                                                      Eurydice_slice input2,
+                                                      Eurydice_slice input3) {
+  return libcrux_ml_dsa_hash_functions_portable_init_absorb(input0, input1,
+                                                            input2, input3);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4
+for libcrux_ml_dsa::hash_functions::portable::Shake128X4)}
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks_ed(
+    libcrux_ml_dsa_hash_functions_portable_Shake128X4 *self, uint8_t *out0,
+    uint8_t *out1, uint8_t *out2, uint8_t *out3) {
+  libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks(
+      self, out0, out1, out2, out3);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4
+for libcrux_ml_dsa::hash_functions::portable::Shake128X4)}
+*/
+static KRML_MUSTINLINE uint8_t_168size_t__x4
+libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(
+    libcrux_ml_dsa_hash_functions_portable_Shake128X4 *self) {
+  return libcrux_ml_dsa_hash_functions_portable_squeeze_next_block(self);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::portable::Shake256)#2}
+*/
+static KRML_MUSTINLINE libcrux_sha3_portable_KeccakState
+libcrux_ml_dsa_hash_functions_portable_init_absorb_final_5c(
+    Eurydice_slice input) {
+  return libcrux_ml_dsa_hash_functions_portable_init_absorb_final_shake256(
+      input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::portable::Shake256)#2}
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_5c(
+    libcrux_sha3_portable_KeccakState *self, uint8_t ret[136U]) {
+  libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_shake256(self,
+                                                                      ret);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::portable::Shake256)#2}
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_5c(
+    libcrux_sha3_portable_KeccakState *self, uint8_t ret[136U]) {
+  libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_shake256(self, ret);
+}
+
+typedef libcrux_sha3_portable_incremental_Shake256Xof
+    libcrux_ml_dsa_hash_functions_portable_Shake256Xof;
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::Xof for
+libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4}
+*/
+static inline void libcrux_ml_dsa_hash_functions_portable_absorb_83(
+    libcrux_sha3_portable_incremental_Shake256Xof *self, Eurydice_slice input) {
+  libcrux_sha3_portable_incremental_absorb_68(self, input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::Xof for
+libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4}
+*/
+static inline void libcrux_ml_dsa_hash_functions_portable_absorb_final_83(
+    libcrux_sha3_portable_incremental_Shake256Xof *self, Eurydice_slice input) {
+  libcrux_sha3_portable_incremental_absorb_final_68(self, input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::Xof for
+libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4}
+*/
+static inline libcrux_sha3_portable_incremental_Shake256Xof
+libcrux_ml_dsa_hash_functions_portable_init_83(void) {
+  return libcrux_sha3_portable_incremental_new_68();
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::Xof for
+libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4}
+*/
+static inline void libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+    libcrux_sha3_portable_incremental_Shake256Xof *self, Eurydice_slice out) {
+  libcrux_sha3_portable_incremental_squeeze_68(self, out);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3}
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_hash_functions_portable_Shake256X4
+libcrux_ml_dsa_hash_functions_portable_init_absorb_x4_50(
+    Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
+    Eurydice_slice input3) {
+  return libcrux_ml_dsa_hash_functions_portable_init_absorb_x4(input0, input1,
+                                                               input2, input3);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3}
+*/
+static KRML_MUSTINLINE uint8_t_136size_t__x4
+libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4_50(
+    libcrux_ml_dsa_hash_functions_portable_Shake256X4 *self) {
+  return libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4(self);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3}
+*/
+static KRML_MUSTINLINE uint8_t_136size_t__x4
+libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50(
+    libcrux_ml_dsa_hash_functions_portable_Shake256X4 *self) {
+  return libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4(self);
+}
+
+#define LIBCRUX_ML_DSA_HASH_FUNCTIONS_SHAKE128_BLOCK_SIZE ((size_t)168U)
+
+#define LIBCRUX_ML_DSA_HASH_FUNCTIONS_SHAKE128_FIVE_BLOCKS_SIZE \
+  (LIBCRUX_ML_DSA_HASH_FUNCTIONS_SHAKE128_BLOCK_SIZE * (size_t)5U)
+
+#define LIBCRUX_ML_DSA_HASH_FUNCTIONS_SHAKE256_BLOCK_SIZE ((size_t)136U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE ((size_t)49U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_ETA ((size_t)4U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_BETA                              \
+  ((int32_t)(LIBCRUX_ML_DSA_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE * \
+             LIBCRUX_ML_DSA_ML_DSA_65_ETA))
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_COMMITMENT_COEFFICIENT ((size_t)4U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_ERROR_COEFFICIENT ((size_t)4U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_GAMMA1_COEFFICIENT ((size_t)20U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A ((size_t)5U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_HASH_SIZE ((size_t)48U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE \
+  (LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_COMMITMENT_COEFFICIENT * \
+   LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A ((size_t)6U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_VECTOR_SIZE    \
+  (LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE * \
+   LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_ERROR_RING_ELEMENT_SIZE \
+  (LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_ERROR_COEFFICIENT * \
+   LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_GAMMA1_EXPONENT ((size_t)19U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE \
+  (LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_GAMMA1_COEFFICIENT * \
+   LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_GAMMA2 \
+  ((LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS - (int32_t)1) / (int32_t)32)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_MAX_ONES_IN_HINT ((size_t)55U)
+
+typedef libcrux_ml_dsa_types_MLDSASigningKey_22
+    libcrux_ml_dsa_ml_dsa_65_MLDSA65SigningKey;
+
+typedef libcrux_ml_dsa_types_MLDSAVerificationKey_ea
+    libcrux_ml_dsa_ml_dsa_65_MLDSA65VerificationKey;
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_SIGNATURE_SIZE            \
+  (LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_HASH_SIZE +         \
+   LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A *                 \
+       LIBCRUX_ML_DSA_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE + \
+   LIBCRUX_ML_DSA_ML_DSA_65_MAX_ONES_IN_HINT +             \
+   LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_SIGNING_KEY_SIZE             \
+  (LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE +                 \
+   LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE +           \
+   LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH + \
+   (LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A +                      \
+    LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A) *                  \
+       LIBCRUX_ML_DSA_ML_DSA_65_ERROR_RING_ELEMENT_SIZE +     \
+   LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A *                       \
+       LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE)
+
+#define LIBCRUX_ML_DSA_ML_DSA_65_VERIFICATION_KEY_SIZE                \
+  (LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE +                         \
+   LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT *            \
+       LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A *                           \
+       (LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - \
+        LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) /           \
+       (size_t)8U)
+
+#define LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS ((int32_t)8380417)
+
+#define LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \
+  (58728449ULL)
+
+typedef struct uint8_t_x2_s {
+  uint8_t fst;
+  uint8_t snd;
+} uint8_t_x2;
+
+static KRML_MUSTINLINE uint16_t
+libcrux_ml_dsa_sample_generate_domain_separator(uint8_t_x2 _) {
+  uint8_t row = _.fst;
+  uint8_t column = _.snd;
+  return (uint32_t)(uint16_t)column | (uint32_t)(uint16_t)row << 8U;
+}
+
+typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s {
+  Eurydice_slice context;
+  Option_30 pre_hash_oid;
+} libcrux_ml_dsa_pre_hash_DomainSeparationContext;
+
+#define libcrux_ml_dsa_pre_hash_ContextTooLongError 0
+
+typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError;
+
+/**
+A monomorphic instance of core.result.Result
+with types libcrux_ml_dsa_pre_hash_DomainSeparationContext,
+libcrux_ml_dsa_pre_hash_DomainSeparationError
+
+*/
+typedef struct Result_a8_s {
+  Result_a9_tags tag;
+  union {
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok;
+    libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err;
+  } val;
+} Result_a8;
+
+/**
+ `context` must be at most 255 bytes long.
+*/
+/**
+This function found in impl
+{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1}
+*/
+static inline Result_a8 libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context,
+                                                       Option_30 pre_hash_oid) {
+  Result_a8 uu____0;
+  if (Eurydice_slice_len(context, uint8_t) >
+      LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) {
+    uu____0 = (CLITERAL(Result_a8){
+        .tag = Err,
+        .val = {.case_Err = libcrux_ml_dsa_pre_hash_ContextTooLongError}});
+  } else {
+    uu____0 = (CLITERAL(Result_a8){
+        .tag = Ok,
+        .val = {
+            .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}});
+  }
+  return uu____0;
+}
+
+/**
+ Returns the pre-hash OID, if any.
+*/
+/**
+This function found in impl
+{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1}
+*/
+static inline Option_30 *libcrux_ml_dsa_pre_hash_pre_hash_oid_45(
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) {
+  return &self->pre_hash_oid;
+}
+
+/**
+ Returns the context, guaranteed to be at most 255 bytes long.
+*/
+/**
+This function found in impl
+{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1}
+*/
+static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45(
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) {
+  return self->context;
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_sample_update_seed(
+    uint8_t seed[66U], uint16_t *domain_separator, uint8_t ret[66U]) {
+  seed[64U] = (uint8_t)domain_separator[0U];
+  seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U);
+  domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U;
+  memcpy(ret, seed, (size_t)66U * sizeof(uint8_t));
+}
+
+static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_inside_out_shuffle(
+    Eurydice_slice randomness, size_t *out_index, uint64_t *signs,
+    int32_t *result) {
+  bool done = false;
+  for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t);
+       i++) {
+    size_t _cloop_j = i;
+    uint8_t *byte =
+        &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *);
+    if (!done) {
+      size_t sample_at = (size_t)byte[0U];
+      if (sample_at <= out_index[0U]) {
+        result[out_index[0U]] = result[sample_at];
+        out_index[0U] = out_index[0U] + (size_t)1U;
+        result[sample_at] =
+            (int32_t)1 - (int32_t)2 * (int32_t)(signs[0U] & 1ULL);
+        signs[0U] = signs[0U] >> 1U;
+        size_t uu____0 = out_index[0U];
+        done = uu____0 == Eurydice_slice_len(Eurydice_array_to_slice(
+                                                 (size_t)256U, result, int32_t),
+                                             int32_t);
+      } else {
+        size_t uu____1 = out_index[0U];
+        done = uu____1 == Eurydice_slice_len(Eurydice_array_to_slice(
+                                                 (size_t)256U, result, int32_t),
+                                             int32_t);
+      }
+    }
+  }
+  return done;
+}
+
+static const uint8_t libcrux_ml_dsa_pre_hash_SHAKE128_OID[11U] = {
+    6U, 9U, 96U, 134U, 72U, 1U, 101U, 3U, 4U, 2U, 11U};
+
+/**
+This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash<256: usize> for
+libcrux_ml_dsa::pre_hash::SHAKE128_PH)}
+*/
+static inline void libcrux_ml_dsa_pre_hash_oid_bd(uint8_t ret[11U]) {
+  memcpy(ret, libcrux_ml_dsa_pre_hash_SHAKE128_OID,
+         (size_t)11U * sizeof(uint8_t));
+}
+
+typedef struct libcrux_ml_dsa_pre_hash_SHAKE128_PH_s {
+} libcrux_ml_dsa_pre_hash_SHAKE128_PH;
+
+typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_s {
+  int32_t coefficients[8U];
+} libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit;
+
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_vector_type_ZERO(void) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit lit;
+  lit.coefficients[0U] = (int32_t)0;
+  lit.coefficients[1U] = (int32_t)0;
+  lit.coefficients[2U] = (int32_t)0;
+  lit.coefficients[3U] = (int32_t)0;
+  lit.coefficients[4U] = (int32_t)0;
+  lit.coefficients[5U] = (int32_t)0;
+  lit.coefficients[6U] = (int32_t)0;
+  lit.coefficients[7U] = (int32_t)0;
+  return lit;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_ZERO_36(void) {
+  return libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+}
+
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array(
+    Eurydice_slice array) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit lit;
+  int32_t ret[8U];
+  Result_6c dst;
+  Eurydice_slice_to_array2(
+      &dst, Eurydice_slice_subslice2(array, (size_t)0U, (size_t)8U, int32_t),
+      Eurydice_slice, int32_t[8U]);
+  unwrap_26_55(dst, ret);
+  memcpy(lit.coefficients, ret, (size_t)8U * sizeof(int32_t));
+  return lit;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_from_coefficient_array_36(Eurydice_slice array) {
+  return libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array(array);
+}
+
+static inline void
+libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *x,
+    int32_t ret[8U]) {
+  memcpy(ret, x->coefficients, (size_t)8U * sizeof(int32_t));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline void libcrux_ml_dsa_simd_portable_to_coefficient_array_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *self,
+    int32_t ret[8U]) {
+  libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array(self, ret);
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_arithmetic_add(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit sum =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)8U, sum.coefficients, int32_t),
+               int32_t);
+       i++) {
+    size_t i0 = i;
+    sum.coefficients[i0] = lhs->coefficients[i0] + rhs->coefficients[i0];
+  }
+  return sum;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_add_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_add(lhs, rhs);
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_arithmetic_subtract(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit difference =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, difference.coefficients, int32_t),
+                              int32_t);
+       i++) {
+    size_t i0 = i;
+    difference.coefficients[i0] = lhs->coefficients[i0] - rhs->coefficients[i0];
+  }
+  return difference;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_subtract_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_subtract(lhs, rhs);
+}
+
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    int32_t bound) {
+  bool exceeds = false;
+  core_ops_range_Range_08 lit;
+  lit.start = (size_t)0U;
+  lit.end = Eurydice_slice_len(
+      Eurydice_array_to_slice((size_t)8U, simd_unit.coefficients, int32_t),
+      int32_t);
+  core_ops_range_Range_08 iter =
+      core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+          lit, core_ops_range_Range_08, core_ops_range_Range_08);
+  while (true) {
+    Option_08 uu____0 =
+        core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+            &iter, size_t, Option_08);
+    if (uu____0.tag == None) {
+      return exceeds;
+    } else {
+      size_t _cloop_k = uu____0.f0;
+      int32_t coefficient = simd_unit.coefficients[_cloop_k];
+      int32_t sign = coefficient >> 31U;
+      int32_t normalized = coefficient - (sign & (int32_t)2 * coefficient);
+      bool uu____1;
+      if (exceeds) {
+        uu____1 = true;
+      } else {
+        uu____1 = normalized >= bound;
+      }
+      exceeds = uu____1;
+    }
+  }
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline bool libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    int32_t bound) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds(
+      simd_unit, bound);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (32U)
+
+static KRML_MUSTINLINE uint64_t
+libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits(
+    uint8_t n, uint64_t value) {
+  return value & ((1ULL << (uint32_t)n) - 1ULL);
+}
+
+static KRML_MUSTINLINE int32_t
+libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element(
+    int64_t value) {
+  uint64_t t =
+      libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits(
+          LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT,
+          (uint64_t)value) *
+      LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R;
+  int32_t k = (int32_t)
+      libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits(
+          LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT, t);
+  int64_t k_times_modulus =
+      (int64_t)k * (int64_t)LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS;
+  int32_t c =
+      (int32_t)(k_times_modulus >>
+                (uint32_t)
+                    LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT);
+  int32_t value_high =
+      (int32_t)(value >>
+                (uint32_t)
+                    LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT);
+  return value_high - c;
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit product =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, product.coefficients, int32_t),
+                              int32_t);
+       i++) {
+    size_t i0 = i;
+    product.coefficients[i0] =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element(
+            (int64_t)lhs->coefficients[i0] * (int64_t)rhs->coefficients[i0]);
+  }
+  return product;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_montgomery_multiply_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit lhs,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit rhs) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply(&lhs,
+                                                                     &rhs);
+}
+
+static KRML_MUSTINLINE int32_t
+libcrux_ml_dsa_simd_portable_arithmetic_reduce_element(int32_t fe) {
+  int32_t quotient = (fe + ((int32_t)1 << 22U)) >> 23U;
+  return fe - quotient * LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS;
+}
+
+typedef struct int32_t_x2_s {
+  int32_t fst;
+  int32_t snd;
+} int32_t_x2;
+
+static KRML_MUSTINLINE int32_t_x2
+libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(int32_t t) {
+  int32_t t2 = t + (t >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS);
+  int32_t t1 =
+      (t2 - (int32_t)1 +
+       ((int32_t)1
+        << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T -
+                      (size_t)1U))) >>
+      (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T;
+  int32_t t0 =
+      t2 - (t1 << (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T);
+  return (CLITERAL(int32_t_x2){.fst = t0, .snd = t1});
+}
+
+typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2_s {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit fst;
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit snd;
+} libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2;
+
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2
+libcrux_ml_dsa_simd_portable_arithmetic_power2round(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t0_simd_unit =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t1_simd_unit =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, simd_unit.coefficients, int32_t),
+                              int32_t);
+       i++) {
+    size_t i0 = i;
+    int32_t t = simd_unit.coefficients[i0];
+    int32_t_x2 uu____0 =
+        libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(t);
+    int32_t t0 = uu____0.fst;
+    int32_t t1 = uu____0.snd;
+    t0_simd_unit.coefficients[i0] = t0;
+    t1_simd_unit.coefficients[i0] = t1;
+  }
+  return (
+      CLITERAL(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2){
+          .fst = t0_simd_unit, .snd = t1_simd_unit});
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2
+libcrux_ml_dsa_simd_portable_power2round_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_power2round(simd_unit);
+}
+
+static KRML_MUSTINLINE size_t
+libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus(
+    Eurydice_slice randomness, Eurydice_slice out) {
+  size_t sampled = (size_t)0U;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i++) {
+    size_t _cloop_i = i;
+    Eurydice_slice bytes =
+        Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)3U,
+                                 _cloop_i * (size_t)3U + (size_t)3U, uint8_t);
+    int32_t b0 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *);
+    int32_t b1 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *);
+    int32_t b2 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *);
+    int32_t coefficient = ((b2 << 16U | b1 << 8U) | b0) & (int32_t)8388607;
+    if (coefficient < LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS) {
+      Eurydice_slice_index(out, sampled, int32_t, int32_t *) = coefficient;
+      sampled++;
+    }
+  }
+  return sampled;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline size_t
+libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_36(
+    Eurydice_slice randomness, Eurydice_slice out) {
+  return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus(
+      randomness, out);
+}
+
+static KRML_MUSTINLINE size_t
+libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2(
+    Eurydice_slice randomness, Eurydice_slice out) {
+  size_t sampled = (size_t)0U;
+  for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t);
+       i++) {
+    size_t _cloop_j = i;
+    uint8_t *byte =
+        &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *);
+    uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U);
+    uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4);
+    if (try_0 < 15U) {
+      int32_t try_00 = (int32_t)try_0;
+      int32_t try_0_mod_5 = try_00 - (try_00 * (int32_t)26 >> 7U) * (int32_t)5;
+      Eurydice_slice_index(out, sampled, int32_t, int32_t *) =
+          (int32_t)2 - try_0_mod_5;
+      sampled++;
+    }
+    if (try_1 < 15U) {
+      int32_t try_10 = (int32_t)try_1;
+      int32_t try_1_mod_5 = try_10 - (try_10 * (int32_t)26 >> 7U) * (int32_t)5;
+      Eurydice_slice_index(out, sampled, int32_t, int32_t *) =
+          (int32_t)2 - try_1_mod_5;
+      sampled++;
+    }
+  }
+  return sampled;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline size_t
+libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_36(
+    Eurydice_slice randomness, Eurydice_slice out) {
+  return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2(
+      randomness, out);
+}
+
+static KRML_MUSTINLINE size_t
+libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4(
+    Eurydice_slice randomness, Eurydice_slice out) {
+  size_t sampled = (size_t)0U;
+  for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t);
+       i++) {
+    size_t _cloop_j = i;
+    uint8_t *byte =
+        &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *);
+    uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U);
+    uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4);
+    if (try_0 < 9U) {
+      Eurydice_slice_index(out, sampled, int32_t, int32_t *) =
+          (int32_t)4 - (int32_t)try_0;
+      sampled++;
+    }
+    if (try_1 < 9U) {
+      Eurydice_slice_index(out, sampled, int32_t, int32_t *) =
+          (int32_t)4 - (int32_t)try_1;
+      sampled++;
+    }
+  }
+  return sampled;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline size_t
+libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36(
+    Eurydice_slice randomness, Eurydice_slice out) {
+  return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4(
+      randomness, out);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \
+  ((int32_t)1 << 17U)
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_17(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, simd_unit.coefficients, int32_t),
+                              int32_t) /
+               (size_t)4U;
+       i++) {
+    size_t i0 = i;
+    Eurydice_slice coefficients =
+        Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)4U,
+                                    i0 * (size_t)4U + (size_t)4U, int32_t);
+    int32_t coefficient0 =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 -
+        Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *);
+    int32_t coefficient1 =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 -
+        Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *);
+    int32_t coefficient2 =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 -
+        Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t *);
+    int32_t coefficient3 =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 -
+        Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t *);
+    Eurydice_slice_index(serialized, (size_t)9U * i0, uint8_t, uint8_t *) =
+        (uint8_t)coefficient0;
+    Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)1U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient0 >> 8U);
+    Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)2U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient0 >> 16U);
+    size_t uu____0 = (size_t)9U * i0 + (size_t)2U;
+    Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) =
+        (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t,
+                                       uint8_t *) |
+        (uint32_t)(uint8_t)(coefficient1 << 2U);
+    Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)3U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient1 >> 6U);
+    Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)4U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient1 >> 14U);
+    size_t uu____1 = (size_t)9U * i0 + (size_t)4U;
+    Eurydice_slice_index(serialized, uu____1, uint8_t, uint8_t *) =
+        (uint32_t)Eurydice_slice_index(serialized, uu____1, uint8_t,
+                                       uint8_t *) |
+        (uint32_t)(uint8_t)(coefficient2 << 4U);
+    Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)5U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient2 >> 4U);
+    Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)6U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient2 >> 12U);
+    size_t uu____2 = (size_t)9U * i0 + (size_t)6U;
+    Eurydice_slice_index(serialized, uu____2, uint8_t, uint8_t *) =
+        (uint32_t)Eurydice_slice_index(serialized, uu____2, uint8_t,
+                                       uint8_t *) |
+        (uint32_t)(uint8_t)(coefficient3 << 6U);
+    Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)7U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient3 >> 2U);
+    Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)8U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient3 >> 10U);
+  }
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \
+  ((int32_t)1 << 19U)
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, simd_unit.coefficients, int32_t),
+                              int32_t) /
+               (size_t)2U;
+       i++) {
+    size_t i0 = i;
+    Eurydice_slice coefficients =
+        Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)2U,
+                                    i0 * (size_t)2U + (size_t)2U, int32_t);
+    int32_t coefficient0 =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 -
+        Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *);
+    int32_t coefficient1 =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 -
+        Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *);
+    Eurydice_slice_index(serialized, (size_t)5U * i0, uint8_t, uint8_t *) =
+        (uint8_t)coefficient0;
+    Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)1U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient0 >> 8U);
+    Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)2U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient0 >> 16U);
+    size_t uu____0 = (size_t)5U * i0 + (size_t)2U;
+    Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) =
+        (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t,
+                                       uint8_t *) |
+        (uint32_t)(uint8_t)(coefficient1 << 4U);
+    Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)3U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient1 >> 4U);
+    Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)4U, uint8_t,
+                         uint8_t *) = (uint8_t)(coefficient1 >> 12U);
+  }
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \
+  ((int32_t)1 << 17U)
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK \
+  ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1                     \
+    << 1U) -                                                                                                    \
+   (int32_t)1)
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17(
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(serialized, uint8_t) / (size_t)9U; i++) {
+    size_t i0 = i;
+    Eurydice_slice bytes = Eurydice_slice_subslice2(
+        serialized, i0 * (size_t)9U, i0 * (size_t)9U + (size_t)9U, uint8_t);
+    int32_t coefficient0 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *);
+    coefficient0 =
+        coefficient0 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)
+            << 8U;
+    coefficient0 =
+        coefficient0 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *)
+            << 16U;
+    coefficient0 =
+        coefficient0 &
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK;
+    int32_t coefficient1 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >>
+        2U;
+    coefficient1 =
+        coefficient1 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *)
+            << 6U;
+    coefficient1 =
+        coefficient1 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *)
+            << 14U;
+    coefficient1 =
+        coefficient1 &
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK;
+    int32_t coefficient2 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) >>
+        4U;
+    coefficient2 =
+        coefficient2 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *)
+            << 4U;
+    coefficient2 =
+        coefficient2 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *)
+            << 12U;
+    coefficient2 =
+        coefficient2 &
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK;
+    int32_t coefficient3 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >>
+        6U;
+    coefficient3 =
+        coefficient3 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)
+            << 2U;
+    coefficient3 =
+        coefficient3 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *)
+            << 10U;
+    coefficient3 =
+        coefficient3 &
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK;
+    simd_unit.coefficients[(size_t)4U * i0] =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 -
+        coefficient0;
+    simd_unit.coefficients[(size_t)4U * i0 + (size_t)1U] =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 -
+        coefficient1;
+    simd_unit.coefficients[(size_t)4U * i0 + (size_t)2U] =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 -
+        coefficient2;
+    simd_unit.coefficients[(size_t)4U * i0 + (size_t)3U] =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 -
+        coefficient3;
+  }
+  return simd_unit;
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \
+  ((int32_t)1 << 19U)
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK \
+  ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1                     \
+    << 1U) -                                                                                                    \
+   (int32_t)1)
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19(
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) {
+    size_t i0 = i;
+    Eurydice_slice bytes = Eurydice_slice_subslice2(
+        serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t);
+    int32_t coefficient0 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *);
+    coefficient0 =
+        coefficient0 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)
+            << 8U;
+    coefficient0 =
+        coefficient0 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *)
+            << 16U;
+    coefficient0 =
+        coefficient0 &
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK;
+    int32_t coefficient1 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >>
+        4U;
+    coefficient1 =
+        coefficient1 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *)
+            << 4U;
+    coefficient1 =
+        coefficient1 |
+        (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *)
+            << 12U;
+    simd_unit.coefficients[(size_t)2U * i0] =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 -
+        coefficient0;
+    simd_unit.coefficients[(size_t)2U * i0 + (size_t)1U] =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 -
+        coefficient1;
+  }
+  return simd_unit;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_encoding_commitment_serialize(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  switch ((uint8_t)Eurydice_slice_len(serialized, uint8_t)) {
+    case 4U: {
+      for (size_t i = (size_t)0U;
+           i <
+           Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, simd_unit.coefficients, int32_t),
+                              int32_t) /
+               (size_t)2U;
+           i++) {
+        size_t i0 = i;
+        Eurydice_slice coefficients =
+            Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)2U,
+                                        i0 * (size_t)2U + (size_t)2U, int32_t);
+        uint8_t coefficient0 = (uint8_t)Eurydice_slice_index(
+            coefficients, (size_t)0U, int32_t, int32_t *);
+        uint8_t coefficient1 = (uint8_t)Eurydice_slice_index(
+            coefficients, (size_t)1U, int32_t, int32_t *);
+        Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *) =
+            (uint32_t)coefficient1 << 4U | (uint32_t)coefficient0;
+      }
+      break;
+    }
+    case 6U: {
+      for (size_t i = (size_t)0U;
+           i <
+           Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, simd_unit.coefficients, int32_t),
+                              int32_t) /
+               (size_t)4U;
+           i++) {
+        size_t i0 = i;
+        Eurydice_slice coefficients =
+            Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)4U,
+                                        i0 * (size_t)4U + (size_t)4U, int32_t);
+        uint8_t coefficient0 = (uint8_t)Eurydice_slice_index(
+            coefficients, (size_t)0U, int32_t, int32_t *);
+        uint8_t coefficient1 = (uint8_t)Eurydice_slice_index(
+            coefficients, (size_t)1U, int32_t, int32_t *);
+        uint8_t coefficient2 = (uint8_t)Eurydice_slice_index(
+            coefficients, (size_t)2U, int32_t, int32_t *);
+        uint8_t coefficient3 = (uint8_t)Eurydice_slice_index(
+            coefficients, (size_t)3U, int32_t, int32_t *);
+        Eurydice_slice_index(serialized, (size_t)3U * i0, uint8_t, uint8_t *) =
+            (uint32_t)coefficient1 << 6U | (uint32_t)coefficient0;
+        Eurydice_slice_index(serialized, (size_t)3U * i0 + (size_t)1U, uint8_t,
+                             uint8_t *) =
+            (uint32_t)coefficient2 << 4U | (uint32_t)coefficient1 >> 2U;
+        Eurydice_slice_index(serialized, (size_t)3U * i0 + (size_t)2U, uint8_t,
+                             uint8_t *) =
+            (uint32_t)coefficient3 << 2U | (uint32_t)coefficient2 >> 4U;
+      }
+      break;
+    }
+    default: {
+      KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                        "panic!");
+      KRML_HOST_EXIT(255U);
+    }
+  }
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline void libcrux_ml_dsa_simd_portable_commitment_serialize_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_encoding_commitment_serialize(simd_unit,
+                                                             serialized);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \
+  ((int32_t)2)
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_2(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  uint8_t coefficient0 =
+      (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA -
+                simd_unit.coefficients[0U]);
+  uint8_t coefficient1 =
+      (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA -
+                simd_unit.coefficients[1U]);
+  uint8_t coefficient2 =
+      (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA -
+                simd_unit.coefficients[2U]);
+  uint8_t coefficient3 =
+      (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA -
+                simd_unit.coefficients[3U]);
+  uint8_t coefficient4 =
+      (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA -
+                simd_unit.coefficients[4U]);
+  uint8_t coefficient5 =
+      (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA -
+                simd_unit.coefficients[5U]);
+  uint8_t coefficient6 =
+      (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA -
+                simd_unit.coefficients[6U]);
+  uint8_t coefficient7 =
+      (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA -
+                simd_unit.coefficients[7U]);
+  Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *) =
+      ((uint32_t)coefficient2 << 6U | (uint32_t)coefficient1 << 3U) |
+      (uint32_t)coefficient0;
+  Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *) =
+      (((uint32_t)coefficient5 << 7U | (uint32_t)coefficient4 << 4U) |
+       (uint32_t)coefficient3 << 1U) |
+      (uint32_t)coefficient2 >> 2U;
+  Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *) =
+      ((uint32_t)coefficient7 << 5U | (uint32_t)coefficient6 << 2U) |
+      (uint32_t)coefficient5 >> 1U;
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \
+  ((int32_t)4)
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, simd_unit.coefficients, int32_t),
+                              int32_t) /
+               (size_t)2U;
+       i++) {
+    size_t i0 = i;
+    Eurydice_slice coefficients =
+        Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)2U,
+                                    i0 * (size_t)2U + (size_t)2U, int32_t);
+    uint8_t coefficient0 =
+        (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA -
+                  Eurydice_slice_index(coefficients, (size_t)0U, int32_t,
+                                       int32_t *));
+    uint8_t coefficient1 =
+        (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA -
+                  Eurydice_slice_index(coefficients, (size_t)1U, int32_t,
+                                       int32_t *));
+    Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *) =
+        (uint32_t)coefficient1 << 4U | (uint32_t)coefficient0;
+  }
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA \
+  ((int32_t)2)
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_2(
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  int32_t byte0 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *);
+  int32_t byte1 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *);
+  int32_t byte2 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *);
+  simd_unit.coefficients[0U] =
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA -
+      (byte0 & (int32_t)7);
+  simd_unit.coefficients[1U] =
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA -
+      (byte0 >> 3U & (int32_t)7);
+  simd_unit.coefficients[2U] =
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA -
+      ((byte0 >> 6U | byte1 << 2U) & (int32_t)7);
+  simd_unit.coefficients[3U] =
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA -
+      (byte1 >> 1U & (int32_t)7);
+  simd_unit.coefficients[4U] =
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA -
+      (byte1 >> 4U & (int32_t)7);
+  simd_unit.coefficients[5U] =
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA -
+      ((byte1 >> 7U | byte2 << 1U) & (int32_t)7);
+  simd_unit.coefficients[6U] =
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA -
+      (byte2 >> 2U & (int32_t)7);
+  simd_unit.coefficients[7U] =
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA -
+      (byte2 >> 5U & (int32_t)7);
+  return simd_unit;
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA \
+  ((int32_t)4)
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4(
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t);
+       i++) {
+    size_t i0 = i;
+    uint8_t *byte = &Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *);
+    uint8_t uu____0 = Eurydice_bitand_pv_u8(byte, 15U);
+    simd_unit.coefficients[(size_t)2U * i0] =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA -
+        (int32_t)uu____0;
+    uint8_t uu____1 = Eurydice_shr_pv_u8(byte, (int32_t)4);
+    simd_unit.coefficients[(size_t)2U * i0 + (size_t)1U] =
+        LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA -
+        (int32_t)uu____1;
+  }
+  return simd_unit;
+}
+
+static KRML_MUSTINLINE int32_t
+libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(int32_t t0) {
+  return ((int32_t)1
+          << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T -
+                        (size_t)1U)) -
+         t0;
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t0_serialize(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    uint8_t ret[13U]) {
+  uint8_t serialized[13U] = {0U};
+  int32_t coefficient0 =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(
+          simd_unit.coefficients[0U]);
+  int32_t coefficient1 =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(
+          simd_unit.coefficients[1U]);
+  int32_t coefficient2 =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(
+          simd_unit.coefficients[2U]);
+  int32_t coefficient3 =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(
+          simd_unit.coefficients[3U]);
+  int32_t coefficient4 =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(
+          simd_unit.coefficients[4U]);
+  int32_t coefficient5 =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(
+          simd_unit.coefficients[5U]);
+  int32_t coefficient6 =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(
+          simd_unit.coefficients[6U]);
+  int32_t coefficient7 =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(
+          simd_unit.coefficients[7U]);
+  serialized[0U] = (uint8_t)coefficient0;
+  serialized[1U] = (uint8_t)(coefficient0 >> 8U);
+  size_t uu____0 = (size_t)1U;
+  serialized[uu____0] =
+      (uint32_t)serialized[uu____0] | (uint32_t)(uint8_t)(coefficient1 << 5U);
+  serialized[2U] = (uint8_t)(coefficient1 >> 3U);
+  serialized[3U] = (uint8_t)(coefficient1 >> 11U);
+  size_t uu____1 = (size_t)3U;
+  serialized[uu____1] =
+      (uint32_t)serialized[uu____1] | (uint32_t)(uint8_t)(coefficient2 << 2U);
+  serialized[4U] = (uint8_t)(coefficient2 >> 6U);
+  size_t uu____2 = (size_t)4U;
+  serialized[uu____2] =
+      (uint32_t)serialized[uu____2] | (uint32_t)(uint8_t)(coefficient3 << 7U);
+  serialized[5U] = (uint8_t)(coefficient3 >> 1U);
+  serialized[6U] = (uint8_t)(coefficient3 >> 9U);
+  size_t uu____3 = (size_t)6U;
+  serialized[uu____3] =
+      (uint32_t)serialized[uu____3] | (uint32_t)(uint8_t)(coefficient4 << 4U);
+  serialized[7U] = (uint8_t)(coefficient4 >> 4U);
+  serialized[8U] = (uint8_t)(coefficient4 >> 12U);
+  size_t uu____4 = (size_t)8U;
+  serialized[uu____4] =
+      (uint32_t)serialized[uu____4] | (uint32_t)(uint8_t)(coefficient5 << 1U);
+  serialized[9U] = (uint8_t)(coefficient5 >> 7U);
+  size_t uu____5 = (size_t)9U;
+  serialized[uu____5] =
+      (uint32_t)serialized[uu____5] | (uint32_t)(uint8_t)(coefficient6 << 6U);
+  serialized[10U] = (uint8_t)(coefficient6 >> 2U);
+  serialized[11U] = (uint8_t)(coefficient6 >> 10U);
+  size_t uu____6 = (size_t)11U;
+  serialized[uu____6] =
+      (uint32_t)serialized[uu____6] | (uint32_t)(uint8_t)(coefficient7 << 3U);
+  serialized[12U] = (uint8_t)(coefficient7 >> 5U);
+  memcpy(ret, serialized, (size_t)13U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline void libcrux_ml_dsa_simd_portable_t0_serialize_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    uint8_t ret[13U]) {
+  libcrux_ml_dsa_simd_portable_encoding_t0_serialize(simd_unit, ret);
+}
+
+#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK \
+  (((int32_t)1 << (uint32_t)(int32_t)                                                     \
+        LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) -                               \
+   (int32_t)1)
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_encoding_t0_deserialize(
+    Eurydice_slice serialized) {
+  int32_t byte0 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *);
+  int32_t byte1 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *);
+  int32_t byte2 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *);
+  int32_t byte3 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)3U, uint8_t, uint8_t *);
+  int32_t byte4 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)4U, uint8_t, uint8_t *);
+  int32_t byte5 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)5U, uint8_t, uint8_t *);
+  int32_t byte6 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)6U, uint8_t, uint8_t *);
+  int32_t byte7 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)7U, uint8_t, uint8_t *);
+  int32_t byte8 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)8U, uint8_t, uint8_t *);
+  int32_t byte9 =
+      (int32_t)Eurydice_slice_index(serialized, (size_t)9U, uint8_t, uint8_t *);
+  int32_t byte10 = (int32_t)Eurydice_slice_index(serialized, (size_t)10U,
+                                                 uint8_t, uint8_t *);
+  int32_t byte11 = (int32_t)Eurydice_slice_index(serialized, (size_t)11U,
+                                                 uint8_t, uint8_t *);
+  int32_t byte12 = (int32_t)Eurydice_slice_index(serialized, (size_t)12U,
+                                                 uint8_t, uint8_t *);
+  int32_t coefficient0 = byte0;
+  coefficient0 = coefficient0 | byte1 << 8U;
+  coefficient0 =
+      coefficient0 &
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK;
+  int32_t coefficient1 = byte1 >> 5U;
+  coefficient1 = coefficient1 | byte2 << 3U;
+  coefficient1 = coefficient1 | byte3 << 11U;
+  coefficient1 =
+      coefficient1 &
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK;
+  int32_t coefficient2 = byte3 >> 2U;
+  coefficient2 = coefficient2 | byte4 << 6U;
+  coefficient2 =
+      coefficient2 &
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK;
+  int32_t coefficient3 = byte4 >> 7U;
+  coefficient3 = coefficient3 | byte5 << 1U;
+  coefficient3 = coefficient3 | byte6 << 9U;
+  coefficient3 =
+      coefficient3 &
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK;
+  int32_t coefficient4 = byte6 >> 4U;
+  coefficient4 = coefficient4 | byte7 << 4U;
+  coefficient4 = coefficient4 | byte8 << 12U;
+  coefficient4 =
+      coefficient4 &
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK;
+  int32_t coefficient5 = byte8 >> 1U;
+  coefficient5 = coefficient5 | byte9 << 7U;
+  coefficient5 =
+      coefficient5 &
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK;
+  int32_t coefficient6 = byte9 >> 6U;
+  coefficient6 = coefficient6 | byte10 << 2U;
+  coefficient6 = coefficient6 | byte11 << 10U;
+  coefficient6 =
+      coefficient6 &
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK;
+  int32_t coefficient7 = byte11 >> 3U;
+  coefficient7 = coefficient7 | byte12 << 5U;
+  coefficient7 =
+      coefficient7 &
+      LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK;
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  simd_unit.coefficients[0U] =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient0);
+  simd_unit.coefficients[1U] =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient1);
+  simd_unit.coefficients[2U] =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient2);
+  simd_unit.coefficients[3U] =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient3);
+  simd_unit.coefficients[4U] =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient4);
+  simd_unit.coefficients[5U] =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient5);
+  simd_unit.coefficients[6U] =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient6);
+  simd_unit.coefficients[7U] =
+      libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient7);
+  return simd_unit;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_t0_deserialize_36(Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_portable_encoding_t0_deserialize(serialized);
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t1_serialize(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    uint8_t ret[10U]) {
+  uint8_t serialized[10U] = {0U};
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, simd_unit.coefficients, int32_t),
+                              int32_t) /
+               (size_t)4U;
+       i++) {
+    size_t i0 = i;
+    Eurydice_slice coefficients =
+        Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)4U,
+                                    i0 * (size_t)4U + (size_t)4U, int32_t);
+    serialized[(size_t)5U * i0] =
+        (uint8_t)(Eurydice_slice_index(coefficients, (size_t)0U, int32_t,
+                                       int32_t *) &
+                  (int32_t)255);
+    serialized[(size_t)5U * i0 + (size_t)1U] =
+        (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)1U,
+                                                 int32_t, int32_t *) &
+                            (int32_t)63)
+            << 2U |
+        (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)0U,
+                                                 int32_t, int32_t *) >>
+                                8U &
+                            (int32_t)3);
+    serialized[(size_t)5U * i0 + (size_t)2U] =
+        (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)2U,
+                                                 int32_t, int32_t *) &
+                            (int32_t)15)
+            << 4U |
+        (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)1U,
+                                                 int32_t, int32_t *) >>
+                                6U &
+                            (int32_t)15);
+    serialized[(size_t)5U * i0 + (size_t)3U] =
+        (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)3U,
+                                                 int32_t, int32_t *) &
+                            (int32_t)3)
+            << 6U |
+        (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)2U,
+                                                 int32_t, int32_t *) >>
+                                4U &
+                            (int32_t)63);
+    serialized[(size_t)5U * i0 + (size_t)4U] =
+        (uint8_t)(Eurydice_slice_index(coefficients, (size_t)3U, int32_t,
+                                       int32_t *) >>
+                      2U &
+                  (int32_t)255);
+  }
+  memcpy(ret, serialized, (size_t)10U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline void libcrux_ml_dsa_simd_portable_t1_serialize_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    uint8_t ret[10U]) {
+  libcrux_ml_dsa_simd_portable_encoding_t1_serialize(simd_unit, ret);
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_encoding_t1_deserialize(
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  int32_t mask = ((int32_t)1 << (uint32_t)
+                      LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T) -
+                 (int32_t)1;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) {
+    size_t i0 = i;
+    Eurydice_slice bytes = Eurydice_slice_subslice2(
+        serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t);
+    int32_t byte0 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *);
+    int32_t byte1 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *);
+    int32_t byte2 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *);
+    int32_t byte3 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *);
+    int32_t byte4 =
+        (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *);
+    simd_unit.coefficients[(size_t)4U * i0] = (byte0 | byte1 << 8U) & mask;
+    simd_unit.coefficients[(size_t)4U * i0 + (size_t)1U] =
+        (byte1 >> 2U | byte2 << 6U) & mask;
+    simd_unit.coefficients[(size_t)4U * i0 + (size_t)2U] =
+        (byte2 >> 4U | byte3 << 4U) & mask;
+    simd_unit.coefficients[(size_t)4U * i0 + (size_t)3U] =
+        (byte3 >> 6U | byte4 << 2U) & mask;
+  }
+  return simd_unit;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_t1_deserialize_36(Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_portable_encoding_t1_deserialize(serialized);
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    int32_t c) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, simd_unit.coefficients, int32_t),
+                              int32_t);
+       i++) {
+    size_t i0 = i;
+    simd_unit.coefficients[i0] =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element(
+            (int64_t)simd_unit.coefficients[i0] * (int64_t)c);
+  }
+  return simd_unit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 16
+- ZETA= 25847
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)16U], (int32_t)25847);
+    re[j + (size_t)16U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 8
+- ZETA= -2608894
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)8U], (int32_t)-2608894);
+    re[j + (size_t)8U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 8
+- ZETA= -518909
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)8U], (int32_t)-518909);
+    re[j + (size_t)8U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 4
+- ZETA= 237124
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)4U], (int32_t)237124);
+    re[j + (size_t)4U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 8
+- STEP_BY= 4
+- ZETA= -777960
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)4U], (int32_t)-777960);
+    re[j + (size_t)4U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 4
+- ZETA= -876248
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)4U], (int32_t)-876248);
+    re[j + (size_t)4U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 24
+- STEP_BY= 4
+- ZETA= 466468
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)4U], (int32_t)466468);
+    re[j + (size_t)4U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 2
+- ZETA= 1826347
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)2U], (int32_t)1826347);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 4
+- STEP_BY= 2
+- ZETA= 2353451
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)2U], (int32_t)2353451);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 8
+- STEP_BY= 2
+- ZETA= -359251
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)2U], (int32_t)-359251);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 12
+- STEP_BY= 2
+- ZETA= -2091905
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)2U], (int32_t)-2091905);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 2
+- ZETA= 3119733
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)2U], (int32_t)3119733);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 20
+- STEP_BY= 2
+- ZETA= -2884855
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)2U], (int32_t)-2884855);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 24
+- STEP_BY= 2
+- ZETA= 3111497
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)2U], (int32_t)3111497);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 28
+- STEP_BY= 2
+- ZETA= 2680103
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)2U], (int32_t)2680103);
+    re[j + (size_t)2U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 1
+- ZETA= 2725464
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)2725464);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 2
+- STEP_BY= 1
+- ZETA= 1024112
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)1024112);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 4
+- STEP_BY= 1
+- ZETA= -1079900
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)-1079900);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 6
+- STEP_BY= 1
+- ZETA= 3585928
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)3585928);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 8
+- STEP_BY= 1
+- ZETA= -549488
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)-549488);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 10
+- STEP_BY= 1
+- ZETA= -1119584
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)-1119584);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 12
+- STEP_BY= 1
+- ZETA= 2619752
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)2619752);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 14
+- STEP_BY= 1
+- ZETA= -2108549
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)-2108549);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 1
+- ZETA= -2118186
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)-2118186);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 18
+- STEP_BY= 1
+- ZETA= -3859737
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)-3859737);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 20
+- STEP_BY= 1
+- ZETA= -1399561
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)-1399561);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 22
+- STEP_BY= 1
+- ZETA= -3277672
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)-3277672);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 24
+- STEP_BY= 1
+- ZETA= 1757237
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)1757237);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 26
+- STEP_BY= 1
+- ZETA= -19422
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)-19422);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 28
+- STEP_BY= 1
+- ZETA= 4010497
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)4010497);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus
+with const generics
+- OFFSET= 30
+- STEP_BY= 1
+- ZETA= 280005
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[j + (size_t)1U], (int32_t)280005);
+    re[j + (size_t)1U] =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t);
+    re[j] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1(re);
+  libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0(re);
+}
+
+static KRML_MUSTINLINE int32_t
+libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+    int32_t fe, int32_t fer) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element(
+      (int64_t)fe * (int64_t)fer);
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    int32_t zeta) {
+  int32_t t =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[4U], zeta);
+  simd_unit.coefficients[4U] = simd_unit.coefficients[0U] - t;
+  simd_unit.coefficients[0U] = simd_unit.coefficients[0U] + t;
+  int32_t t0 =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[5U], zeta);
+  simd_unit.coefficients[5U] = simd_unit.coefficients[1U] - t0;
+  simd_unit.coefficients[1U] = simd_unit.coefficients[1U] + t0;
+  int32_t t1 =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[6U], zeta);
+  simd_unit.coefficients[6U] = simd_unit.coefficients[2U] - t1;
+  simd_unit.coefficients[2U] = simd_unit.coefficients[2U] + t1;
+  int32_t t2 =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[7U], zeta);
+  simd_unit.coefficients[7U] = simd_unit.coefficients[3U] - t2;
+  simd_unit.coefficients[3U] = simd_unit.coefficients[3U] + t2;
+  return simd_unit;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index,
+    int32_t zeta) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+      libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2(re[index],
+                                                                zeta);
+  re[index] = uu____0;
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)0U,
+                                                        (int32_t)2706023);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)1U,
+                                                        (int32_t)95776);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)2U,
+                                                        (int32_t)3077325);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)3U,
+                                                        (int32_t)3530437);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)4U,
+                                                        (int32_t)-1661693);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)5U,
+                                                        (int32_t)-3592148);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)6U,
+                                                        (int32_t)-2537516);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)7U,
+                                                        (int32_t)3915439);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)8U,
+                                                        (int32_t)-3861115);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)9U,
+                                                        (int32_t)-3043716);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)10U,
+                                                        (int32_t)3574422);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)11U,
+                                                        (int32_t)-2867647);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)12U,
+                                                        (int32_t)3539968);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)13U,
+                                                        (int32_t)-300467);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)14U,
+                                                        (int32_t)2348700);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)15U,
+                                                        (int32_t)-539299);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)16U,
+                                                        (int32_t)-1699267);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)17U,
+                                                        (int32_t)-1643818);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)18U,
+                                                        (int32_t)3505694);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)19U,
+                                                        (int32_t)-3821735);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)20U,
+                                                        (int32_t)3507263);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)21U,
+                                                        (int32_t)-2140649);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)22U,
+                                                        (int32_t)-1600420);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)23U,
+                                                        (int32_t)3699596);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)24U,
+                                                        (int32_t)811944);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)25U,
+                                                        (int32_t)531354);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)26U,
+                                                        (int32_t)954230);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)27U,
+                                                        (int32_t)3881043);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)28U,
+                                                        (int32_t)3900724);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)29U,
+                                                        (int32_t)-2556880);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)30U,
+                                                        (int32_t)2071892);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)31U,
+                                                        (int32_t)-2797779);
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    int32_t zeta1, int32_t zeta2) {
+  int32_t t =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[2U], zeta1);
+  simd_unit.coefficients[2U] = simd_unit.coefficients[0U] - t;
+  simd_unit.coefficients[0U] = simd_unit.coefficients[0U] + t;
+  int32_t t0 =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[3U], zeta1);
+  simd_unit.coefficients[3U] = simd_unit.coefficients[1U] - t0;
+  simd_unit.coefficients[1U] = simd_unit.coefficients[1U] + t0;
+  int32_t t1 =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[6U], zeta2);
+  simd_unit.coefficients[6U] = simd_unit.coefficients[4U] - t1;
+  simd_unit.coefficients[4U] = simd_unit.coefficients[4U] + t1;
+  int32_t t2 =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[7U], zeta2);
+  simd_unit.coefficients[7U] = simd_unit.coefficients[5U] - t2;
+  simd_unit.coefficients[5U] = simd_unit.coefficients[5U] + t2;
+  return simd_unit;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index,
+    int32_t zeta_0, int32_t zeta_1) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+      libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1(re[index],
+                                                                zeta_0, zeta_1);
+  re[index] = uu____0;
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)1U, (int32_t)-3677745, (int32_t)-3041255);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)3U, (int32_t)2176455, (int32_t)-1585221);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)5U, (int32_t)-4083598, (int32_t)-1000202);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)7U, (int32_t)-3632928, (int32_t)126922);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)8U, (int32_t)3412210, (int32_t)-983419);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)9U, (int32_t)2147896, (int32_t)2715295);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)11U, (int32_t)-411027, (int32_t)-2477047);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)13U, (int32_t)-22981, (int32_t)-1308169);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)14U, (int32_t)-381987, (int32_t)1349076);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)15U, (int32_t)1852771, (int32_t)-1430430);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)16U, (int32_t)-3343383, (int32_t)264944);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)17U, (int32_t)508951, (int32_t)3097992);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)18U, (int32_t)44288, (int32_t)-1100098);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)19U, (int32_t)904516, (int32_t)3958618);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)21U, (int32_t)1653064, (int32_t)-3249728);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)22U, (int32_t)2389356, (int32_t)-210977);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)23U, (int32_t)759969, (int32_t)-1316856);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)24U, (int32_t)189548, (int32_t)-3553272);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)25U, (int32_t)3159746, (int32_t)-1851402);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)27U, (int32_t)1315589, (int32_t)1341330);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)29U, (int32_t)-812732, (int32_t)-1439742);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(
+      re, (size_t)31U, (int32_t)-3628969, (int32_t)3839961);
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) {
+  int32_t t =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[1U], zeta0);
+  simd_unit.coefficients[1U] = simd_unit.coefficients[0U] - t;
+  simd_unit.coefficients[0U] = simd_unit.coefficients[0U] + t;
+  int32_t t0 =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[3U], zeta1);
+  simd_unit.coefficients[3U] = simd_unit.coefficients[2U] - t0;
+  simd_unit.coefficients[2U] = simd_unit.coefficients[2U] + t0;
+  int32_t t1 =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[5U], zeta2);
+  simd_unit.coefficients[5U] = simd_unit.coefficients[4U] - t1;
+  simd_unit.coefficients[4U] = simd_unit.coefficients[4U] + t1;
+  int32_t t2 =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          simd_unit.coefficients[7U], zeta3);
+  simd_unit.coefficients[7U] = simd_unit.coefficients[6U] - t2;
+  simd_unit.coefficients[6U] = simd_unit.coefficients[6U] + t2;
+  return simd_unit;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index,
+    int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, int32_t zeta_3) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+      libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0(
+          re[index], zeta_0, zeta_1, zeta_2, zeta_3);
+  re[index] = uu____0;
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500,
+      (int32_t)3817976);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)1U, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433,
+      (int32_t)-3562462);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728,
+      (int32_t)3513181);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)3U, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226,
+      (int32_t)-3193378);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542,
+      (int32_t)819034);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)5U, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260,
+      (int32_t)-522500);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748,
+      (int32_t)3207046);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)7U, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622,
+      (int32_t)-3595838);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823,
+      (int32_t)4108315);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)9U, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879,
+      (int32_t)203044);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150,
+      (int32_t)1265009);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)11U, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353,
+      (int32_t)1595974);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921,
+      (int32_t)-3548272);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)13U, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435,
+      (int32_t)-1050970);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210,
+      (int32_t)-1430225);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)15U, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115,
+      (int32_t)-1962642);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312,
+      (int32_t)-1374803);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)17U, (int32_t)1500165, (int32_t)777191, (int32_t)2235880,
+      (int32_t)3406031);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176,
+      (int32_t)-1846953);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)19U, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136,
+      (int32_t)-3776993);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455,
+      (int32_t)-164721);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)21U, (int32_t)1957272, (int32_t)3369112, (int32_t)185531,
+      (int32_t)-1207385);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392,
+      (int32_t)3014001);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)23U, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233,
+      (int32_t)-1799107);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901,
+      (int32_t)269760);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)25U, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735,
+      (int32_t)472078);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090,
+      (int32_t)1910376);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)27U, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646,
+      (int32_t)-3833893);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899,
+      (int32_t)-2286327);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)29U, (int32_t)183443, (int32_t)-976891, (int32_t)1612842,
+      (int32_t)-3545687);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306,
+      (int32_t)-1362209);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round(
+      re, (size_t)31U, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154,
+      (int32_t)1976782);
+}
+
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit re[32U],
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) {
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7(re);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6(re);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5(re);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4(re);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3(re);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2(re);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1(re);
+  libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0(re);
+  memcpy(ret, re,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline void libcrux_ml_dsa_simd_portable_ntt_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_units[32U],
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+      copy_of_simd_units[32U];
+  memcpy(copy_of_simd_units, simd_units,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret0[32U];
+  libcrux_ml_dsa_simd_portable_ntt_ntt(copy_of_simd_units, ret0);
+  memcpy(ret, ret0,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) {
+  int32_t a_minus_b = simd_unit.coefficients[1U] - simd_unit.coefficients[0U];
+  simd_unit.coefficients[0U] =
+      simd_unit.coefficients[0U] + simd_unit.coefficients[1U];
+  simd_unit.coefficients[1U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b, zeta0);
+  int32_t a_minus_b0 = simd_unit.coefficients[3U] - simd_unit.coefficients[2U];
+  simd_unit.coefficients[2U] =
+      simd_unit.coefficients[2U] + simd_unit.coefficients[3U];
+  simd_unit.coefficients[3U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b0, zeta1);
+  int32_t a_minus_b1 = simd_unit.coefficients[5U] - simd_unit.coefficients[4U];
+  simd_unit.coefficients[4U] =
+      simd_unit.coefficients[4U] + simd_unit.coefficients[5U];
+  simd_unit.coefficients[5U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b1, zeta2);
+  int32_t a_minus_b2 = simd_unit.coefficients[7U] - simd_unit.coefficients[6U];
+  simd_unit.coefficients[6U] =
+      simd_unit.coefficients[6U] + simd_unit.coefficients[7U];
+  simd_unit.coefficients[7U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b2, zeta3);
+  return simd_unit;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index,
+    int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+      libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0(
+          re[index], zeta0, zeta1, zeta2, zeta3);
+  re[index] = uu____0;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)0U, (int32_t)1976782, (int32_t)-846154, (int32_t)1400424,
+      (int32_t)3937738);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)1U, (int32_t)-1362209, (int32_t)-48306, (int32_t)3919660,
+      (int32_t)-554416);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)2U, (int32_t)-3545687, (int32_t)1612842, (int32_t)-976891,
+      (int32_t)183443);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)3U, (int32_t)-2286327, (int32_t)-420899, (int32_t)-2235985,
+      (int32_t)-2939036);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)4U, (int32_t)-3833893, (int32_t)-260646, (int32_t)-1104333,
+      (int32_t)-1667432);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)5U, (int32_t)1910376, (int32_t)-1803090, (int32_t)1723600,
+      (int32_t)-426683);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)6U, (int32_t)472078, (int32_t)1717735, (int32_t)-975884,
+      (int32_t)2213111);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)7U, (int32_t)269760, (int32_t)3866901, (int32_t)3523897,
+      (int32_t)-3038916);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)8U, (int32_t)-1799107, (int32_t)-3694233, (int32_t)1652634,
+      (int32_t)810149);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)9U, (int32_t)3014001, (int32_t)1616392, (int32_t)162844,
+      (int32_t)-3183426);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)10U, (int32_t)-1207385, (int32_t)185531, (int32_t)3369112,
+      (int32_t)1957272);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)11U, (int32_t)-164721, (int32_t)2454455, (int32_t)2432395,
+      (int32_t)-2013608);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)12U, (int32_t)-3776993, (int32_t)594136, (int32_t)-3724270,
+      (int32_t)-2584293);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)13U, (int32_t)-1846953, (int32_t)-1671176, (int32_t)-2831860,
+      (int32_t)-542412);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)14U, (int32_t)3406031, (int32_t)2235880, (int32_t)777191,
+      (int32_t)1500165);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)15U, (int32_t)-1374803, (int32_t)-2546312, (int32_t)1917081,
+      (int32_t)-1279661);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)16U, (int32_t)-1962642, (int32_t)3306115, (int32_t)1312455,
+      (int32_t)-451100);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)17U, (int32_t)-1430225, (int32_t)-3318210, (int32_t)1237275,
+      (int32_t)-1333058);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)18U, (int32_t)-1050970, (int32_t)1903435, (int32_t)1869119,
+      (int32_t)-2994039);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)19U, (int32_t)-3548272, (int32_t)2635921, (int32_t)1250494,
+      (int32_t)-3767016);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)20U, (int32_t)1595974, (int32_t)2486353, (int32_t)1247620,
+      (int32_t)4055324);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)21U, (int32_t)1265009, (int32_t)-2590150, (int32_t)2691481,
+      (int32_t)2842341);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)22U, (int32_t)203044, (int32_t)1735879, (int32_t)-3342277,
+      (int32_t)3437287);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)23U, (int32_t)4108315, (int32_t)-2437823, (int32_t)286988,
+      (int32_t)342297);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)24U, (int32_t)-3595838, (int32_t)-768622, (int32_t)-525098,
+      (int32_t)-3556995);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)25U, (int32_t)3207046, (int32_t)2031748, (int32_t)-3122442,
+      (int32_t)-655327);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)26U, (int32_t)-522500, (int32_t)-43260, (int32_t)-1613174,
+      (int32_t)495491);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)27U, (int32_t)819034, (int32_t)909542, (int32_t)1859098,
+      (int32_t)900702);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)28U, (int32_t)-3193378, (int32_t)-1197226, (int32_t)-3759364,
+      (int32_t)-3520352);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)29U, (int32_t)3513181, (int32_t)-1235728, (int32_t)2434439,
+      (int32_t)266997);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)30U, (int32_t)-3562462, (int32_t)-2446433, (int32_t)2244091,
+      (int32_t)-3342478);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round(
+      re, (size_t)31U, (int32_t)3817976, (int32_t)2316500, (int32_t)3407706,
+      (int32_t)2091667);
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    int32_t zeta0, int32_t zeta1) {
+  int32_t a_minus_b = simd_unit.coefficients[2U] - simd_unit.coefficients[0U];
+  simd_unit.coefficients[0U] =
+      simd_unit.coefficients[0U] + simd_unit.coefficients[2U];
+  simd_unit.coefficients[2U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b, zeta0);
+  int32_t a_minus_b0 = simd_unit.coefficients[3U] - simd_unit.coefficients[1U];
+  simd_unit.coefficients[1U] =
+      simd_unit.coefficients[1U] + simd_unit.coefficients[3U];
+  simd_unit.coefficients[3U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b0, zeta0);
+  int32_t a_minus_b1 = simd_unit.coefficients[6U] - simd_unit.coefficients[4U];
+  simd_unit.coefficients[4U] =
+      simd_unit.coefficients[4U] + simd_unit.coefficients[6U];
+  simd_unit.coefficients[6U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b1, zeta1);
+  int32_t a_minus_b2 = simd_unit.coefficients[7U] - simd_unit.coefficients[5U];
+  simd_unit.coefficients[5U] =
+      simd_unit.coefficients[5U] + simd_unit.coefficients[7U];
+  simd_unit.coefficients[7U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b2, zeta1);
+  return simd_unit;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index,
+    int32_t zeta_00, int32_t zeta_01) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+      libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1(
+          re[index], zeta_00, zeta_01);
+  re[index] = uu____0;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)0U, (int32_t)3839961, (int32_t)-3628969);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)1U, (int32_t)-3881060, (int32_t)-3019102);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)2U, (int32_t)-1439742, (int32_t)-812732);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)3U, (int32_t)-1584928, (int32_t)1285669);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)4U, (int32_t)1341330, (int32_t)1315589);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)5U, (int32_t)-177440, (int32_t)-2409325);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)6U, (int32_t)-1851402, (int32_t)3159746);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)7U, (int32_t)-3553272, (int32_t)189548);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)8U, (int32_t)-1316856, (int32_t)759969);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)9U, (int32_t)-210977, (int32_t)2389356);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)10U, (int32_t)-3249728, (int32_t)1653064);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)11U, (int32_t)-8578, (int32_t)-3724342);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)12U, (int32_t)3958618, (int32_t)904516);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)13U, (int32_t)-1100098, (int32_t)44288);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)14U, (int32_t)3097992, (int32_t)508951);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)15U, (int32_t)264944, (int32_t)-3343383);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)16U, (int32_t)-1430430, (int32_t)1852771);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)17U, (int32_t)1349076, (int32_t)-381987);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)18U, (int32_t)-1308169, (int32_t)-22981);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)19U, (int32_t)-1228525, (int32_t)-671102);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)20U, (int32_t)-2477047, (int32_t)-411027);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)21U, (int32_t)-3693493, (int32_t)-2967645);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)22U, (int32_t)2715295, (int32_t)2147896);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)23U, (int32_t)-983419, (int32_t)3412210);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)24U, (int32_t)126922, (int32_t)-3632928);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)25U, (int32_t)-3157330, (int32_t)-3190144);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)26U, (int32_t)-1000202, (int32_t)-4083598);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)27U, (int32_t)1939314, (int32_t)-1257611);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)28U, (int32_t)-1585221, (int32_t)2176455);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)29U, (int32_t)3475950, (int32_t)-1452451);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)30U, (int32_t)-3041255, (int32_t)-3677745);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round(
+      re, (size_t)31U, (int32_t)-1528703, (int32_t)-3930395);
+}
+
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    int32_t zeta) {
+  int32_t a_minus_b = simd_unit.coefficients[4U] - simd_unit.coefficients[0U];
+  simd_unit.coefficients[0U] =
+      simd_unit.coefficients[0U] + simd_unit.coefficients[4U];
+  simd_unit.coefficients[4U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b, zeta);
+  int32_t a_minus_b0 = simd_unit.coefficients[5U] - simd_unit.coefficients[1U];
+  simd_unit.coefficients[1U] =
+      simd_unit.coefficients[1U] + simd_unit.coefficients[5U];
+  simd_unit.coefficients[5U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b0, zeta);
+  int32_t a_minus_b1 = simd_unit.coefficients[6U] - simd_unit.coefficients[2U];
+  simd_unit.coefficients[2U] =
+      simd_unit.coefficients[2U] + simd_unit.coefficients[6U];
+  simd_unit.coefficients[6U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b1, zeta);
+  int32_t a_minus_b2 = simd_unit.coefficients[7U] - simd_unit.coefficients[3U];
+  simd_unit.coefficients[3U] =
+      simd_unit.coefficients[3U] + simd_unit.coefficients[7U];
+  simd_unit.coefficients[7U] =
+      libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer(
+          a_minus_b2, zeta);
+  return simd_unit;
+}
+
+static inline void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index,
+    int32_t zeta1) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+      libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2(
+          re[index], zeta1);
+  re[index] = uu____0;
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)0U, (int32_t)-2797779);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)1U, (int32_t)2071892);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)2U, (int32_t)-2556880);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)3U, (int32_t)3900724);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)4U, (int32_t)3881043);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)5U, (int32_t)954230);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)6U, (int32_t)531354);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)7U, (int32_t)811944);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)8U, (int32_t)3699596);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)9U, (int32_t)-1600420);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)10U, (int32_t)-2140649);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)11U, (int32_t)3507263);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)12U, (int32_t)-3821735);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)13U, (int32_t)3505694);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)14U, (int32_t)-1643818);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)15U, (int32_t)-1699267);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)16U, (int32_t)-539299);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)17U, (int32_t)2348700);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)18U, (int32_t)-300467);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)19U, (int32_t)3539968);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)20U, (int32_t)-2867647);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)21U, (int32_t)3574422);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)22U, (int32_t)-3043716);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)23U, (int32_t)-3861115);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)24U, (int32_t)3915439);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)25U, (int32_t)-2537516);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)26U, (int32_t)-3592148);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)27U, (int32_t)-1661693);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)28U, (int32_t)3530437);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)29U, (int32_t)3077325);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)30U, (int32_t)95776);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round(
+      re, (size_t)31U, (int32_t)2706023);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 1
+- ZETA= 280005
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)280005);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 2
+- STEP_BY= 1
+- ZETA= 4010497
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)4010497);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 4
+- STEP_BY= 1
+- ZETA= -19422
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-19422);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 6
+- STEP_BY= 1
+- ZETA= 1757237
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)1757237);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 8
+- STEP_BY= 1
+- ZETA= -3277672
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-3277672);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 10
+- STEP_BY= 1
+- ZETA= -1399561
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-1399561);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 12
+- STEP_BY= 1
+- ZETA= -3859737
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-3859737);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 14
+- STEP_BY= 1
+- ZETA= -2118186
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2118186);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 1
+- ZETA= -2108549
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2108549);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 18
+- STEP_BY= 1
+- ZETA= 2619752
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)2619752);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 20
+- STEP_BY= 1
+- ZETA= -1119584
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-1119584);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 22
+- STEP_BY= 1
+- ZETA= -549488
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-549488);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 24
+- STEP_BY= 1
+- ZETA= 3585928
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)3585928);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 26
+- STEP_BY= 1
+- ZETA= -1079900
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-1079900);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 28
+- STEP_BY= 1
+- ZETA= 1024112
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)1024112);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 30
+- STEP_BY= 1
+- ZETA= 2725464
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)1U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)2725464);
+    re[j + (size_t)1U] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 2
+- ZETA= 2680103
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)2U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)2680103);
+    re[j + (size_t)2U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 4
+- STEP_BY= 2
+- ZETA= 3111497
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)2U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)3111497);
+    re[j + (size_t)2U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 8
+- STEP_BY= 2
+- ZETA= -2884855
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)2U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2884855);
+    re[j + (size_t)2U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 12
+- STEP_BY= 2
+- ZETA= 3119733
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)2U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)3119733);
+    re[j + (size_t)2U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 2
+- ZETA= -2091905
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)2U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2091905);
+    re[j + (size_t)2U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 20
+- STEP_BY= 2
+- ZETA= -359251
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)2U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-359251);
+    re[j + (size_t)2U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 24
+- STEP_BY= 2
+- ZETA= 2353451
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)2U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)2353451);
+    re[j + (size_t)2U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 28
+- STEP_BY= 2
+- ZETA= 1826347
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)2U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)1826347);
+    re[j + (size_t)2U] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 4
+- ZETA= 466468
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)4U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)466468);
+    re[j + (size_t)4U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 8
+- STEP_BY= 4
+- ZETA= -876248
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)4U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-876248);
+    re[j + (size_t)4U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 4
+- ZETA= -777960
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)4U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-777960);
+    re[j + (size_t)4U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 24
+- STEP_BY= 4
+- ZETA= 237124
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)4U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)237124);
+    re[j + (size_t)4U] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 8
+- ZETA= -518909
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)8U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)8U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-518909);
+    re[j + (size_t)8U] = uu____1;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 16
+- STEP_BY= 8
+- ZETA= -2608894
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)8U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)8U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)-2608894);
+    re[j + (size_t)8U] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992(re);
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2(re);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus
+with const generics
+- OFFSET= 0
+- STEP_BY= 16
+- ZETA= 25847
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) {
+    size_t j = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b =
+        libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)16U],
+                                                         &re[j]);
+    re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j],
+                                                        &re[j + (size_t)16U]);
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            a_minus_b, (int32_t)25847);
+    re[j + (size_t)16U] = uu____1;
+  }
+}
+
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) {
+  libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993(re);
+}
+
+static inline void libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit re[32U],
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) {
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0(re);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1(re);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2(re);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3(re);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4(re);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5(re);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6(re);
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7(re);
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, re,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant(
+            re[i0], (int32_t)41978);
+    re[i0] = uu____0;
+  }
+  memcpy(ret, re,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline void libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_units[32U],
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+      copy_of_simd_units[32U];
+  memcpy(copy_of_simd_units, simd_units,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret0[32U];
+  libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery(copy_of_simd_units,
+                                                            ret0);
+  memcpy(ret, ret0,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+}
+
+typedef struct libcrux_ml_dsa_samplex4_portable_PortableSampler_s {
+} libcrux_ml_dsa_samplex4_portable_PortableSampler;
+
+/**
+A monomorphic instance of K.
+with types uint8_t[4032size_t], uint8_t[1952size_t]
+
+*/
+typedef struct tuple_a0_s {
+  uint8_t fst[4032U];
+  uint8_t snd[1952U];
+} tuple_a0;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.PolynomialRingElement
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+
+*/
+typedef struct libcrux_ml_dsa_polynomial_PolynomialRingElement_9b_s {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_units[32U];
+} libcrux_ml_dsa_polynomial_PolynomialRingElement_9b;
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.ZERO_ff
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_polynomial_ZERO_ff_ba(void) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b lit;
+  lit.simd_units[0U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[1U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[2U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[3U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[4U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[5U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[6U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[7U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[8U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[9U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[10U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[11U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[12U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[13U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[14U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[15U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[16U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[17U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[18U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[19U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[20U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[21U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[22U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[23U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[24U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[25U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[26U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[27U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[28U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[29U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[30U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  lit.simd_units[31U] = libcrux_ml_dsa_simd_portable_ZERO_36();
+  return lit;
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.sample.rejection_sample_less_than_field_modulus with types
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics
+
+*/
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+    Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) {
+  bool done = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(randomness, uint8_t) / (size_t)24U; i++) {
+    size_t _cloop_i = i;
+    Eurydice_slice random_bytes =
+        Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)24U,
+                                 _cloop_i * (size_t)24U + (size_t)24U, uint8_t);
+    if (!done) {
+      Eurydice_slice uu____0 = random_bytes;
+      size_t sampled =
+          libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_36(
+              uu____0, Eurydice_array_to_subslice_from((size_t)263U, out,
+                                                       sampled_coefficients[0U],
+                                                       int32_t, size_t));
+      sampled_coefficients[0U] = sampled_coefficients[0U] + sampled;
+      if (sampled_coefficients[0U] >=
+          LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
+        done = true;
+      }
+    }
+  }
+  return done;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.update_matrix
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static inline void libcrux_ml_dsa_sample_update_matrix_2f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*m)[5U], size_t i,
+    size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b v) {
+  m[i][j] = v;
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.from_i32_array_ff
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(Eurydice_slice array) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_from_coefficient_array_36(
+            Eurydice_slice_subslice2(
+                array,
+                i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT,
+                (i0 + (size_t)1U) *
+                    LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT,
+                int32_t));
+    result.simd_units[i0] = uu____0;
+  }
+  return result;
+}
+
+/**
+ Sample and write out up to four ring elements.
+
+ If i <= `elements_requested`, a field element with domain separated
+ seed according to the provided index is generated in
+ `tmp_stack[i]`. After successful rejection sampling in
+ `tmp_stack[i]`, the ring element is written to `matrix` at the
+ provided index in `indices[i]`.
+ `rand_stack` is a working buffer that holds initial Shake output.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_up_to_four_ring_elements
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49(
+    uint8_t seed0[34U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U],
+    uint8_t *rand_stack0, uint8_t *rand_stack1, uint8_t *rand_stack2,
+    uint8_t *rand_stack3, Eurydice_slice tmp_stack, uint8_t_x2 *indices,
+    size_t elements_requested) {
+  uint16_t domain_separator0 =
+      libcrux_ml_dsa_sample_generate_domain_separator(indices[0U]);
+  uint16_t domain_separator1 =
+      libcrux_ml_dsa_sample_generate_domain_separator(indices[1U]);
+  uint16_t domain_separator2 =
+      libcrux_ml_dsa_sample_generate_domain_separator(indices[2U]);
+  uint16_t domain_separator3 =
+      libcrux_ml_dsa_sample_generate_domain_separator(indices[3U]);
+  seed0[32U] = (uint8_t)domain_separator0;
+  seed0[33U] = (uint8_t)((uint32_t)domain_separator0 >> 8U);
+  uint8_t seed1[34U];
+  memcpy(seed1, seed0, (size_t)34U * sizeof(uint8_t));
+  seed1[32U] = (uint8_t)domain_separator1;
+  seed1[33U] = (uint8_t)((uint32_t)domain_separator1 >> 8U);
+  uint8_t seed2[34U];
+  memcpy(seed2, seed0, (size_t)34U * sizeof(uint8_t));
+  seed2[32U] = (uint8_t)domain_separator2;
+  seed2[33U] = (uint8_t)((uint32_t)domain_separator2 >> 8U);
+  uint8_t seed3[34U];
+  memcpy(seed3, seed0, (size_t)34U * sizeof(uint8_t));
+  seed3[32U] = (uint8_t)domain_separator3;
+  seed3[33U] = (uint8_t)((uint32_t)domain_separator3 >> 8U);
+  libcrux_ml_dsa_hash_functions_portable_Shake128X4 state =
+      libcrux_ml_dsa_hash_functions_portable_init_absorb_ed(
+          Eurydice_array_to_slice((size_t)34U, seed0, uint8_t),
+          Eurydice_array_to_slice((size_t)34U, seed1, uint8_t),
+          Eurydice_array_to_slice((size_t)34U, seed2, uint8_t),
+          Eurydice_array_to_slice((size_t)34U, seed3, uint8_t));
+  libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks_ed(
+      &state, rand_stack0, rand_stack1, rand_stack2, rand_stack3);
+  size_t sampled0 = (size_t)0U;
+  size_t sampled1 = (size_t)0U;
+  size_t sampled2 = (size_t)0U;
+  size_t sampled3 = (size_t)0U;
+  bool done0 =
+      libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+          Eurydice_array_to_slice((size_t)840U, rand_stack0, uint8_t),
+          &sampled0,
+          Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                               int32_t(*)[263U]));
+  bool done1 =
+      libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+          Eurydice_array_to_slice((size_t)840U, rand_stack1, uint8_t),
+          &sampled1,
+          Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                               int32_t(*)[263U]));
+  bool done2 =
+      libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+          Eurydice_array_to_slice((size_t)840U, rand_stack2, uint8_t),
+          &sampled2,
+          Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                               int32_t(*)[263U]));
+  bool done3 =
+      libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+          Eurydice_array_to_slice((size_t)840U, rand_stack3, uint8_t),
+          &sampled3,
+          Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                               int32_t(*)[263U]));
+  while (true) {
+    if (done0) {
+      if (done1) {
+        if (done2) {
+          if (done3) {
+            break;
+          } else {
+            uint8_t_168size_t__x4 randomnesses =
+                libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(
+                    &state);
+            if (!done0) {
+              done0 =
+                  libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                      Eurydice_array_to_slice((size_t)168U, randomnesses.fst,
+                                              uint8_t),
+                      &sampled0,
+                      Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                                           int32_t(*)[263U]));
+            }
+            if (!done1) {
+              done1 =
+                  libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                      Eurydice_array_to_slice((size_t)168U, randomnesses.snd,
+                                              uint8_t),
+                      &sampled1,
+                      Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                                           int32_t(*)[263U]));
+            }
+            if (!done2) {
+              done2 =
+                  libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                      Eurydice_array_to_slice((size_t)168U, randomnesses.thd,
+                                              uint8_t),
+                      &sampled2,
+                      Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                                           int32_t(*)[263U]));
+            }
+            if (!done3) {
+              done3 =
+                  libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                      Eurydice_array_to_slice((size_t)168U, randomnesses.f3,
+                                              uint8_t),
+                      &sampled3,
+                      Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                                           int32_t(*)[263U]));
+            }
+          }
+        } else {
+          uint8_t_168size_t__x4 randomnesses =
+              libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(
+                  &state);
+          if (!done0) {
+            done0 =
+                libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                    Eurydice_array_to_slice((size_t)168U, randomnesses.fst,
+                                            uint8_t),
+                    &sampled0,
+                    Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                                         int32_t(*)[263U]));
+          }
+          if (!done1) {
+            done1 =
+                libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                    Eurydice_array_to_slice((size_t)168U, randomnesses.snd,
+                                            uint8_t),
+                    &sampled1,
+                    Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                                         int32_t(*)[263U]));
+          }
+          if (!done2) {
+            done2 =
+                libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                    Eurydice_array_to_slice((size_t)168U, randomnesses.thd,
+                                            uint8_t),
+                    &sampled2,
+                    Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                                         int32_t(*)[263U]));
+          }
+          if (!done3) {
+            done3 =
+                libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                    Eurydice_array_to_slice((size_t)168U, randomnesses.f3,
+                                            uint8_t),
+                    &sampled3,
+                    Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                                         int32_t(*)[263U]));
+          }
+        }
+      } else {
+        uint8_t_168size_t__x4 randomnesses =
+            libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(
+                &state);
+        if (!done0) {
+          done0 =
+              libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                  Eurydice_array_to_slice((size_t)168U, randomnesses.fst,
+                                          uint8_t),
+                  &sampled0,
+                  Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                                       int32_t(*)[263U]));
+        }
+        if (!done1) {
+          done1 =
+              libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                  Eurydice_array_to_slice((size_t)168U, randomnesses.snd,
+                                          uint8_t),
+                  &sampled1,
+                  Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                                       int32_t(*)[263U]));
+        }
+        if (!done2) {
+          done2 =
+              libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                  Eurydice_array_to_slice((size_t)168U, randomnesses.thd,
+                                          uint8_t),
+                  &sampled2,
+                  Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                                       int32_t(*)[263U]));
+        }
+        if (!done3) {
+          done3 =
+              libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                  Eurydice_array_to_slice((size_t)168U, randomnesses.f3,
+                                          uint8_t),
+                  &sampled3,
+                  Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                                       int32_t(*)[263U]));
+        }
+      }
+    } else {
+      uint8_t_168size_t__x4 randomnesses =
+          libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(&state);
+      if (!done0) {
+        done0 =
+            libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                Eurydice_array_to_slice((size_t)168U, randomnesses.fst,
+                                        uint8_t),
+                &sampled0,
+                Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U],
+                                     int32_t(*)[263U]));
+      }
+      if (!done1) {
+        done1 =
+            libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                Eurydice_array_to_slice((size_t)168U, randomnesses.snd,
+                                        uint8_t),
+                &sampled1,
+                Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U],
+                                     int32_t(*)[263U]));
+      }
+      if (!done2) {
+        done2 =
+            libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                Eurydice_array_to_slice((size_t)168U, randomnesses.thd,
+                                        uint8_t),
+                &sampled2,
+                Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U],
+                                     int32_t(*)[263U]));
+      }
+      if (!done3) {
+        done3 =
+            libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba(
+                Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t),
+                &sampled3,
+                Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U],
+                                     int32_t(*)[263U]));
+      }
+    }
+  }
+  for (size_t i0 = (size_t)0U; i0 < elements_requested; i0++) {
+    size_t k = i0;
+    size_t uu____0 = k;
+    uint8_t i = indices[uu____0].fst;
+    uint8_t j = indices[uu____0].snd;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b(*uu____1)[5U] = matrix;
+    size_t uu____2 = (size_t)i;
+    size_t uu____3 = (size_t)j;
+    libcrux_ml_dsa_sample_update_matrix_2f(
+        uu____1, uu____2, uu____3,
+        libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(Eurydice_array_to_slice(
+            (size_t)263U,
+            Eurydice_slice_index(tmp_stack, k, int32_t[263U], int32_t(*)[263U]),
+            int32_t)));
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_6_by_5
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_49(
+    uint8_t seed[34U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A[6U][5U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+    A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+    A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+    A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+    A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  uint8_t rand_stack0[840U] = {0U};
+  uint8_t rand_stack1[840U] = {0U};
+  uint8_t rand_stack2[840U] = {0U};
+  uint8_t rand_stack3[840U] = {0U};
+  int32_t tmp_stack[4U][263U] = {{0U}};
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed[34U];
+  memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}),
+                         (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49(
+      copy_of_seed, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed0[34U];
+  memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}),
+                         (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 2U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49(
+      copy_of_seed0, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed1[34U];
+  memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}),
+                         (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 4U}),
+                         (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 1U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49(
+      copy_of_seed1, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed2[34U];
+  memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}),
+                         (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 3U}),
+                         (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 4U}),
+                         (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 0U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49(
+      copy_of_seed2, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed3[34U];
+  memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 2U}),
+                         (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 3U}),
+                         (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 4U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49(
+      copy_of_seed3, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed4[34U];
+  memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 2U}),
+                         (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 3U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49(
+      copy_of_seed4, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed5[34U];
+  memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}),
+                         (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 0U}),
+                         (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 1U}),
+                         (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 2U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49(
+      copy_of_seed5, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6,
+      (size_t)4U);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed6[34U];
+  memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t));
+  uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}),
+                        (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}),
+                        (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}),
+                        (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})};
+  libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49(
+      copy_of_seed6, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3,
+      Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf,
+      (size_t)2U);
+  memcpy(ret, A,
+         (size_t)6U *
+             sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_generic
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static inline void libcrux_ml_dsa_samplex4_matrix_A_generic_49(
+    uint8_t seed[34U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) {
+  uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U};
+  switch (uu____0.fst) {
+    case 6U: {
+      switch (uu____0.snd) {
+        case 5U: {
+          /* Passing arrays by value in Rust generates a copy in C */
+          uint8_t copy_of_seed[34U];
+          memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t));
+          libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U];
+          libcrux_ml_dsa_samplex4_matrix_A_6_by_5_49(copy_of_seed, ret0);
+          memcpy(
+              ret, ret0,
+              (size_t)6U *
+                  sizeof(
+                      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]));
+          return;
+        }
+        default: {
+        }
+      }
+      break;
+    }
+    default: {
+    }
+  }
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for
+libcrux_ml_dsa::samplex4::portable::PortableSampler)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.portable.matrix_A_36
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(
+    uint8_t seed[34U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed[34U];
+  memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U];
+  libcrux_ml_dsa_samplex4_matrix_A_generic_49(copy_of_seed, ret0);
+  memcpy(ret, ret0,
+         (size_t)6U *
+             sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]));
+}
+
+/**
+A monomorphic instance of K.
+with types libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[5size_t],
+libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t]
+
+*/
+typedef struct tuple_ce_s {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst[5U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U];
+} tuple_ce;
+
+typedef struct
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4_s {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b thd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f3;
+} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4;
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics
+
+*/
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_ba(
+    Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) {
+  bool done = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) {
+    size_t _cloop_i = i;
+    Eurydice_slice random_bytes =
+        Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U,
+                                 _cloop_i * (size_t)4U + (size_t)4U, uint8_t);
+    if (!done) {
+      Eurydice_slice uu____0 = random_bytes;
+      size_t sampled =
+          libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_36(
+              uu____0, Eurydice_array_to_subslice_from((size_t)263U, out,
+                                                       sampled_coefficients[0U],
+                                                       int32_t, size_t));
+      sampled_coefficients[0U] = sampled_coefficients[0U] + sampled;
+      if (sampled_coefficients[0U] >=
+          LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
+        done = true;
+      }
+    }
+  }
+  return done;
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_4 with types
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics
+
+*/
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ba(
+    Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) {
+  bool done = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) {
+    size_t _cloop_i = i;
+    Eurydice_slice random_bytes =
+        Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U,
+                                 _cloop_i * (size_t)4U + (size_t)4U, uint8_t);
+    if (!done) {
+      Eurydice_slice uu____0 = random_bytes;
+      size_t sampled =
+          libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36(
+              uu____0, Eurydice_array_to_subslice_from((size_t)263U, out,
+                                                       sampled_coefficients[0U],
+                                                       int32_t, size_t));
+      sampled_coefficients[0U] = sampled_coefficients[0U] + sampled;
+      if (sampled_coefficients[0U] >=
+          LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
+        done = true;
+      }
+    }
+  }
+  return done;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ETA= 4
+*/
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+    Eurydice_slice randomness, size_t *sampled, int32_t *out) {
+  return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ba(
+      randomness, sampled, out);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_four_error_ring_elements
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics
+- ETA= 4
+*/
+static KRML_MUSTINLINE
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4
+    libcrux_ml_dsa_sample_sample_four_error_ring_elements_92(
+        uint8_t seed_base[66U], uint16_t domain_separator0,
+        uint16_t domain_separator1, uint16_t domain_seperator2,
+        uint16_t domain_separator3) {
+  uint8_t seed0[66U];
+  memcpy(seed0, seed_base, (size_t)66U * sizeof(uint8_t));
+  seed0[64U] = (uint8_t)domain_separator0;
+  seed0[65U] = (uint8_t)((uint32_t)domain_separator0 >> 8U);
+  uint8_t seed1[66U];
+  memcpy(seed1, seed0, (size_t)66U * sizeof(uint8_t));
+  seed1[64U] = (uint8_t)domain_separator1;
+  seed1[65U] = (uint8_t)((uint32_t)domain_separator1 >> 8U);
+  uint8_t seed2[66U];
+  memcpy(seed2, seed0, (size_t)66U * sizeof(uint8_t));
+  seed2[64U] = (uint8_t)domain_seperator2;
+  seed2[65U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U);
+  uint8_t seed3[66U];
+  memcpy(seed3, seed0, (size_t)66U * sizeof(uint8_t));
+  seed3[64U] = (uint8_t)domain_separator3;
+  seed3[65U] = (uint8_t)((uint32_t)domain_separator3 >> 8U);
+  libcrux_ml_dsa_hash_functions_portable_Shake256X4 state =
+      libcrux_ml_dsa_hash_functions_portable_init_absorb_x4_50(
+          Eurydice_array_to_slice((size_t)66U, seed0, uint8_t),
+          Eurydice_array_to_slice((size_t)66U, seed1, uint8_t),
+          Eurydice_array_to_slice((size_t)66U, seed2, uint8_t),
+          Eurydice_array_to_slice((size_t)66U, seed3, uint8_t));
+  uint8_t_136size_t__x4 randomnesses0 =
+      libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4_50(&state);
+  int32_t out0[263U] = {0U};
+  int32_t out1[263U] = {0U};
+  int32_t out2[263U] = {0U};
+  int32_t out3[263U] = {0U};
+  size_t sampled0 = (size_t)0U;
+  size_t sampled1 = (size_t)0U;
+  size_t sampled2 = (size_t)0U;
+  size_t sampled3 = (size_t)0U;
+  bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+      Eurydice_array_to_slice((size_t)136U, randomnesses0.fst, uint8_t),
+      &sampled0, out0);
+  bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+      Eurydice_array_to_slice((size_t)136U, randomnesses0.snd, uint8_t),
+      &sampled1, out1);
+  bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+      Eurydice_array_to_slice((size_t)136U, randomnesses0.thd, uint8_t),
+      &sampled2, out2);
+  bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+      Eurydice_array_to_slice((size_t)136U, randomnesses0.f3, uint8_t),
+      &sampled3, out3);
+  while (true) {
+    if (done0) {
+      if (done1) {
+        if (done2) {
+          if (done3) {
+            break;
+          } else {
+            uint8_t_136size_t__x4 randomnesses =
+                libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50(
+                    &state);
+            if (!done0) {
+              done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+                  Eurydice_array_to_slice((size_t)136U, randomnesses.fst,
+                                          uint8_t),
+                  &sampled0, out0);
+            }
+            if (!done1) {
+              done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+                  Eurydice_array_to_slice((size_t)136U, randomnesses.snd,
+                                          uint8_t),
+                  &sampled1, out1);
+            }
+            if (!done2) {
+              done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+                  Eurydice_array_to_slice((size_t)136U, randomnesses.thd,
+                                          uint8_t),
+                  &sampled2, out2);
+            }
+            if (!done3) {
+              done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+                  Eurydice_array_to_slice((size_t)136U, randomnesses.f3,
+                                          uint8_t),
+                  &sampled3, out3);
+            }
+          }
+        } else {
+          uint8_t_136size_t__x4 randomnesses =
+              libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50(
+                  &state);
+          if (!done0) {
+            done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+                Eurydice_array_to_slice((size_t)136U, randomnesses.fst,
+                                        uint8_t),
+                &sampled0, out0);
+          }
+          if (!done1) {
+            done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+                Eurydice_array_to_slice((size_t)136U, randomnesses.snd,
+                                        uint8_t),
+                &sampled1, out1);
+          }
+          if (!done2) {
+            done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+                Eurydice_array_to_slice((size_t)136U, randomnesses.thd,
+                                        uint8_t),
+                &sampled2, out2);
+          }
+          if (!done3) {
+            done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+                Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t),
+                &sampled3, out3);
+          }
+        }
+      } else {
+        uint8_t_136size_t__x4 randomnesses =
+            libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50(
+                &state);
+        if (!done0) {
+          done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+              Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t),
+              &sampled0, out0);
+        }
+        if (!done1) {
+          done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+              Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t),
+              &sampled1, out1);
+        }
+        if (!done2) {
+          done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+              Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t),
+              &sampled2, out2);
+        }
+        if (!done3) {
+          done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+              Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t),
+              &sampled3, out3);
+        }
+      }
+    } else {
+      uint8_t_136size_t__x4 randomnesses =
+          libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50(
+              &state);
+      if (!done0) {
+        done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+            Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t),
+            &sampled0, out0);
+      }
+      if (!done1) {
+        done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+            Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t),
+            &sampled1, out1);
+      }
+      if (!done2) {
+        done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+            Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t),
+            &sampled2, out2);
+      }
+      if (!done3) {
+        done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73(
+            Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t),
+            &sampled3, out3);
+      }
+    }
+  }
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+      libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(
+          Eurydice_array_to_slice((size_t)263U, out0, int32_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 =
+      libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(
+          Eurydice_array_to_slice((size_t)263U, out1, int32_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 =
+      libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(
+          Eurydice_array_to_slice((size_t)263U, out2, int32_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4
+      lit;
+  lit.fst = uu____0;
+  lit.snd = uu____1;
+  lit.thd = uu____2;
+  lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(
+      Eurydice_array_to_slice((size_t)263U, out3, int32_t));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_5_by_6
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics
+- ETA= 4
+- S1_DIMENSION= 5
+- S2_DIMENSION= 6
+*/
+static KRML_MUSTINLINE tuple_ce
+libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_fe(uint8_t seed_base[66U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed_base[66U];
+  memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4
+      four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92(
+          copy_of_seed_base, 0U, 1U, 2U, 3U);
+  s1[0U] = four.fst;
+  s1[1U] = four.snd;
+  s1[2U] = four.thd;
+  s1[3U] = four.f3;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed_base0[66U];
+  memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4
+      four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92(
+          copy_of_seed_base0, 4U, 5U, 6U, 7U);
+  s1[4U] = four0.fst;
+  s2[0U] = four0.snd;
+  s2[1U] = four0.thd;
+  s2[2U] = four0.f3;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed_base1[66U];
+  memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4
+      four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92(
+          copy_of_seed_base1, 8U, 9U, 10U, 11U);
+  s2[3U] = four1.fst;
+  s2[4U] = four1.snd;
+  s2[5U] = four1.thd;
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U];
+  memcpy(
+      copy_of_s1, s1,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U];
+  memcpy(
+      copy_of_s2, s2,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  tuple_ce lit;
+  memcpy(
+      lit.fst, copy_of_s1,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  memcpy(
+      lit.snd, copy_of_s2,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics
+- ETA= 4
+- S1_DIMENSION= 5
+- S2_DIMENSION= 6
+*/
+static KRML_MUSTINLINE tuple_ce
+libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(uint8_t seed[66U]) {
+  uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)5U, .snd = (uint8_t)(size_t)6U};
+  switch (uu____0.fst) {
+    case 5U: {
+      switch (uu____0.snd) {
+        case 6U: {
+          /* Passing arrays by value in Rust generates a copy in C */
+          uint8_t copy_of_seed[66U];
+          memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t));
+          return libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_fe(
+              copy_of_seed);
+        }
+        default: {
+        }
+      }
+      break;
+    }
+    default: {
+    }
+  }
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ntt.ntt
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_ntt_ntt_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0[32U];
+  memcpy(uu____0, re.simd_units,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b lit;
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U];
+  libcrux_ml_dsa_simd_portable_ntt_36(uu____0, ret);
+  memcpy(lit.simd_units, ret,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2.closure
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_2f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s) {
+  return libcrux_ml_dsa_ntt_ntt_ba(s);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ntt.ntt_multiply_montgomery
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b out =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, out.simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_montgomery_multiply_36(
+            lhs->simd_units[i0], rhs->simd_units[i0]);
+    out.simd_units[i0] = uu____0;
+  }
+  return out;
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.add_ff
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_polynomial_add_ff_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b sum =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, sum.simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_add_36(&self->simd_units[i0],
+                                            &rhs->simd_units[i0]);
+    sum.simd_units[i0] = uu____0;
+  }
+  return sum;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ntt.invert_ntt_montgomery
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0[32U];
+  memcpy(uu____0, re.simd_units,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b lit;
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U];
+  libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_36(uu____0, ret);
+  memcpy(lit.simd_units, ret,
+         (size_t)32U *
+             sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit));
+  return lit;
+}
+
+/**
+ Compute InvertNTT(Â ◦ ŝ₁) + s₂
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*A_as_ntt)[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s1,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s2,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U];
+  memcpy(
+      copy_of_s1, s1,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_ntt[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    s1_ntt[i] =
+        libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_2f(copy_of_s1[i]);
+  }
+  for (size_t i0 = (size_t)0U;
+       i0 < Eurydice_slice_len(
+                Eurydice_array_to_slice(
+                    (size_t)6U, A_as_ntt,
+                    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]),
+                libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]);
+       i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *row = A_as_ntt[i1];
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)5U, row,
+                     libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+                 libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element =
+          &row[j];
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product =
+          libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(ring_element,
+                                                        &s1_ntt[j]);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 =
+          libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product);
+      result[i1] = uu____1;
+    }
+    result[i1] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(result[i1]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____3 =
+        libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &s2[i1]);
+    result[i1] = uu____3;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+typedef struct
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2_s {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst[6U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U];
+} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.power2round_vector
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+static KRML_MUSTINLINE
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2
+    libcrux_ml_dsa_arithmetic_power2round_vector_07(
+        libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    t0[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i0 = (size_t)0U;
+       i0 < Eurydice_slice_len(
+                Eurydice_array_to_slice(
+                    (size_t)6U, t,
+                    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+                libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = &t[i1];
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)32U, ring_element->simd_units,
+                     libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+                 libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit =
+          &ring_element->simd_units[j];
+      libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 uu____0 =
+          libcrux_ml_dsa_simd_portable_power2round_36(simd_unit[0U]);
+      libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t0_unit =
+          uu____0.fst;
+      libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t1_unit =
+          uu____0.snd;
+      t0[i1].simd_units[j] = t0_unit;
+      t1[i1].simd_units[j] = t1_unit;
+    }
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0[6U];
+  memcpy(
+      copy_of_t0, t0,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U];
+  memcpy(
+      copy_of_t1, t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2
+      lit;
+  memcpy(
+      lit.fst, copy_of_t0,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  memcpy(
+      lit.snd, copy_of_t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.t1.serialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, uint8_t ret[320U]) {
+  uint8_t serialized[320U] = {0U};
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, re.simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit =
+        &re.simd_units[i0];
+    Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+        serialized,
+        i0 * LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT,
+        (i0 + (size_t)1U) *
+            LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT,
+        uint8_t);
+    uint8_t ret0[10U];
+    libcrux_ml_dsa_simd_portable_t1_serialize_36(simd_unit[0U], ret0);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)10U, ret0, uint8_t), uint8_t);
+  }
+  memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t));
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.verification_key.generate_serialized with types
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics
+- ROWS_IN_A= 6
+- VERIFICATION_KEY_SIZE= 1952
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_verification_key_generate_serialized_2f(
+    Eurydice_slice seed_for_A,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U],
+    uint8_t ret[1952U]) {
+  uint8_t verification_key_serialized[1952U] = {0U};
+  Eurydice_slice_copy(Eurydice_array_to_subslice2(
+                          verification_key_serialized, (size_t)0U,
+                          LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t),
+                      seed_for_A, uint8_t);
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, t1,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = &t1[i0];
+    size_t offset = LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE +
+                    i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE;
+    Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+        verification_key_serialized, offset,
+        offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t);
+    uint8_t ret0[320U];
+    libcrux_ml_dsa_encoding_t1_serialize_ba(ring_element[0U], ret0);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)320U, ret0, uint8_t), uint8_t);
+  }
+  memcpy(ret, verification_key_serialized, (size_t)1952U * sizeof(uint8_t));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256
+with const generics
+- OUTPUT_LENGTH= 64
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_24(
+    Eurydice_slice input, uint8_t *out) {
+  libcrux_sha3_portable_shake256(
+      Eurydice_array_to_slice((size_t)64U, out, uint8_t), input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::portable::Shake256)#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c
+with const generics
+- OUTPUT_LENGTH= 64
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(Eurydice_slice input,
+                                                      uint8_t *out) {
+  libcrux_ml_dsa_hash_functions_portable_shake256_24(input, out);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.encoding.error.serialize
+with const generics
+- ETA= 4
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_encoding_error_serialize_ac(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4(
+      simd_unit, serialized);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.error_serialize_36
+with const generics
+- ETA= 4
+*/
+static inline void libcrux_ml_dsa_simd_portable_error_serialize_36_ac(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_encoding_error_serialize_ac(simd_unit,
+                                                           serialized);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.error.serialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ETA= 4
+- OUTPUT_SIZE= 128
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_ea(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re,
+    Eurydice_slice serialized) {
+  size_t output_bytes_per_simd_unit;
+  output_bytes_per_simd_unit = (size_t)4U;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, re.simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit =
+        &re.simd_units[i0];
+    libcrux_ml_dsa_simd_portable_error_serialize_36_ac(
+        simd_unit[0U],
+        Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit,
+                                 (i0 + (size_t)1U) * output_bytes_per_simd_unit,
+                                 uint8_t));
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.t0.serialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re,
+    Eurydice_slice serialized) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, re.simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit =
+        &re.simd_units[i0];
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT,
+        (i0 + (size_t)1U) *
+            LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT,
+        uint8_t);
+    uint8_t ret[13U];
+    libcrux_ml_dsa_simd_portable_t0_serialize_36(simd_unit[0U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)13U, ret, uint8_t), uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.signing_key.generate_serialized with types
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- SIGNING_KEY_SIZE= 4032
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2(
+    Eurydice_slice seed_for_A, Eurydice_slice seed_for_signing,
+    Eurydice_slice verification_key,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U],
+    uint8_t ret[4032U]) {
+  uint8_t signing_key_serialized[4032U] = {0U};
+  size_t offset = (size_t)0U;
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(
+          signing_key_serialized, offset,
+          offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t),
+      seed_for_A, uint8_t);
+  offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE;
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(
+          signing_key_serialized, offset,
+          offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, uint8_t),
+      seed_for_signing, uint8_t);
+  offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE;
+  uint8_t verification_key_hash[64U] = {0U};
+  libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(verification_key,
+                                                        verification_key_hash);
+  Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+      signing_key_serialized, offset,
+      offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH,
+      uint8_t);
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t),
+      uint8_t);
+  offset = offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)5U, s1,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element =
+        &s1[_cloop_j];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 =
+        ring_element[0U];
+    libcrux_ml_dsa_encoding_error_serialize_ea(
+        uu____1, Eurydice_array_to_subslice2(signing_key_serialized, offset,
+                                             offset + (size_t)128U, uint8_t));
+    offset = offset + (size_t)128U;
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, s2,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element =
+        &s2[_cloop_j];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 =
+        ring_element[0U];
+    libcrux_ml_dsa_encoding_error_serialize_ea(
+        uu____2, Eurydice_array_to_subslice2(signing_key_serialized, offset,
+                                             offset + (size_t)128U, uint8_t));
+    offset = offset + (size_t)128U;
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, t0,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element =
+        &t0[_cloop_j];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____3 =
+        ring_element[0U];
+    libcrux_ml_dsa_encoding_t0_serialize_ba(
+        uu____3, Eurydice_array_to_subslice2(
+                     signing_key_serialized, offset,
+                     offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE,
+                     uint8_t));
+    offset = offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE;
+  }
+  memcpy(ret, signing_key_serialized, (size_t)4032U * sizeof(uint8_t));
+}
+
+/**
+ Generate a key pair.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.generate_key_pair
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_samplex4_portable_PortableSampler,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4,
+libcrux_ml_dsa_hash_functions_portable_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- SIGNING_KEY_SIZE= 4032
+- VERIFICATION_KEY_SIZE= 1952
+*/
+static KRML_MUSTINLINE tuple_a0
+libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_c3(uint8_t randomness[32U]) {
+  uint8_t seed_expanded0[128U] = {0U};
+  libcrux_sha3_portable_incremental_Shake256Xof shake =
+      libcrux_ml_dsa_hash_functions_portable_init_83();
+  libcrux_ml_dsa_hash_functions_portable_absorb_83(
+      &shake, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t));
+  uint8_t buf[2U] = {(uint8_t)(size_t)6U, (uint8_t)(size_t)5U};
+  libcrux_ml_dsa_hash_functions_portable_absorb_final_83(
+      &shake, Eurydice_array_to_slice((size_t)2U, buf, uint8_t));
+  libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+      &shake, Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t));
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
+      Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t),
+      LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t,
+      Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_a = uu____0.fst;
+  Eurydice_slice seed_expanded = uu____0.snd;
+  Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at(
+      seed_expanded, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_ERROR_VECTORS_SIZE,
+      uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_error_vectors = uu____1.fst;
+  Eurydice_slice seed_for_signing = uu____1.snd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b a_as_ntt[6U][5U];
+  uint8_t ret[34U];
+  libcrux_ml_dsa_utils_into_padded_array_b6(seed_for_a, ret);
+  libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(ret, a_as_ntt);
+  uint8_t ret0[66U];
+  libcrux_ml_dsa_utils_into_padded_array_20(seed_for_error_vectors, ret0);
+  tuple_ce uu____2 = libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(ret0);
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U];
+  memcpy(
+      s1, uu____2.fst,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U];
+  memcpy(
+      s2, uu____2.snd,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U];
+  libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f(a_as_ntt, s1, s2, t);
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t[6U];
+  memcpy(
+      copy_of_t, t,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2
+      uu____4 = libcrux_ml_dsa_arithmetic_power2round_vector_07(copy_of_t);
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U];
+  memcpy(
+      t0, uu____4.fst,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U];
+  memcpy(
+      t1, uu____4.snd,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  Eurydice_slice uu____5 = seed_for_a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U];
+  memcpy(
+      copy_of_t1, t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  uint8_t verification_key_serialized[1952U];
+  libcrux_ml_dsa_encoding_verification_key_generate_serialized_2f(
+      uu____5, copy_of_t1, verification_key_serialized);
+  Eurydice_slice uu____7 = seed_for_a;
+  Eurydice_slice uu____8 = seed_for_signing;
+  Eurydice_slice uu____9 = Eurydice_array_to_slice(
+      (size_t)1952U, verification_key_serialized, uint8_t);
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U];
+  memcpy(
+      copy_of_s1, s1,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U];
+  memcpy(
+      copy_of_s2, s2,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0[6U];
+  memcpy(
+      copy_of_t0, t0,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  uint8_t signing_key_serialized[4032U];
+  libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2(
+      uu____7, uu____8, uu____9, copy_of_s1, copy_of_s2, copy_of_t0,
+      signing_key_serialized);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_signing_key_serialized[4032U];
+  memcpy(copy_of_signing_key_serialized, signing_key_serialized,
+         (size_t)4032U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_verification_key_serialized[1952U];
+  memcpy(copy_of_verification_key_serialized, verification_key_serialized,
+         (size_t)1952U * sizeof(uint8_t));
+  tuple_a0 lit;
+  memcpy(lit.fst, copy_of_signing_key_serialized,
+         (size_t)4032U * sizeof(uint8_t));
+  memcpy(lit.snd, copy_of_verification_key_serialized,
+         (size_t)1952U * sizeof(uint8_t));
+  return lit;
+}
+
+/**
+ Generate key pair.
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.generate_key_pair with
+const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- SIGNING_KEY_SIZE= 4032
+- VERIFICATION_KEY_SIZE= 1952
+*/
+static inline tuple_a0
+libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_52(
+    uint8_t randomness[32U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_c3(copy_of_randomness);
+}
+
+/**
+ Generate an ML-DSA-65 Key Pair
+*/
+static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair
+libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  tuple_a0 uu____1 =
+      libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_52(
+          copy_of_randomness);
+  uint8_t signing_key[4032U];
+  memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t));
+  uint8_t verification_key[1952U];
+  memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_signing_key[4032U];
+  memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t));
+  libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 =
+      libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_verification_key[1952U];
+  memcpy(copy_of_verification_key, verification_key,
+         (size_t)1952U * sizeof(uint8_t));
+  libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit;
+  lit.signing_key = uu____3;
+  lit.verification_key =
+      libcrux_ml_dsa_types_new_66_97(copy_of_verification_key);
+  return lit;
+}
+
+/**
+A monomorphic instance of K.
+with types int32_t[256size_t][6size_t], size_t
+
+*/
+typedef struct tuple_e6_s {
+  int32_t fst[6U][256U];
+  size_t snd;
+} tuple_e6;
+
+/**
+A monomorphic instance of core.option.Option
+with types libcrux_ml_dsa_pre_hash_DomainSeparationContext
+
+*/
+typedef struct Option_84_s {
+  Option_d8_tags tag;
+  libcrux_ml_dsa_pre_hash_DomainSeparationContext f0;
+} Option_84;
+
+/**
+A monomorphic instance of K.
+with types uint8_t[32size_t], uint8_t[32size_t], uint8_t[64size_t],
+libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[5size_t],
+libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t],
+libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t]
+
+*/
+typedef struct tuple_f0_s {
+  uint8_t fst[32U];
+  uint8_t snd[32U];
+  uint8_t thd[64U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f3[5U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f4[6U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f5[6U];
+} tuple_f0;
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.portable.encoding.error.deserialize with const generics
+- ETA= 4
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_encoding_error_deserialize_ac(
+    Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4(
+      serialized);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.error_deserialize_36
+with const generics
+- ETA= 4
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_error_deserialize_36_ac(
+    Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_portable_encoding_error_deserialize_ac(serialized);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.error.deserialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ETA= 4
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_deserialize_73(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) {
+  size_t chunk_size;
+  chunk_size = (size_t)4U;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, result->simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_error_deserialize_36_ac(
+            Eurydice_slice_subslice2(serialized, i0 * chunk_size,
+                                     (i0 + (size_t)1U) * chunk_size, uint8_t));
+    result->simd_units[i0] = uu____0;
+  }
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics
+- DIMENSION= 5
+- ETA= 4
+- RING_ELEMENT_SIZE= 128
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_76(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ring_elements[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) {
+    size_t i0 = i;
+    Eurydice_slice bytes =
+        Eurydice_slice_subslice2(serialized, i0 * (size_t)128U,
+                                 i0 * (size_t)128U + (size_t)128U, uint8_t);
+    libcrux_ml_dsa_encoding_error_deserialize_73(bytes, &ring_elements[i0]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        libcrux_ml_dsa_ntt_ntt_ba(ring_elements[i0]);
+    ring_elements[i0] = uu____0;
+  }
+  memcpy(
+      ret, ring_elements,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics
+- DIMENSION= 6
+- ETA= 4
+- RING_ELEMENT_SIZE= 128
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5d(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ring_elements[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) {
+    size_t i0 = i;
+    Eurydice_slice bytes =
+        Eurydice_slice_subslice2(serialized, i0 * (size_t)128U,
+                                 i0 * (size_t)128U + (size_t)128U, uint8_t);
+    libcrux_ml_dsa_encoding_error_deserialize_73(bytes, &ring_elements[i0]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        libcrux_ml_dsa_ntt_ntt_ba(ring_elements[i0]);
+    ring_elements[i0] = uu____0;
+  }
+  memcpy(
+      ret, ring_elements,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.t0.deserialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_deserialize_ba(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, result->simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_t0_deserialize_36(Eurydice_slice_subslice2(
+            serialized,
+            i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT,
+            (i0 + (size_t)1U) *
+                LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT,
+            uint8_t));
+    result->simd_units[i0] = uu____0;
+  }
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.t0.deserialize_to_vector_then_ntt with types
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics
+- DIMENSION= 6
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_07(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ring_elements[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(serialized, uint8_t) /
+               LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE;
+       i++) {
+    size_t i0 = i;
+    Eurydice_slice bytes = Eurydice_slice_subslice2(
+        serialized, i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE,
+        i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE +
+            LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE,
+        uint8_t);
+    libcrux_ml_dsa_encoding_t0_deserialize_ba(bytes, &ring_elements[i0]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        libcrux_ml_dsa_ntt_ntt_ba(ring_elements[i0]);
+    ring_elements[i0] = uu____0;
+  }
+  memcpy(
+      ret, ring_elements,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.encoding.signing_key.deserialize_then_ntt with types
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- SIGNING_KEY_SIZE= 4032
+*/
+static KRML_MUSTINLINE tuple_f0
+libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_c6(
+    uint8_t *serialized) {
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
+      Eurydice_array_to_slice((size_t)4032U, serialized, uint8_t),
+      LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t,
+      Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_A = uu____0.fst;
+  Eurydice_slice remaining_serialized0 = uu____0.snd;
+  Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at(
+      remaining_serialized0, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE,
+      uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_signing = uu____1.fst;
+  Eurydice_slice remaining_serialized1 = uu____1.snd;
+  Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at(
+      remaining_serialized1,
+      LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, uint8_t,
+      Eurydice_slice_uint8_t_x2);
+  Eurydice_slice verification_key_hash = uu____2.fst;
+  Eurydice_slice remaining_serialized2 = uu____2.snd;
+  Eurydice_slice_uint8_t_x2 uu____3 =
+      Eurydice_slice_split_at(remaining_serialized2, (size_t)128U * (size_t)5U,
+                              uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice s1_serialized = uu____3.fst;
+  Eurydice_slice remaining_serialized = uu____3.snd;
+  Eurydice_slice_uint8_t_x2 uu____4 =
+      Eurydice_slice_split_at(remaining_serialized, (size_t)128U * (size_t)6U,
+                              uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice s2_serialized = uu____4.fst;
+  Eurydice_slice t0_serialized = uu____4.snd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_as_ntt[5U];
+  libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_76(s1_serialized,
+                                                                  s1_as_ntt);
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2_as_ntt[6U];
+  libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5d(s2_serialized,
+                                                                  s2_as_ntt);
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0_as_ntt[6U];
+  libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_07(t0_serialized,
+                                                               t0_as_ntt);
+  uint8_t uu____5[32U];
+  Result_fb dst0;
+  Eurydice_slice_to_array2(&dst0, seed_for_A, Eurydice_slice, uint8_t[32U]);
+  unwrap_26_b3(dst0, uu____5);
+  uint8_t uu____6[32U];
+  Result_fb dst1;
+  Eurydice_slice_to_array2(&dst1, seed_for_signing, Eurydice_slice,
+                           uint8_t[32U]);
+  unwrap_26_b3(dst1, uu____6);
+  uint8_t uu____7[64U];
+  Result_f2 dst;
+  Eurydice_slice_to_array2(&dst, verification_key_hash, Eurydice_slice,
+                           uint8_t[64U]);
+  unwrap_26_4b(dst, uu____7);
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1_as_ntt[5U];
+  memcpy(
+      copy_of_s1_as_ntt, s1_as_ntt,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2_as_ntt[6U];
+  memcpy(
+      copy_of_s2_as_ntt, s2_as_ntt,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0_as_ntt[6U];
+  memcpy(
+      copy_of_t0_as_ntt, t0_as_ntt,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  tuple_f0 lit;
+  memcpy(lit.fst, uu____5, (size_t)32U * sizeof(uint8_t));
+  memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t));
+  memcpy(lit.thd, uu____7, (size_t)64U * sizeof(uint8_t));
+  memcpy(
+      lit.f3, copy_of_s1_as_ntt,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  memcpy(
+      lit.f4, copy_of_s2_as_ntt,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  memcpy(
+      lit.f5, copy_of_t0_as_ntt,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  return lit;
+}
+
+/**
+ This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm
+ 8, resp.).
+
+ If `domain_separation_context` is supplied, applies domain
+ separation and length encoding to the context string,
+ before appending the message (in the regular variant) or the
+ pre-hash OID as well as the pre-hashed message digest. Otherwise,
+ it is assumed that `message` already contains domain separation
+ information.
+
+ In FIPS 204 M' is the concatenation of the domain separated context, any
+ potential pre-hash OID and the message (or the message pre-hash). We do not
+ explicitely construct the concatenation in memory since it is of statically
+ unknown length, but feed its components directly into the incremental XOF.
+
+ Refer to line 10 of Algorithm 2 (and line 5 of Algorithm 3, resp.) in [FIPS
+ 204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#section.5)
+ for details on the domain separation for regular ML-DSA. Line
+ 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation
+ for the HashMl-DSA variant.
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.derive_message_representative with types
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics
+
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b(
+    uint8_t verification_key_hash[64U], Option_84 domain_separation_context,
+    Eurydice_slice message, uint8_t *message_representative) {
+  libcrux_sha3_portable_incremental_Shake256Xof shake =
+      libcrux_ml_dsa_hash_functions_portable_init_83();
+  libcrux_ml_dsa_hash_functions_portable_absorb_83(
+      &shake,
+      Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t));
+  if (domain_separation_context.tag == Some) {
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 =
+        domain_separation_context.f0;
+    libcrux_sha3_portable_incremental_Shake256Xof *uu____0 = &shake;
+    uint8_t buf0[1U] = {
+        (uint8_t)core_option__core__option__Option_T__TraitClause_0___is_some(
+            libcrux_ml_dsa_pre_hash_pre_hash_oid_45(
+                &domain_separation_context0),
+            uint8_t[11U], bool)};
+    libcrux_ml_dsa_hash_functions_portable_absorb_83(
+        uu____0, Eurydice_array_to_slice((size_t)1U, buf0, uint8_t));
+    libcrux_sha3_portable_incremental_Shake256Xof *uu____1 = &shake;
+    uint8_t buf[1U] = {(uint8_t)Eurydice_slice_len(
+        libcrux_ml_dsa_pre_hash_context_45(&domain_separation_context0),
+        uint8_t)};
+    libcrux_ml_dsa_hash_functions_portable_absorb_83(
+        uu____1, Eurydice_array_to_slice((size_t)1U, buf, uint8_t));
+    libcrux_ml_dsa_hash_functions_portable_absorb_83(
+        &shake,
+        libcrux_ml_dsa_pre_hash_context_45(&domain_separation_context0));
+    Option_30 *uu____2 =
+        libcrux_ml_dsa_pre_hash_pre_hash_oid_45(&domain_separation_context0);
+    if (uu____2->tag == Some) {
+      uint8_t *pre_hash_oid = uu____2->f0;
+      libcrux_ml_dsa_hash_functions_portable_absorb_83(
+          &shake, Eurydice_array_to_slice((size_t)11U, pre_hash_oid, uint8_t));
+    }
+  }
+  libcrux_ml_dsa_hash_functions_portable_absorb_final_83(&shake, message);
+  libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+      &shake,
+      Eurydice_array_to_slice((size_t)64U, message_representative, uint8_t));
+}
+
+/**
+A monomorphic instance of core.option.Option
+with types libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[5size_t]
+
+*/
+typedef struct Option_f3_s {
+  Option_d8_tags tag;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f0[5U];
+} Option_f3;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256
+with const generics
+- OUTPUT_LENGTH= 576
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_1b(
+    Eurydice_slice input, uint8_t *out) {
+  libcrux_sha3_portable_shake256(
+      Eurydice_array_to_slice((size_t)576U, out, uint8_t), input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_x4_50
+with const generics
+- OUT_LEN= 576
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_1b(
+    Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
+    Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2,
+    uint8_t *out3) {
+  libcrux_ml_dsa_hash_functions_portable_shake256_1b(input0, out0);
+  libcrux_ml_dsa_hash_functions_portable_shake256_1b(input1, out1);
+  libcrux_ml_dsa_hash_functions_portable_shake256_1b(input2, out2);
+  libcrux_ml_dsa_hash_functions_portable_shake256_1b(input3, out3);
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.portable.encoding.gamma1.deserialize with const generics
+- GAMMA1_EXPONENT= 19
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_36(
+    Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19(
+      serialized);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.gamma1_deserialize_36
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_gamma1_deserialize_36_36(
+    Eurydice_slice serialized) {
+  return libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_36(
+      serialized);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.deserialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_deserialize_61(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, result->simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_gamma1_deserialize_36_36(
+            Eurydice_slice_subslice2(
+                serialized, i0 * ((size_t)19U + (size_t)1U),
+                (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U), uint8_t));
+    result->simd_units[i0] = uu____0;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256
+with const generics
+- OUTPUT_LENGTH= 640
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_c8(
+    Eurydice_slice input, uint8_t *out) {
+  libcrux_sha3_portable_shake256(
+      Eurydice_array_to_slice((size_t)640U, out, uint8_t), input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4
+for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_x4_50
+with const generics
+- OUT_LEN= 640
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_c8(
+    Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
+    Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2,
+    uint8_t *out3) {
+  libcrux_ml_dsa_hash_functions_portable_shake256_c8(input0, out0);
+  libcrux_ml_dsa_hash_functions_portable_shake256_c8(input1, out1);
+  libcrux_ml_dsa_hash_functions_portable_shake256_c8(input2, out2);
+  libcrux_ml_dsa_hash_functions_portable_shake256_c8(input3, out3);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::portable::Shake256)#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c
+with const generics
+- OUTPUT_LENGTH= 576
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_shake256_5c_1b(Eurydice_slice input,
+                                                      uint8_t *out) {
+  libcrux_ml_dsa_hash_functions_portable_shake256_1b(input, out);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof
+for libcrux_ml_dsa::hash_functions::portable::Shake256)#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c
+with const generics
+- OUTPUT_LENGTH= 640
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_shake256_5c_c8(Eurydice_slice input,
+                                                      uint8_t *out) {
+  libcrux_ml_dsa_hash_functions_portable_shake256_c8(input, out);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_ring_element
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics
+- GAMMA1_EXPONENT= 19
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_ring_element_20(
+    uint8_t seed[66U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) {
+  uint8_t out[640U] = {0U};
+  libcrux_ml_dsa_hash_functions_portable_shake256_5c_c8(
+      Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_61(
+      Eurydice_array_to_slice((size_t)640U, out, uint8_t), result);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_vector
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics
+- DIMENSION= 5
+- GAMMA1_EXPONENT= 19
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_vector_0e(
+    uint8_t seed[66U], uint16_t *domain_separator,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b mask[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    mask[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed0[66U];
+  memcpy(copy_of_seed0, seed, (size_t)66U * sizeof(uint8_t));
+  uint8_t seed0[66U];
+  libcrux_ml_dsa_sample_update_seed(copy_of_seed0, domain_separator, seed0);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed1[66U];
+  memcpy(copy_of_seed1, seed, (size_t)66U * sizeof(uint8_t));
+  uint8_t seed1[66U];
+  libcrux_ml_dsa_sample_update_seed(copy_of_seed1, domain_separator, seed1);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed2[66U];
+  memcpy(copy_of_seed2, seed, (size_t)66U * sizeof(uint8_t));
+  uint8_t seed2[66U];
+  libcrux_ml_dsa_sample_update_seed(copy_of_seed2, domain_separator, seed2);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_seed3[66U];
+  memcpy(copy_of_seed3, seed, (size_t)66U * sizeof(uint8_t));
+  uint8_t seed3[66U];
+  libcrux_ml_dsa_sample_update_seed(copy_of_seed3, domain_separator, seed3);
+  uint8_t out0[640U] = {0U};
+  uint8_t out1[640U] = {0U};
+  uint8_t out2[640U] = {0U};
+  uint8_t out3[640U] = {0U};
+  libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_c8(
+      Eurydice_array_to_slice((size_t)66U, seed0, uint8_t),
+      Eurydice_array_to_slice((size_t)66U, seed1, uint8_t),
+      Eurydice_array_to_slice((size_t)66U, seed2, uint8_t),
+      Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, out2,
+      out3);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_61(
+      Eurydice_array_to_slice((size_t)640U, out0, uint8_t), mask);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_61(
+      Eurydice_array_to_slice((size_t)640U, out1, uint8_t), &mask[1U]);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_61(
+      Eurydice_array_to_slice((size_t)640U, out2, uint8_t), &mask[2U]);
+  libcrux_ml_dsa_encoding_gamma1_deserialize_61(
+      Eurydice_array_to_slice((size_t)640U, out3, uint8_t), &mask[3U]);
+  for (size_t i = (size_t)4U; i < (size_t)5U; i++) {
+    size_t i0 = i;
+    seed[64U] = (uint8_t)domain_separator[0U];
+    seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U);
+    domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U;
+    /* Passing arrays by value in Rust generates a copy in C */
+    uint8_t copy_of_seed[66U];
+    memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t));
+    libcrux_ml_dsa_sample_sample_mask_ring_element_20(copy_of_seed, &mask[i0]);
+  }
+  memcpy(
+      ret, mask,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask.closure
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_matrix_compute_A_times_mask_closure_2f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s) {
+  return libcrux_ml_dsa_ntt_ntt_ba(s);
+}
+
+/**
+ Compute InvertNTT(Â ◦ ŷ)
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_A_times_mask_2f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*A_as_ntt)[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *mask,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_mask[5U];
+  memcpy(
+      copy_of_mask, mask,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b mask_ntt[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    mask_ntt[i] =
+        libcrux_ml_dsa_matrix_compute_A_times_mask_closure_2f(copy_of_mask[i]);
+  }
+  for (size_t i0 = (size_t)0U;
+       i0 < Eurydice_slice_len(
+                Eurydice_array_to_slice(
+                    (size_t)6U, A_as_ntt,
+                    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]),
+                libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]);
+       i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *row = A_as_ntt[i1];
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)5U, row,
+                     libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+                 libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element =
+          &row[j];
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product =
+          libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(ring_element,
+                                                        &mask_ntt[j]);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 =
+          libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product);
+      result[i1] = uu____1;
+    }
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 =
+        libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(result[i1]);
+    result[i1] = uu____2;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.portable.arithmetic.decompose_element with const generics
+- GAMMA2= 261888
+*/
+static KRML_MUSTINLINE int32_t_x2
+libcrux_ml_dsa_simd_portable_arithmetic_decompose_element_80(int32_t r) {
+  int32_t r2 = r + (r >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS);
+  int32_t ALPHA = (int32_t)261888 * (int32_t)2;
+  int32_t ceil_of_r_by_128 = (r2 + (int32_t)127) >> 7U;
+  int32_t r1;
+  switch (ALPHA) {
+    case 190464: {
+      int32_t result =
+          (ceil_of_r_by_128 * (int32_t)11275 + ((int32_t)1 << 23U)) >> 24U;
+      r1 = (result ^ ((int32_t)43 - result) >> 31U) & result;
+      break;
+    }
+    case 523776: {
+      int32_t result =
+          (ceil_of_r_by_128 * (int32_t)1025 + ((int32_t)1 << 21U)) >> 22U;
+      r1 = result & (int32_t)15;
+      break;
+    }
+    default: {
+      KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                        "panic!");
+      KRML_HOST_EXIT(255U);
+    }
+  }
+  int32_t r0 = r2 - r1 * ALPHA;
+  r0 = r0 -
+       (((LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2 -
+         r0) >>
+            31U &
+        LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS);
+  return (CLITERAL(int32_t_x2){.fst = r0, .snd = r1});
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.decompose
+with const generics
+- GAMMA2= 261888
+*/
+static KRML_MUSTINLINE
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2
+    libcrux_ml_dsa_simd_portable_arithmetic_decompose_80(
+        libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)8U, low.coefficients, int32_t),
+               int32_t);
+       i++) {
+    size_t i0 = i;
+    int32_t_x2 uu____0 =
+        libcrux_ml_dsa_simd_portable_arithmetic_decompose_element_80(
+            simd_unit.coefficients[i0]);
+    int32_t low_part = uu____0.fst;
+    int32_t high_part = uu____0.snd;
+    low.coefficients[i0] = low_part;
+    high.coefficients[i0] = high_part;
+  }
+  return (
+      CLITERAL(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2){
+          .fst = low, .snd = high});
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.decompose_36
+with const generics
+- GAMMA2= 261888
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2
+libcrux_ml_dsa_simd_portable_decompose_36_80(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_decompose_80(simd_unit);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.decompose_vector
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 6
+- GAMMA2= 261888
+*/
+static KRML_MUSTINLINE
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2
+    libcrux_ml_dsa_arithmetic_decompose_vector_2f(
+        libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector_low[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    vector_low[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector_high[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    vector_high[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) {
+    size_t i1 = i0;
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)32U, vector_low->simd_units,
+                     libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+                 libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 uu____0 =
+          libcrux_ml_dsa_simd_portable_decompose_36_80(t[i1].simd_units[j]);
+      libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low =
+          uu____0.fst;
+      libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high =
+          uu____0.snd;
+      vector_low[i1].simd_units[j] = low;
+      vector_high[i1].simd_units[j] = high;
+    }
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_vector_low[6U];
+  memcpy(
+      copy_of_vector_low, vector_low,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_vector_high[6U];
+  memcpy(
+      copy_of_vector_high, vector_high,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2
+      lit;
+  memcpy(
+      lit.fst, copy_of_vector_low,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  memcpy(
+      lit.snd, copy_of_vector_high,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re,
+    Eurydice_slice serialized) {
+  size_t output_bytes_per_simd_unit =
+      Eurydice_slice_len(serialized, uint8_t) / ((size_t)8U * (size_t)4U);
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, re.simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit =
+        &re.simd_units[i0];
+    libcrux_ml_dsa_simd_portable_commitment_serialize_36(
+        simd_unit[0U],
+        Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit,
+                                 (i0 + (size_t)1U) * output_bytes_per_simd_unit,
+                                 uint8_t));
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize_vector
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 6
+- RING_ELEMENT_SIZE= 128
+- OUTPUT_SIZE= 768
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_encoding_commitment_serialize_vector_5d(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector[6U],
+    uint8_t ret[768U]) {
+  uint8_t serialized[768U] = {0U};
+  size_t offset = (size_t)0U;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element =
+        &vector[_cloop_j];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        ring_element[0U];
+    libcrux_ml_dsa_encoding_commitment_serialize_ba(
+        uu____0, Eurydice_array_to_subslice2(serialized, offset,
+                                             offset + (size_t)128U, uint8_t));
+    offset = offset + (size_t)128U;
+  }
+  memcpy(ret, serialized, (size_t)768U * sizeof(uint8_t));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.sample.sample_challenge_ring_element
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics
+- NUMBER_OF_ONES= 49
+- SEED_SIZE= 48
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_sample_sample_challenge_ring_element_83(uint8_t seed[48U]) {
+  libcrux_sha3_portable_KeccakState state =
+      libcrux_ml_dsa_hash_functions_portable_init_absorb_final_5c(
+          Eurydice_array_to_slice((size_t)48U, seed, uint8_t));
+  uint8_t randomness0[136U];
+  libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_5c(&state,
+                                                                randomness0);
+  uint8_t ret[8U];
+  Result_15 dst;
+  Eurydice_slice_to_array2(
+      &dst,
+      Eurydice_array_to_subslice2(randomness0, (size_t)0U, (size_t)8U, uint8_t),
+      Eurydice_slice, uint8_t[8U]);
+  unwrap_26_68(dst, ret);
+  uint64_t signs = core_num__u64_9__from_le_bytes(ret);
+  int32_t result[256U] = {0U};
+  size_t out_index =
+      Eurydice_slice_len(Eurydice_array_to_slice((size_t)256U, result, int32_t),
+                         int32_t) -
+      (size_t)49U;
+  Eurydice_slice uu____0 = Eurydice_array_to_subslice_from(
+      (size_t)136U, randomness0, (size_t)8U, uint8_t, size_t);
+  bool done = libcrux_ml_dsa_sample_inside_out_shuffle(uu____0, &out_index,
+                                                       &signs, result);
+  while (true) {
+    if (done) {
+      break;
+    } else {
+      uint8_t randomness[136U];
+      libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_5c(&state,
+                                                                   randomness);
+      done = libcrux_ml_dsa_sample_inside_out_shuffle(
+          Eurydice_array_to_slice((size_t)136U, randomness, uint8_t),
+          &out_index, &signs, result);
+    }
+  }
+  return libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(
+      Eurydice_array_to_slice((size_t)256U, result, int32_t));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 5
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_4f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)5U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector_ring_element =
+        &vector[i0];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(
+            libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(vector_ring_element,
+                                                          ring_element));
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_07(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector_ring_element =
+        &vector[i0];
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(
+            libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(vector_ring_element,
+                                                          ring_element));
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 5
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_4f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        libcrux_ml_dsa_polynomial_add_ff_ba(&lhs[i0], &rhs[i0]);
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.subtract_ff
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_polynomial_subtract_ff_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b difference =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, difference.simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_subtract_36(&self->simd_units[i0],
+                                                 &rhs->simd_units[i0]);
+    difference.simd_units[i0] = uu____0;
+  }
+  return difference;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.subtract_vectors
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_subtract_vectors_07(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        libcrux_ml_dsa_polynomial_subtract_ff_ba(&lhs[i0], &rhs[i0]);
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.infinity_norm_exceeds_ff
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static inline bool libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self, int32_t bound) {
+  bool exceeds = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, self->simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    bool uu____0;
+    if (exceeds) {
+      uu____0 = true;
+    } else {
+      uu____0 = libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_36(
+          self->simd_units[i0], bound);
+    }
+    exceeds = uu____0;
+  }
+  return exceeds;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 5
+*/
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_4f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector[5U],
+    int32_t bound) {
+  bool exceeds = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)5U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element =
+        &vector[_cloop_j];
+    bool uu____0;
+    if (exceeds) {
+      uu____0 = true;
+    } else {
+      uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ba(
+          ring_element, bound);
+    }
+    exceeds = uu____0;
+  }
+  return exceeds;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+static KRML_MUSTINLINE bool
+libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_07(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector[6U],
+    int32_t bound) {
+  bool exceeds = false;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)6U, vector,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t _cloop_j = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element =
+        &vector[_cloop_j];
+    bool uu____0;
+    if (exceeds) {
+      uu____0 = true;
+    } else {
+      uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ba(
+          ring_element, bound);
+    }
+    exceeds = uu____0;
+  }
+  return exceeds;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 6
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_07(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        libcrux_ml_dsa_polynomial_add_ff_ba(&lhs[i0], &rhs[i0]);
+    result[i0] = uu____0;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+A monomorphic instance of K.
+with types size_t, libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+
+*/
+typedef struct tuple_ca_s {
+  size_t fst;
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit snd;
+} tuple_ca;
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.portable.arithmetic.compute_one_hint with const generics
+- GAMMA2= 261888
+*/
+static KRML_MUSTINLINE int32_t
+libcrux_ml_dsa_simd_portable_arithmetic_compute_one_hint_80(int32_t low,
+                                                            int32_t high) {
+  int32_t uu____0;
+  if (!(low > (int32_t)261888)) {
+    if (!(low < -(int32_t)261888)) {
+      if (low == -(int32_t)261888) {
+        if (!(high != (int32_t)0)) {
+          uu____0 = (int32_t)0;
+          return uu____0;
+        }
+      } else {
+        uu____0 = (int32_t)0;
+        return uu____0;
+      }
+    }
+  }
+  uu____0 = (int32_t)1;
+  return uu____0;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.compute_hint
+with const generics
+- GAMMA2= 261888
+*/
+static KRML_MUSTINLINE tuple_ca
+libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit hint =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  size_t one_hints_count = (size_t)0U;
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice((size_t)8U, hint.coefficients, int32_t),
+               int32_t);
+       i++) {
+    size_t i0 = i;
+    hint.coefficients[i0] =
+        libcrux_ml_dsa_simd_portable_arithmetic_compute_one_hint_80(
+            low.coefficients[i0], high.coefficients[i0]);
+    one_hints_count = one_hints_count + (size_t)hint.coefficients[i0];
+  }
+  return (CLITERAL(tuple_ca){.fst = one_hints_count, .snd = hint});
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.compute_hint_36
+with const generics
+- GAMMA2= 261888
+*/
+static inline tuple_ca libcrux_ml_dsa_simd_portable_compute_hint_36_80(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80(low, high);
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::polynomial::PolynomialRingElement<SIMDUnit>[TraitClause@0,
+TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.polynomial.to_i32_array_ff
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_ba(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self,
+    int32_t ret[256U]) {
+  int32_t result[256U] = {0U};
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, self->simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit =
+        &self->simd_units[i0];
+    Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+        result, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT,
+        (i0 + (size_t)1U) *
+            LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT,
+        int32_t);
+    int32_t ret0[8U];
+    libcrux_ml_dsa_simd_portable_to_coefficient_array_36(simd_unit, ret0);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret0, int32_t), int32_t);
+  }
+  memcpy(ret, result, (size_t)256U * sizeof(int32_t));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.make_hint
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 6
+- GAMMA2= 261888
+*/
+static KRML_MUSTINLINE tuple_e6 libcrux_ml_dsa_arithmetic_make_hint_2f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b low[6U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b high[6U]) {
+  int32_t hint[6U][256U] = {{0U}};
+  size_t true_hints = (size_t)0U;
+  for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b hint_simd =
+        libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)32U, hint_simd.simd_units,
+                     libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+                 libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+         i++) {
+      size_t j = i;
+      tuple_ca uu____0 = libcrux_ml_dsa_simd_portable_compute_hint_36_80(
+          low[i1].simd_units[j], high[i1].simd_units[j]);
+      size_t one_hints_count = uu____0.fst;
+      libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit current_hint =
+          uu____0.snd;
+      hint_simd.simd_units[j] = current_hint;
+      true_hints = true_hints + one_hints_count;
+    }
+    int32_t uu____1[256U];
+    libcrux_ml_dsa_polynomial_to_i32_array_ff_ba(&hint_simd, uu____1);
+    memcpy(hint[i1], uu____1, (size_t)256U * sizeof(int32_t));
+  }
+  /* Passing arrays by value in Rust generates a copy in C */
+  int32_t copy_of_hint[6U][256U];
+  memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U]));
+  tuple_e6 lit;
+  memcpy(lit.fst, copy_of_hint, (size_t)6U * sizeof(int32_t[256U]));
+  lit.snd = true_hints;
+  return lit;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.signature.Signature
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- $48size_t
+- $5size_t
+- $6size_t
+*/
+typedef struct libcrux_ml_dsa_encoding_signature_Signature_44_s {
+  uint8_t commitment_hash[48U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U];
+  int32_t hint[6U][256U];
+} libcrux_ml_dsa_encoding_signature_Signature_44;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.encoding.gamma1.serialize
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19(
+      simd_unit, serialized);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.gamma1_serialize_36
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+static inline void libcrux_ml_dsa_simd_portable_gamma1_serialize_36_36(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    Eurydice_slice serialized) {
+  libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_36(simd_unit,
+                                                            serialized);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.serialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- GAMMA1_EXPONENT= 19
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_serialize_61(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re,
+    Eurydice_slice serialized) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, re.simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit =
+        &re.simd_units[i0];
+    libcrux_ml_dsa_simd_portable_gamma1_serialize_36_36(
+        simd_unit[0U],
+        Eurydice_slice_subslice2(serialized, i0 * ((size_t)19U + (size_t)1U),
+                                 (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U),
+                                 uint8_t));
+  }
+}
+
+/**
+This function found in impl
+{libcrux_ml_dsa::encoding::signature::Signature<SIMDUnit, COMMITMENT_HASH_SIZE,
+COLUMNS_IN_A, ROWS_IN_A>[TraitClause@0, TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.signature.serialize_92
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- COMMITMENT_HASH_SIZE= 48
+- COLUMNS_IN_A= 5
+- ROWS_IN_A= 6
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- MAX_ONES_IN_HINT= 55
+- SIGNATURE_SIZE= 3309
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_92_76(
+    libcrux_ml_dsa_encoding_signature_Signature_44 *self, uint8_t ret[3309U]) {
+  uint8_t signature[3309U] = {0U};
+  size_t offset = (size_t)0U;
+  Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+      signature, offset, offset + (size_t)48U, uint8_t);
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_slice((size_t)48U, self->commitment_hash, uint8_t),
+      uint8_t);
+  offset = offset + (size_t)48U;
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 =
+        self->signer_response[i0];
+    libcrux_ml_dsa_encoding_gamma1_serialize_61(
+        uu____1, Eurydice_array_to_subslice2(signature, offset,
+                                             offset + (size_t)640U, uint8_t));
+    offset = offset + (size_t)640U;
+  }
+  size_t true_hints_seen = (size_t)0U;
+  for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) {
+    size_t i1 = i0;
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice((size_t)256U, self->hint[i1], int32_t),
+                 int32_t);
+         i++) {
+      size_t j = i;
+      if (self->hint[i1][j] == (int32_t)1) {
+        signature[offset + true_hints_seen] = (uint8_t)j;
+        true_hints_seen++;
+      }
+    }
+    signature[offset + (size_t)55U + i1] = (uint8_t)true_hints_seen;
+  }
+  memcpy(ret, signature, (size_t)3309U * sizeof(uint8_t));
+}
+
+/**
+ The internal signing API.
+
+ If no `domain_separation_context` is supplied, it is assumed that
+ `message` already contains the domain separation.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_samplex4_portable_PortableSampler,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4,
+libcrux_ml_dsa_hash_functions_portable_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f(
+    uint8_t *signing_key, Eurydice_slice message,
+    Option_84 domain_separation_context, uint8_t randomness[32U]) {
+  tuple_f0 uu____0 =
+      libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_c6(signing_key);
+  uint8_t seed_for_A[32U];
+  memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t));
+  uint8_t seed_for_signing[32U];
+  memcpy(seed_for_signing, uu____0.snd, (size_t)32U * sizeof(uint8_t));
+  uint8_t verification_key_hash[64U];
+  memcpy(verification_key_hash, uu____0.thd, (size_t)64U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_as_ntt[5U];
+  memcpy(
+      s1_as_ntt, uu____0.f3,
+      (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2_as_ntt[6U];
+  memcpy(
+      s2_as_ntt, uu____0.f4,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0_as_ntt[6U];
+  memcpy(
+      t0_as_ntt, uu____0.f5,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A_as_ntt[6U][5U];
+  uint8_t ret[34U];
+  libcrux_ml_dsa_utils_into_padded_array_b6(
+      Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret);
+  libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(ret, A_as_ntt);
+  uint8_t message_representative[64U] = {0U};
+  uint8_t uu____1[64U];
+  memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t));
+  libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b(
+      uu____1, domain_separation_context, message, message_representative);
+  uint8_t mask_seed[64U] = {0U};
+  libcrux_sha3_portable_incremental_Shake256Xof shake0 =
+      libcrux_ml_dsa_hash_functions_portable_init_83();
+  libcrux_ml_dsa_hash_functions_portable_absorb_83(
+      &shake0, Eurydice_array_to_slice((size_t)32U, seed_for_signing, uint8_t));
+  libcrux_ml_dsa_hash_functions_portable_absorb_83(
+      &shake0, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t));
+  libcrux_ml_dsa_hash_functions_portable_absorb_final_83(
+      &shake0,
+      Eurydice_array_to_slice((size_t)64U, message_representative, uint8_t));
+  libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+      &shake0, Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t));
+  uint16_t domain_separator_for_mask = 0U;
+  int32_t BETA = (int32_t)((size_t)49U * (size_t)4U);
+  size_t attempt = (size_t)0U;
+  Option_67 commitment_hash0 = {.tag = None};
+  Option_f3 signer_response0 = {.tag = None};
+  Option_f0 hint0 = {.tag = None};
+  while (true) {
+    if (attempt < LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN) {
+      attempt++;
+      uint8_t uu____2[66U];
+      libcrux_ml_dsa_utils_into_padded_array_20(
+          Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t), uu____2);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b mask[5U];
+      libcrux_ml_dsa_sample_sample_mask_vector_0e(
+          uu____2, &domain_separator_for_mask, mask);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A_times_mask[6U];
+      libcrux_ml_dsa_matrix_compute_A_times_mask_2f(A_as_ntt, mask,
+                                                    A_times_mask);
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+          copy_of_A_times_mask[6U];
+      memcpy(copy_of_A_times_mask, A_times_mask,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2
+          uu____4 = libcrux_ml_dsa_arithmetic_decompose_vector_2f(
+              copy_of_A_times_mask);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b w0[6U];
+      memcpy(w0, uu____4.fst,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b commitment[6U];
+      memcpy(commitment, uu____4.snd,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      uint8_t commitment_hash_candidate[48U] = {0U};
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+          copy_of_commitment0[6U];
+      memcpy(copy_of_commitment0, commitment,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      uint8_t commitment_serialized[768U];
+      libcrux_ml_dsa_encoding_commitment_serialize_vector_5d(
+          copy_of_commitment0, commitment_serialized);
+      libcrux_sha3_portable_incremental_Shake256Xof shake =
+          libcrux_ml_dsa_hash_functions_portable_init_83();
+      libcrux_ml_dsa_hash_functions_portable_absorb_83(
+          &shake, Eurydice_array_to_slice((size_t)64U, message_representative,
+                                          uint8_t));
+      libcrux_ml_dsa_hash_functions_portable_absorb_final_83(
+          &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized,
+                                          uint8_t));
+      libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+          &shake, Eurydice_array_to_slice((size_t)48U,
+                                          commitment_hash_candidate, uint8_t));
+      /* Passing arrays by value in Rust generates a copy in C */
+      uint8_t copy_of_commitment_hash_candidate[48U];
+      memcpy(copy_of_commitment_hash_candidate, commitment_hash_candidate,
+             (size_t)48U * sizeof(uint8_t));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+          verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ba(
+              libcrux_ml_dsa_sample_sample_challenge_ring_element_83(
+                  copy_of_commitment_hash_candidate));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b challenge_times_s1[5U];
+      libcrux_ml_dsa_matrix_vector_times_ring_element_4f(
+          s1_as_ntt, &verifier_challenge_as_ntt, challenge_times_s1);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b challenge_times_s2[6U];
+      libcrux_ml_dsa_matrix_vector_times_ring_element_07(
+          s2_as_ntt, &verifier_challenge_as_ntt, challenge_times_s2);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+          signer_response_candidate[5U];
+      libcrux_ml_dsa_matrix_add_vectors_4f(mask, challenge_times_s1,
+                                           signer_response_candidate);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+          w0_minus_challenge_times_s2[6U];
+      libcrux_ml_dsa_matrix_subtract_vectors_07(w0, challenge_times_s2,
+                                                w0_minus_challenge_times_s2);
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+          copy_of_signer_response_candidate[5U];
+      memcpy(copy_of_signer_response_candidate, signer_response_candidate,
+             (size_t)5U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_4f(
+              copy_of_signer_response_candidate,
+              ((int32_t)1 << (uint32_t)(size_t)19U) - BETA)) {
+        /* Passing arrays by value in Rust generates a copy in C */
+        libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+            copy_of_w0_minus_challenge_times_s2[6U];
+        memcpy(copy_of_w0_minus_challenge_times_s2, w0_minus_challenge_times_s2,
+               (size_t)6U *
+                   sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+        if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_07(
+                copy_of_w0_minus_challenge_times_s2, (int32_t)261888 - BETA)) {
+          libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+              challenge_times_t0[6U];
+          libcrux_ml_dsa_matrix_vector_times_ring_element_07(
+              t0_as_ntt, &verifier_challenge_as_ntt, challenge_times_t0);
+          /* Passing arrays by value in Rust generates a copy in C */
+          libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+              copy_of_challenge_times_t0[6U];
+          memcpy(
+              copy_of_challenge_times_t0, challenge_times_t0,
+              (size_t)6U *
+                  sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+          if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_07(
+                  copy_of_challenge_times_t0, (int32_t)261888)) {
+            libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+                w0_minus_c_times_s2_plus_c_times_t0[6U];
+            libcrux_ml_dsa_matrix_add_vectors_07(
+                w0_minus_challenge_times_s2, challenge_times_t0,
+                w0_minus_c_times_s2_plus_c_times_t0);
+            /* Passing arrays by value in Rust generates a copy in C */
+            libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+                copy_of_w0_minus_c_times_s2_plus_c_times_t0[6U];
+            memcpy(
+                copy_of_w0_minus_c_times_s2_plus_c_times_t0,
+                w0_minus_c_times_s2_plus_c_times_t0,
+                (size_t)6U *
+                    sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+            /* Passing arrays by value in Rust generates a copy in C */
+            libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+                copy_of_commitment[6U];
+            memcpy(
+                copy_of_commitment, commitment,
+                (size_t)6U *
+                    sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+            tuple_e6 uu____12 = libcrux_ml_dsa_arithmetic_make_hint_2f(
+                copy_of_w0_minus_c_times_s2_plus_c_times_t0,
+                copy_of_commitment);
+            int32_t hint_candidate[6U][256U];
+            memcpy(hint_candidate, uu____12.fst,
+                   (size_t)6U * sizeof(int32_t[256U]));
+            size_t ones_in_hint = uu____12.snd;
+            if (!(ones_in_hint > (size_t)55U)) {
+              attempt = LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN;
+              /* Passing arrays by value in Rust generates a copy in C */
+              uint8_t copy_of_commitment_hash_candidate0[48U];
+              memcpy(copy_of_commitment_hash_candidate0,
+                     commitment_hash_candidate, (size_t)48U * sizeof(uint8_t));
+              Option_67 lit0;
+              lit0.tag = Some;
+              memcpy(lit0.f0, copy_of_commitment_hash_candidate0,
+                     (size_t)48U * sizeof(uint8_t));
+              commitment_hash0 = lit0;
+              /* Passing arrays by value in Rust generates a copy in C */
+              libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+                  copy_of_signer_response_candidate0[5U];
+              memcpy(
+                  copy_of_signer_response_candidate0, signer_response_candidate,
+                  (size_t)5U *
+                      sizeof(
+                          libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+              Option_f3 lit1;
+              lit1.tag = Some;
+              memcpy(
+                  lit1.f0, copy_of_signer_response_candidate0,
+                  (size_t)5U *
+                      sizeof(
+                          libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+              signer_response0 = lit1;
+              /* Passing arrays by value in Rust generates a copy in C */
+              int32_t copy_of_hint_candidate[6U][256U];
+              memcpy(copy_of_hint_candidate, hint_candidate,
+                     (size_t)6U * sizeof(int32_t[256U]));
+              Option_f0 lit;
+              lit.tag = Some;
+              memcpy(lit.f0, copy_of_hint_candidate,
+                     (size_t)6U * sizeof(int32_t[256U]));
+              hint0 = lit;
+            }
+          }
+        }
+      }
+    } else {
+      break;
+    }
+  }
+  Result_2e uu____16;
+  if (commitment_hash0.tag == None) {
+    uu____16 = (CLITERAL(Result_2e){
+        .tag = Err,
+        .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}});
+  } else {
+    uint8_t commitment_hash1[48U];
+    memcpy(commitment_hash1, commitment_hash0.f0,
+           (size_t)48U * sizeof(uint8_t));
+    uint8_t commitment_hash[48U];
+    memcpy(commitment_hash, commitment_hash1, (size_t)48U * sizeof(uint8_t));
+    if (signer_response0.tag == None) {
+      uu____16 = (CLITERAL(Result_2e){
+          .tag = Err,
+          .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}});
+    } else {
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response1[5U];
+      memcpy(signer_response1, signer_response0.f0,
+             (size_t)5U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U];
+      memcpy(signer_response, signer_response1,
+             (size_t)5U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      if (hint0.tag == None) {
+        uu____16 = (CLITERAL(Result_2e){
+            .tag = Err,
+            .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}});
+      } else {
+        int32_t hint1[6U][256U];
+        memcpy(hint1, hint0.f0, (size_t)6U * sizeof(int32_t[256U]));
+        int32_t hint[6U][256U];
+        memcpy(hint, hint1, (size_t)6U * sizeof(int32_t[256U]));
+        /* Passing arrays by value in Rust generates a copy in C */
+        uint8_t copy_of_commitment_hash[48U];
+        memcpy(copy_of_commitment_hash, commitment_hash,
+               (size_t)48U * sizeof(uint8_t));
+        /* Passing arrays by value in Rust generates a copy in C */
+        libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+            copy_of_signer_response[5U];
+        memcpy(copy_of_signer_response, signer_response,
+               (size_t)5U *
+                   sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+        /* Passing arrays by value in Rust generates a copy in C */
+        int32_t copy_of_hint[6U][256U];
+        memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U]));
+        uint8_t signature[3309U];
+        libcrux_ml_dsa_encoding_signature_Signature_44 lit0;
+        memcpy(lit0.commitment_hash, copy_of_commitment_hash,
+               (size_t)48U * sizeof(uint8_t));
+        memcpy(lit0.signer_response, copy_of_signer_response,
+               (size_t)5U *
+                   sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+        memcpy(lit0.hint, copy_of_hint, (size_t)6U * sizeof(int32_t[256U]));
+        libcrux_ml_dsa_encoding_signature_serialize_92_76(&lit0, signature);
+        /* Passing arrays by value in Rust generates a copy in C */
+        uint8_t copy_of_signature[3309U];
+        memcpy(copy_of_signature, signature, (size_t)3309U * sizeof(uint8_t));
+        Result_2e lit;
+        lit.tag = Ok;
+        lit.val.case_Ok = libcrux_ml_dsa_types_new_8f_fa(copy_of_signature);
+        uu____16 = lit;
+        return uu____16;
+      }
+    }
+  }
+  return uu____16;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_samplex4_portable_PortableSampler,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4,
+libcrux_ml_dsa_hash_functions_portable_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_3f(
+    uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t randomness[32U]) {
+  Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45(
+      context, (CLITERAL(Option_30){.tag = None}));
+  Result_2e uu____1;
+  if (uu____0.tag == Ok) {
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok;
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context =
+        dsc;
+    uint8_t *uu____2 = signing_key;
+    Eurydice_slice uu____3 = message;
+    Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context};
+    /* Passing arrays by value in Rust generates a copy in C */
+    uint8_t copy_of_randomness[32U];
+    memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+    uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f(
+        uu____2, uu____3, uu____4, copy_of_randomness);
+  } else {
+    uu____1 = (CLITERAL(Result_2e){
+        .tag = Err,
+        .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}});
+  }
+  return uu____1;
+}
+
+/**
+ Sign.
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+static inline Result_2e
+libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3(
+    uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t randomness[32U]) {
+  uint8_t *uu____0 = signing_key;
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_sign_3f(uu____0, uu____1, uu____2,
+                                               copy_of_randomness);
+}
+
+/**
+ Generate an ML-DSA-65 Signature
+
+ The parameter `context` is used for domain separation
+ and is a byte string of length at most 255 bytes. It
+ may also be empty.
+*/
+static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign(
+    libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key,
+    Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) {
+  uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key);
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3(
+      uu____0, uu____1, uu____2, copy_of_randomness);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake128
+with const generics
+- OUTPUT_LENGTH= 256
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake128_6b(
+    Eurydice_slice input, uint8_t *out) {
+  libcrux_sha3_portable_shake128(
+      Eurydice_array_to_slice((size_t)256U, out, uint8_t), input);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::Xof for
+libcrux_ml_dsa::hash_functions::portable::Shake128)#1}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake128_a0
+with const generics
+- OUTPUT_LENGTH= 256
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_dsa_hash_functions_portable_shake128_a0_6b(Eurydice_slice input,
+                                                      uint8_t *out) {
+  libcrux_ml_dsa_hash_functions_portable_shake128_6b(input, out);
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash<256: usize> for
+libcrux_ml_dsa::pre_hash::SHAKE128_PH)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.pre_hash.hash_bd
+with types libcrux_ml_dsa_hash_functions_portable_Shake128
+with const generics
+
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_pre_hash_hash_bd_54(
+    Eurydice_slice message, uint8_t ret[256U]) {
+  uint8_t output[256U] = {0U};
+  libcrux_ml_dsa_hash_functions_portable_shake128_a0_6b(message, output);
+  memcpy(ret, output, (size_t)256U * sizeof(uint8_t));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_samplex4_portable_PortableSampler,
+libcrux_ml_dsa_hash_functions_portable_Shake128,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4,
+libcrux_ml_dsa_hash_functions_portable_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_hash_functions_portable_Shake256X4,
+libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics
+- PH_DIGEST_LEN= 256
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+static KRML_MUSTINLINE Result_2e
+libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_da(uint8_t *signing_key,
+                                                 Eurydice_slice message,
+                                                 Eurydice_slice context,
+                                                 uint8_t randomness[32U]) {
+  Result_2e uu____0;
+  if (Eurydice_slice_len(context, uint8_t) >
+      LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) {
+    uu____0 = (CLITERAL(Result_2e){
+        .tag = Err,
+        .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}});
+  } else {
+    uint8_t pre_hashed_message[256U];
+    libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message);
+    Eurydice_slice uu____1 = context;
+    Option_30 lit;
+    lit.tag = Some;
+    uint8_t ret[11U];
+    libcrux_ml_dsa_pre_hash_oid_bd(ret);
+    memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t));
+    Result_a8 uu____2 = libcrux_ml_dsa_pre_hash_new_45(uu____1, lit);
+    if (uu____2.tag == Ok) {
+      libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____2.val.case_Ok;
+      libcrux_ml_dsa_pre_hash_DomainSeparationContext
+          domain_separation_context = dsc;
+      uint8_t *uu____3 = signing_key;
+      Eurydice_slice uu____4 =
+          Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t);
+      Option_84 uu____5 = {.tag = Some, .f0 = domain_separation_context};
+      /* Passing arrays by value in Rust generates a copy in C */
+      uint8_t copy_of_randomness[32U];
+      memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+      uu____0 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f(
+          uu____3, uu____4, uu____5, copy_of_randomness);
+    } else {
+      uu____0 = (CLITERAL(Result_2e){
+          .tag = Err,
+          .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}});
+    }
+  }
+  return uu____0;
+}
+
+/**
+ Sign (pre-hashed).
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign_pre_hashed_shake128
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- ETA= 4
+- ERROR_RING_ELEMENT_SIZE= 128
+- GAMMA1_EXPONENT= 19
+- GAMMA2= 261888
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- SIGNING_KEY_SIZE= 4032
+- SIGNATURE_SIZE= 3309
+*/
+static inline Result_2e
+libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3(
+    uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t randomness[32U]) {
+  uint8_t *uu____0 = signing_key;
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_da(
+      uu____0, uu____1, uu____2, copy_of_randomness);
+}
+
+/**
+ Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing
+
+ The parameter `context` is used for domain separation
+ and is a byte string of length at most 255 bytes. It
+ may also be empty.
+*/
+static inline Result_2e
+libcrux_ml_dsa_ml_dsa_65_portable_sign_pre_hashed_shake128(
+    libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key,
+    Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) {
+  uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key);
+  Eurydice_slice uu____1 = message;
+  Eurydice_slice uu____2 = context;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_randomness[32U];
+  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3(
+      uu____0, uu____1, uu____2, copy_of_randomness);
+}
+
+/**
+A monomorphic instance of K.
+with types uint8_t[32size_t], libcrux_ml_dsa_polynomial_PolynomialRingElement
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t]
+
+*/
+typedef struct tuple_93_s {
+  uint8_t fst[32U];
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U];
+} tuple_93;
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.t1.deserialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+
+*/
+static inline void libcrux_ml_dsa_encoding_t1_deserialize_ba(
+    Eurydice_slice serialized,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) {
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, result->simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_t1_deserialize_36(Eurydice_slice_subslice2(
+            serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW,
+            (i0 + (size_t)1U) * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW,
+            uint8_t));
+    result->simd_units[i0] = uu____0;
+  }
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.verification_key.deserialize
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- VERIFICATION_KEY_SIZE= 1952
+*/
+static KRML_MUSTINLINE tuple_93
+libcrux_ml_dsa_encoding_verification_key_deserialize_2f(uint8_t *serialized) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
+      Eurydice_array_to_slice((size_t)1952U, serialized, uint8_t),
+      LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t,
+      Eurydice_slice_uint8_t_x2);
+  Eurydice_slice seed_for_A = uu____0.fst;
+  Eurydice_slice serialized_remaining = uu____0.snd;
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_encoding_t1_deserialize_ba(
+        Eurydice_slice_subslice2(
+            serialized_remaining,
+            i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE,
+            (i0 + (size_t)1U) *
+                LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE,
+            uint8_t),
+        &t1[i0]);
+  }
+  uint8_t uu____1[32U];
+  Result_fb dst;
+  Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U]);
+  unwrap_26_b3(dst, uu____1);
+  /* Passing arrays by value in Rust generates a copy in C */
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U];
+  memcpy(
+      copy_of_t1, t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  tuple_93 lit;
+  memcpy(lit.fst, uu____1, (size_t)32U * sizeof(uint8_t));
+  memcpy(
+      lit.snd, copy_of_t1,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  return lit;
+}
+
+/**
+A monomorphic instance of core.result.Result
+with types libcrux_ml_dsa_encoding_signature_Signature
+libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[[$6size_t]][[$5size_t]][[$48size_t]],
+libcrux_ml_dsa_types_VerificationError
+
+*/
+typedef struct Result_ef_s {
+  Result_a9_tags tag;
+  union {
+    libcrux_ml_dsa_encoding_signature_Signature_44 case_Ok;
+    libcrux_ml_dsa_types_VerificationError case_Err;
+  } val;
+} Result_ef;
+
+/**
+This function found in impl
+{libcrux_ml_dsa::encoding::signature::Signature<SIMDUnit, COMMITMENT_HASH_SIZE,
+COLUMNS_IN_A, ROWS_IN_A>[TraitClause@0, TraitClause@1]}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.encoding.signature.deserialize_92
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- COMMITMENT_HASH_SIZE= 48
+- COLUMNS_IN_A= 5
+- ROWS_IN_A= 6
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- MAX_ONES_IN_HINT= 55
+- SIGNATURE_SIZE= 3309
+*/
+static KRML_MUSTINLINE Result_ef
+libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) {
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
+      Eurydice_array_to_slice((size_t)3309U, serialized, uint8_t), (size_t)48U,
+      uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice commitment_hash = uu____0.fst;
+  Eurydice_slice rest_of_serialized = uu____0.snd;
+  Eurydice_slice_uint8_t_x2 uu____1 =
+      Eurydice_slice_split_at(rest_of_serialized, (size_t)640U * (size_t)5U,
+                              uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice signer_response_serialized = uu____1.fst;
+  Eurydice_slice hint_serialized = uu____1.snd;
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U];
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    signer_response[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_encoding_gamma1_deserialize_61(
+        Eurydice_slice_subslice2(signer_response_serialized, i0 * (size_t)640U,
+                                 (i0 + (size_t)1U) * (size_t)640U, uint8_t),
+        &signer_response[i0]);
+  }
+  int32_t hint[6U][256U] = {{0U}};
+  size_t previous_true_hints_seen = (size_t)0U;
+  size_t i = (size_t)0U;
+  bool malformed_hint = false;
+  while (true) {
+    if (i < (size_t)6U) {
+      if (malformed_hint) {
+        break;
+      } else {
+        size_t current_true_hints_seen = (size_t)Eurydice_slice_index(
+            hint_serialized, (size_t)55U + i, uint8_t, uint8_t *);
+        size_t j;
+        bool uu____2;
+        bool uu____3;
+        size_t uu____4;
+        size_t uu____5;
+        bool uu____6;
+        size_t uu____7;
+        size_t uu____8;
+        bool uu____9;
+        uint8_t uu____10;
+        size_t uu____11;
+        uint8_t uu____12;
+        size_t uu____13;
+        size_t uu____14;
+        bool uu____15;
+        size_t uu____16;
+        size_t uu____17;
+        uint8_t uu____18;
+        size_t uu____19;
+        bool uu____20;
+        size_t uu____21;
+        if (!(current_true_hints_seen < previous_true_hints_seen)) {
+          if (!(previous_true_hints_seen > (size_t)55U)) {
+            j = previous_true_hints_seen;
+            while (true) {
+              uu____2 = malformed_hint;
+              if (uu____2) {
+                break;
+              } else {
+                uu____4 = j;
+                uu____5 = current_true_hints_seen;
+                uu____3 = uu____4 < uu____5;
+                if (uu____3) {
+                  uu____7 = j;
+                  uu____8 = previous_true_hints_seen;
+                  uu____6 = uu____7 > uu____8;
+                  if (uu____6) {
+                    uu____11 = j;
+                    uu____10 = Eurydice_slice_index(hint_serialized, uu____11,
+                                                    uint8_t, uint8_t *);
+                    uu____14 = j;
+                    uu____13 = uu____14 - (size_t)1U;
+                    uu____12 = Eurydice_slice_index(hint_serialized, uu____13,
+                                                    uint8_t, uint8_t *);
+                    uu____9 = uu____10 <= uu____12;
+                    if (uu____9) {
+                      malformed_hint = true;
+                      uu____15 = malformed_hint;
+                      if (!uu____15) {
+                        uu____16 = i;
+                        uu____19 = j;
+                        uu____18 = Eurydice_slice_index(
+                            hint_serialized, uu____19, uint8_t, uint8_t *);
+                        uu____17 = (size_t)uu____18;
+                        hint[uu____16][uu____17] = (int32_t)1;
+                        j++;
+                      }
+                      continue;
+                    }
+                  }
+                  uu____15 = malformed_hint;
+                  if (!uu____15) {
+                    uu____16 = i;
+                    uu____19 = j;
+                    uu____18 = Eurydice_slice_index(hint_serialized, uu____19,
+                                                    uint8_t, uint8_t *);
+                    uu____17 = (size_t)uu____18;
+                    hint[uu____16][uu____17] = (int32_t)1;
+                    j++;
+                  }
+                } else {
+                  break;
+                }
+              }
+            }
+            uu____20 = malformed_hint;
+            if (!uu____20) {
+              uu____21 = current_true_hints_seen;
+              previous_true_hints_seen = uu____21;
+              i++;
+            }
+            continue;
+          }
+        }
+        malformed_hint = true;
+        j = previous_true_hints_seen;
+        while (true) {
+          uu____2 = malformed_hint;
+          if (uu____2) {
+            break;
+          } else {
+            uu____4 = j;
+            uu____5 = current_true_hints_seen;
+            uu____3 = uu____4 < uu____5;
+            if (uu____3) {
+              uu____7 = j;
+              uu____8 = previous_true_hints_seen;
+              uu____6 = uu____7 > uu____8;
+              if (uu____6) {
+                uu____11 = j;
+                uu____10 = Eurydice_slice_index(hint_serialized, uu____11,
+                                                uint8_t, uint8_t *);
+                uu____14 = j;
+                uu____13 = uu____14 - (size_t)1U;
+                uu____12 = Eurydice_slice_index(hint_serialized, uu____13,
+                                                uint8_t, uint8_t *);
+                uu____9 = uu____10 <= uu____12;
+                if (uu____9) {
+                  malformed_hint = true;
+                  uu____15 = malformed_hint;
+                  if (!uu____15) {
+                    uu____16 = i;
+                    uu____19 = j;
+                    uu____18 = Eurydice_slice_index(hint_serialized, uu____19,
+                                                    uint8_t, uint8_t *);
+                    uu____17 = (size_t)uu____18;
+                    hint[uu____16][uu____17] = (int32_t)1;
+                    j++;
+                  }
+                  continue;
+                }
+              }
+              uu____15 = malformed_hint;
+              if (!uu____15) {
+                uu____16 = i;
+                uu____19 = j;
+                uu____18 = Eurydice_slice_index(hint_serialized, uu____19,
+                                                uint8_t, uint8_t *);
+                uu____17 = (size_t)uu____18;
+                hint[uu____16][uu____17] = (int32_t)1;
+                j++;
+              }
+            } else {
+              break;
+            }
+          }
+        }
+        uu____20 = malformed_hint;
+        if (!uu____20) {
+          uu____21 = current_true_hints_seen;
+          previous_true_hints_seen = uu____21;
+          i++;
+        }
+      }
+    } else {
+      break;
+    }
+  }
+  i = previous_true_hints_seen;
+  while (true) {
+    if (i < (size_t)55U) {
+      if (malformed_hint) {
+        break;
+      } else {
+        if (Eurydice_slice_index(hint_serialized, i, uint8_t, uint8_t *) !=
+            0U) {
+          malformed_hint = true;
+        }
+        i++;
+      }
+    } else {
+      break;
+    }
+  }
+  Result_ef uu____22;
+  if (malformed_hint) {
+    uu____22 = (CLITERAL(Result_ef){
+        .tag = Err,
+        .val = {.case_Err = libcrux_ml_dsa_types_MalformedHintError}});
+  } else {
+    uint8_t uu____23[48U];
+    Result_ae dst;
+    Eurydice_slice_to_array2(&dst, commitment_hash, Eurydice_slice,
+                             uint8_t[48U]);
+    unwrap_26_28(dst, uu____23);
+    /* Passing arrays by value in Rust generates a copy in C */
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+        copy_of_signer_response[5U];
+    memcpy(copy_of_signer_response, signer_response,
+           (size_t)5U *
+               sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+    /* Passing arrays by value in Rust generates a copy in C */
+    int32_t copy_of_hint[6U][256U];
+    memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U]));
+    Result_ef lit;
+    lit.tag = Ok;
+    memcpy(lit.val.case_Ok.commitment_hash, uu____23,
+           (size_t)48U * sizeof(uint8_t));
+    memcpy(lit.val.case_Ok.signer_response, copy_of_signer_response,
+           (size_t)5U *
+               sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+    memcpy(lit.val.case_Ok.hint, copy_of_hint,
+           (size_t)6U * sizeof(int32_t[256U]));
+    uu____22 = lit;
+  }
+  return uu____22;
+}
+
+/**
+A monomorphic instance of
+libcrux_ml_dsa.simd.portable.arithmetic.shift_left_then_reduce with const
+generics
+- SHIFT_BY= 13
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_arithmetic_shift_left_then_reduce_84(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit out =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, simd_unit.coefficients, int32_t),
+                              int32_t);
+       i++) {
+    size_t i0 = i;
+    out.coefficients[i0] =
+        libcrux_ml_dsa_simd_portable_arithmetic_reduce_element(
+            simd_unit.coefficients[i0] << (uint32_t)(int32_t)13);
+  }
+  return out;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.shift_left_then_reduce_36
+with const generics
+- SHIFT_BY= 13
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_shift_left_then_reduce_36_84(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_shift_left_then_reduce_84(
+      simd_unit);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.shift_left_then_reduce
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- SHIFT_BY= 13
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+libcrux_ml_dsa_arithmetic_shift_left_then_reduce_b9(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b out =
+      libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)32U, re.simd_units,
+                   libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+               libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit =
+        &re.simd_units[i0];
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+        libcrux_ml_dsa_simd_portable_shift_left_then_reduce_36_84(
+            simd_unit[0U]);
+    out.simd_units[i0] = uu____0;
+  }
+  return out;
+}
+
+/**
+ Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ))
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.matrix.compute_w_approx
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_w_approx_2f(
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*A_as_ntt)[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+        verifier_challenge_as_ntt,
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(
+               Eurydice_array_to_slice(
+                   (size_t)5U, signer_response,
+                   libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+               libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+       i++) {
+    size_t i0 = i;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 =
+        libcrux_ml_dsa_ntt_ntt_ba(signer_response[i0]);
+    signer_response[i0] = uu____0;
+  }
+  for (size_t i0 = (size_t)0U;
+       i0 < Eurydice_slice_len(
+                Eurydice_array_to_slice(
+                    (size_t)6U, A_as_ntt,
+                    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]),
+                libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]);
+       i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *row = A_as_ntt[i1];
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)5U, row,
+                     libcrux_ml_dsa_polynomial_PolynomialRingElement_9b),
+                 libcrux_ml_dsa_polynomial_PolynomialRingElement_9b);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element =
+          &row[j];
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product =
+          libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(ring_element,
+                                                        &signer_response[j]);
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 =
+          libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product);
+      result[i1] = uu____1;
+    }
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1_shifted =
+        libcrux_ml_dsa_arithmetic_shift_left_then_reduce_b9(t1[i1]);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1_shifted0 =
+        libcrux_ml_dsa_ntt_ntt_ba(t1_shifted);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+        challenge_times_t1_shifted =
+            libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(
+                &verifier_challenge_as_ntt, &t1_shifted0);
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 =
+        libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(
+            libcrux_ml_dsa_polynomial_subtract_ff_ba(
+                &result[i1], &challenge_times_t1_shifted));
+    result[i1] = uu____2;
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.use_one_hint
+with const generics
+- GAMMA2= 261888
+*/
+static KRML_MUSTINLINE int32_t
+libcrux_ml_dsa_simd_portable_arithmetic_use_one_hint_80(int32_t r,
+                                                        int32_t hint) {
+  int32_t_x2 uu____0 =
+      libcrux_ml_dsa_simd_portable_arithmetic_decompose_element_80(r);
+  int32_t r0 = uu____0.fst;
+  int32_t r1 = uu____0.snd;
+  int32_t uu____1;
+  if (hint == (int32_t)0) {
+    uu____1 = r1;
+  } else if (r0 > (int32_t)0) {
+    uu____1 = (r1 + hint) & (int32_t)15;
+  } else {
+    uu____1 = (r1 - hint) & (int32_t)15;
+  }
+  return uu____1;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.use_hint
+with const generics
+- GAMMA2= 261888
+*/
+static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_arithmetic_use_hint_80(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit hint) {
+  libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit result =
+      libcrux_ml_dsa_simd_portable_vector_type_ZERO();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(Eurydice_array_to_slice(
+                                  (size_t)8U, result.coefficients, int32_t),
+                              int32_t);
+       i++) {
+    size_t i0 = i;
+    int32_t uu____0 = libcrux_ml_dsa_simd_portable_arithmetic_use_one_hint_80(
+        simd_unit.coefficients[i0], hint.coefficients[i0]);
+    result.coefficients[i0] = uu____0;
+  }
+  return result;
+}
+
+/**
+This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.simd.portable.use_hint_36
+with const generics
+- GAMMA2= 261888
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_use_hint_36_80(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit,
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit hint) {
+  return libcrux_ml_dsa_simd_portable_arithmetic_use_hint_80(simd_unit, hint);
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.arithmetic.use_hint
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+with const generics
+- DIMENSION= 6
+- GAMMA2= 261888
+*/
+static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_2f(
+    int32_t hint[6U][256U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re_vector[6U],
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) {
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U];
+  for (size_t i = (size_t)0U; i < (size_t)6U; i++) {
+    result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba();
+  }
+  for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) {
+    size_t i1 = i0;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b hint_simd =
+        libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(
+            Eurydice_array_to_slice((size_t)256U, hint[i1], int32_t));
+    for (size_t i = (size_t)0U;
+         i < Eurydice_slice_len(
+                 Eurydice_array_to_slice(
+                     (size_t)32U, result->simd_units,
+                     libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit),
+                 libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit);
+         i++) {
+      size_t j = i;
+      libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 =
+          libcrux_ml_dsa_simd_portable_use_hint_36_80(
+              re_vector[i1].simd_units[j], hint_simd.simd_units[j]);
+      result[i1].simd_units[j] = uu____0;
+    }
+  }
+  memcpy(
+      ret, result,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+}
+
+/**
+ The internal verification API.
+
+ If no `domain_separation_context` is supplied, it is assumed that
+ `message` already contains the domain separation.
+*/
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_samplex4_portable_PortableSampler,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4,
+libcrux_ml_dsa_hash_functions_portable_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+static KRML_MUSTINLINE Result_41
+libcrux_ml_dsa_ml_dsa_generic_verify_internal_51(
+    uint8_t *verification_key_serialized, Eurydice_slice message,
+    Option_84 domain_separation_context, uint8_t *signature_serialized) {
+  tuple_93 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_2f(
+      verification_key_serialized);
+  uint8_t seed_for_A[32U];
+  memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t));
+  libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U];
+  memcpy(
+      t1, uu____0.snd,
+      (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+  Result_ef uu____1 =
+      libcrux_ml_dsa_encoding_signature_deserialize_92_76(signature_serialized);
+  Result_41 uu____2;
+  if (uu____1.tag == Ok) {
+    libcrux_ml_dsa_encoding_signature_Signature_44 s = uu____1.val.case_Ok;
+    libcrux_ml_dsa_encoding_signature_Signature_44 signature = s;
+    libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____3[5U];
+    memcpy(uu____3, signature.signer_response,
+           (size_t)5U *
+               sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+    if (libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_4f(
+            uu____3, ((int32_t)2 << (uint32_t)(size_t)19U) - (int32_t)196)) {
+      uu____2 = (CLITERAL(Result_41){
+          .tag = Err,
+          .f0 = libcrux_ml_dsa_types_SignerResponseExceedsBoundError});
+    } else {
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A_as_ntt[6U][5U];
+      uint8_t ret[34U];
+      libcrux_ml_dsa_utils_into_padded_array_b6(
+          Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret);
+      libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(ret, A_as_ntt);
+      uint8_t verification_key_hash[64U] = {0U};
+      libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(
+          Eurydice_array_to_slice((size_t)1952U, verification_key_serialized,
+                                  uint8_t),
+          verification_key_hash);
+      uint8_t message_representative[64U] = {0U};
+      uint8_t uu____4[64U];
+      memcpy(uu____4, verification_key_hash, (size_t)64U * sizeof(uint8_t));
+      libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b(
+          uu____4, domain_separation_context, message, message_representative);
+      uint8_t uu____5[48U];
+      memcpy(uu____5, signature.commitment_hash, (size_t)48U * sizeof(uint8_t));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b
+          verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ba(
+              libcrux_ml_dsa_sample_sample_challenge_ring_element_83(uu____5));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b(*uu____6)[5U] =
+          A_as_ntt;
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____7[5U];
+      memcpy(uu____7, signature.signer_response,
+             (size_t)5U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____8 =
+          verifier_challenge_as_ntt;
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U];
+      memcpy(copy_of_t1, t1,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b w_approx[6U];
+      libcrux_ml_dsa_matrix_compute_w_approx_2f(uu____6, uu____7, uu____8,
+                                                copy_of_t1, w_approx);
+      uint8_t commitment_hash[48U] = {0U};
+      int32_t uu____10[6U][256U];
+      memcpy(uu____10, signature.hint, (size_t)6U * sizeof(int32_t[256U]));
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_w_approx[6U];
+      memcpy(copy_of_w_approx, w_approx,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b commitment[6U];
+      libcrux_ml_dsa_arithmetic_use_hint_2f(uu____10, copy_of_w_approx,
+                                            commitment);
+      /* Passing arrays by value in Rust generates a copy in C */
+      libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_commitment[6U];
+      memcpy(copy_of_commitment, commitment,
+             (size_t)6U *
+                 sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b));
+      uint8_t commitment_serialized[768U];
+      libcrux_ml_dsa_encoding_commitment_serialize_vector_5d(
+          copy_of_commitment, commitment_serialized);
+      libcrux_sha3_portable_incremental_Shake256Xof shake =
+          libcrux_ml_dsa_hash_functions_portable_init_83();
+      libcrux_ml_dsa_hash_functions_portable_absorb_83(
+          &shake, Eurydice_array_to_slice((size_t)64U, message_representative,
+                                          uint8_t));
+      libcrux_ml_dsa_hash_functions_portable_absorb_final_83(
+          &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized,
+                                          uint8_t));
+      libcrux_ml_dsa_hash_functions_portable_squeeze_83(
+          &shake,
+          Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t));
+      if (core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq(
+              (size_t)48U, signature.commitment_hash, commitment_hash, uint8_t,
+              uint8_t, bool)) {
+        uu____2 = (CLITERAL(Result_41){.tag = Ok});
+      } else {
+        uu____2 = (CLITERAL(Result_41){
+            .tag = Err,
+            .f0 = libcrux_ml_dsa_types_CommitmentHashesDontMatchError});
+      }
+    }
+  } else {
+    libcrux_ml_dsa_types_VerificationError e = uu____1.val.case_Err;
+    uu____2 = (CLITERAL(Result_41){.tag = Err, .f0 = e});
+  }
+  return uu____2;
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_samplex4_portable_PortableSampler,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4,
+libcrux_ml_dsa_hash_functions_portable_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_51(
+    uint8_t *verification_key_serialized, Eurydice_slice message,
+    Eurydice_slice context, uint8_t *signature_serialized) {
+  Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45(
+      context, (CLITERAL(Option_30){.tag = None}));
+  Result_41 uu____1;
+  if (uu____0.tag == Ok) {
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok;
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context =
+        dsc;
+    uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_51(
+        verification_key_serialized, message,
+        (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}),
+        signature_serialized);
+  } else {
+    uu____1 = (CLITERAL(Result_41){
+        .tag = Err,
+        .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError});
+  }
+  return uu____1;
+}
+
+/**
+ Verify.
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+static inline Result_41
+libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01(
+    uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_verify_51(verification_key, message,
+                                                 context, signature);
+}
+
+/**
+ Verify an ML-DSA-65 Signature
+
+ The parameter `context` is used for domain separation
+ and is a byte string of length at most 255 bytes. It
+ may also be empty.
+*/
+static inline Result_41 libcrux_ml_dsa_ml_dsa_65_portable_verify(
+    libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key,
+    Eurydice_slice message, Eurydice_slice context,
+    libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01(
+      libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context,
+      libcrux_ml_dsa_types_as_ref_8f_fa(signature));
+}
+
+/**
+A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_pre_hashed
+with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit,
+libcrux_ml_dsa_samplex4_portable_PortableSampler,
+libcrux_ml_dsa_hash_functions_portable_Shake128,
+libcrux_ml_dsa_hash_functions_portable_Shake128X4,
+libcrux_ml_dsa_hash_functions_portable_Shake256,
+libcrux_ml_dsa_hash_functions_portable_Shake256Xof,
+libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics
+- PH_DIGEST_LEN= 256
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+static KRML_MUSTINLINE Result_41
+libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_3b(
+    uint8_t *verification_key_serialized, Eurydice_slice message,
+    Eurydice_slice context, uint8_t *signature_serialized) {
+  uint8_t pre_hashed_message[256U];
+  libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message);
+  Eurydice_slice uu____0 = context;
+  Option_30 lit;
+  lit.tag = Some;
+  uint8_t ret[11U];
+  libcrux_ml_dsa_pre_hash_oid_bd(ret);
+  memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t));
+  Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit);
+  Result_41 uu____2;
+  if (uu____1.tag == Ok) {
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok;
+    libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context =
+        dsc;
+    uu____2 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_51(
+        verification_key_serialized,
+        Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t),
+        (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}),
+        signature_serialized);
+  } else {
+    uu____2 = (CLITERAL(Result_41){
+        .tag = Err,
+        .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError});
+  }
+  return uu____2;
+}
+
+/**
+ Verify (pre-hashed with SHAKE-128).
+*/
+/**
+A monomorphic instance of
+libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify_pre_hashed_shake128
+with const generics
+- ROWS_IN_A= 6
+- COLUMNS_IN_A= 5
+- SIGNATURE_SIZE= 3309
+- VERIFICATION_KEY_SIZE= 1952
+- GAMMA1_EXPONENT= 19
+- GAMMA1_RING_ELEMENT_SIZE= 640
+- GAMMA2= 261888
+- BETA= 196
+- COMMITMENT_RING_ELEMENT_SIZE= 128
+- COMMITMENT_VECTOR_SIZE= 768
+- COMMITMENT_HASH_SIZE= 48
+- ONES_IN_VERIFIER_CHALLENGE= 49
+- MAX_ONES_IN_HINT= 55
+*/
+static inline Result_41
+libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01(
+    uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context,
+    uint8_t *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_3b(
+      verification_key, message, context, signature);
+}
+
+/**
+ Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing
+
+ The parameter `context` is used for domain separation
+ and is a byte string of length at most 255 bytes. It
+ may also be empty.
+*/
+static inline Result_41
+libcrux_ml_dsa_ml_dsa_65_portable_verify_pre_hashed_shake128(
+    libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key,
+    Eurydice_slice message, Eurydice_slice context,
+    libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) {
+  return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01(
+      libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context,
+      libcrux_ml_dsa_types_as_ref_8f_fa(signature));
+}
+
+#define LIBCRUX_ML_DSA_PRE_HASH_PRE_HASH_OID_LEN ((size_t)11U)
+
+typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashOID[11U];
+
+/**
+This function found in impl
+{(core::convert::From<libcrux_ml_dsa::pre_hash::DomainSeparationError> for
+libcrux_ml_dsa::types::SigningError)#2}
+*/
+static inline libcrux_ml_dsa_types_SigningError libcrux_ml_dsa_pre_hash_from_4b(
+    libcrux_ml_dsa_pre_hash_DomainSeparationError e) {
+  return libcrux_ml_dsa_types_ContextTooLongError;
+}
+
+/**
+This function found in impl
+{(core::convert::From<libcrux_ml_dsa::pre_hash::DomainSeparationError> for
+libcrux_ml_dsa::types::VerificationError)#3}
+*/
+static inline libcrux_ml_dsa_types_VerificationError
+libcrux_ml_dsa_pre_hash_from_b6(
+    libcrux_ml_dsa_pre_hash_DomainSeparationError e) {
+  return libcrux_ml_dsa_types_VerificationContextTooLongError;
+}
+
+/**
+This function found in impl {(core::clone::Clone for
+libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)}
+*/
+static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit
+libcrux_ml_dsa_simd_portable_vector_type_clone_ae(
+    libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *self) {
+  return self[0U];
+}
+
+typedef int32_t libcrux_ml_dsa_simd_traits_FieldElementTimesMontgomeryR;
+
+typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_FieldElement;
+
+typedef Result_a8 libcrux_ml_dsa_pre_hash_PreHashResult;
+
+typedef struct libcrux_ml_dsa_hash_functions_portable_Shake128_s {
+} libcrux_ml_dsa_hash_functions_portable_Shake128;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __libcrux_mldsa65_portable_H_DEFINED
+#endif
diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h
new file mode 100644
index 000000000..876ec6f9b
--- /dev/null
+++ b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h
@@ -0,0 +1,2571 @@
+/*
+ * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
+ *
+ * SPDX-License-Identifier: MIT or Apache-2.0
+ *
+ * This code was generated with the following revisions:
+ * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79
+ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5
+ * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968
+ * F*: b0961063393215ca65927f017720cb365a193833-dirty
+ * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3
+ */
+
+#ifndef __libcrux_sha3_avx2_H
+#define __libcrux_sha3_avx2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include "eurydice_glue.h"
+#include "intrinsics/libcrux_intrinsics_avx2.h"
+#include "libcrux_core.h"
+#include "libcrux_sha3_portable.h"
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_zero_ef(void) {
+  return libcrux_intrinsics_avx2_mm256_set1_epi64x((int64_t)0);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veor5q_u64(
+    __m256i a, __m256i b, __m256i c, __m256i d, __m256i e) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  __m256i cd = libcrux_intrinsics_avx2_mm256_xor_si256(c, d);
+  __m256i abcd = libcrux_intrinsics_avx2_mm256_xor_si256(ab, cd);
+  return libcrux_intrinsics_avx2_mm256_xor_si256(abcd, e);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_xor5_ef(
+    __m256i a, __m256i b, __m256i c, __m256i d, __m256i e) {
+  return libcrux_sha3_simd_avx2__veor5q_u64(a, b, c, d, e);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 1
+- RIGHT= 63
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)1, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)63, x, __m256i));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a,
+                                                                  __m256i b) {
+  __m256i uu____0 = a;
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      uu____0, libcrux_sha3_simd_avx2_rotate_left_76(b));
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vrax1q_u64(a, b);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a,
+                                                                  __m256i b,
+                                                                  __m256i c) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      a, libcrux_intrinsics_avx2_mm256_andnot_si256(c, b));
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_and_not_xor_ef(__m256i a, __m256i b, __m256i c) {
+  return libcrux_sha3_simd_avx2__vbcaxq_u64(a, b, c);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a,
+                                                                   uint64_t c) {
+  __m256i c0 = libcrux_intrinsics_avx2_mm256_set1_epi64x((int64_t)c);
+  return libcrux_intrinsics_avx2_mm256_xor_si256(a, c0);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_constant_ef(__m256i a, uint64_t c) {
+  return libcrux_sha3_simd_avx2__veorq_n_u64(a, c);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_xor_ef(__m256i a,
+                                                             __m256i b) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_4(
+    Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) {
+  ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
+  ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t);
+  ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t);
+  ret[3U] = Eurydice_slice_subslice2(a[3U], start, start + len, uint8_t);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_n_ef(
+    Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_a[4U];
+  memcpy(copy_of_a, a, (size_t)4U * sizeof(Eurydice_slice));
+  Eurydice_slice ret0[4U];
+  libcrux_sha3_simd_avx2_slice_4(copy_of_a, start, len, ret0);
+  memcpy(ret, ret0, (size_t)4U * sizeof(Eurydice_slice));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2
+libcrux_sha3_simd_avx2_split_at_mut_4(Eurydice_slice out[4U], size_t mid) {
+  Eurydice_slice out0 = out[0U];
+  Eurydice_slice out1 = out[1U];
+  Eurydice_slice out2 = out[2U];
+  Eurydice_slice out3 = out[3U];
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut(
+      out0, mid, uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice out00 = uu____0.fst;
+  Eurydice_slice out01 = uu____0.snd;
+  Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at_mut(
+      out1, mid, uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice out10 = uu____1.fst;
+  Eurydice_slice out11 = uu____1.snd;
+  Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at_mut(
+      out2, mid, uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice out20 = uu____2.fst;
+  Eurydice_slice out21 = uu____2.snd;
+  Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at_mut(
+      out3, mid, uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice out30 = uu____3.fst;
+  Eurydice_slice out31 = uu____3.snd;
+  Eurydice_slice_uint8_t_4size_t__x2 lit;
+  lit.fst[0U] = out00;
+  lit.fst[1U] = out10;
+  lit.fst[2U] = out20;
+  lit.fst[3U] = out30;
+  lit.snd[0U] = out01;
+  lit.snd[1U] = out11;
+  lit.snd[2U] = out21;
+  lit.snd[3U] = out31;
+  return lit;
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2
+libcrux_sha3_simd_avx2_split_at_mut_n_ef(Eurydice_slice a[4U], size_t mid) {
+  return libcrux_sha3_simd_avx2_split_at_mut_4(a, mid);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.KeccakState
+with types core_core_arch_x86___m256i
+with const generics
+- $4size_t
+*/
+typedef struct libcrux_sha3_generic_keccak_KeccakState_55_s {
+  __m256i st[5U][5U];
+} libcrux_sha3_generic_keccak_KeccakState_55;
+
+typedef libcrux_sha3_generic_keccak_KeccakState_55
+    libcrux_sha3_avx2_x4_incremental_KeccakState;
+
+/**
+ Create a new Shake128 x4 state.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakState<T,
+N>[TraitClause@0, TraitClause@1]#1}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.new_89
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55
+libcrux_sha3_generic_keccak_new_89_a6(void) {
+  libcrux_sha3_generic_keccak_KeccakState_55 lit;
+  lit.st[0U][0U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[0U][1U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[0U][2U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[0U][3U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[0U][4U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[1U][0U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[1U][1U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[1U][2U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[1U][3U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[1U][4U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[2U][0U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[2U][1U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[2U][2U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[2U][3U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[2U][4U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[3U][0U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[3U][1U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[3U][2U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[3U][3U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[3U][4U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[4U][0U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[4U][1U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[4U][2U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[4U][3U] = libcrux_sha3_simd_avx2_zero_ef();
+  lit.st[4U][4U] = libcrux_sha3_simd_avx2_zero_ef();
+  return lit;
+}
+
+/**
+ Initialise the [`KeccakState`].
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55
+libcrux_sha3_avx2_x4_incremental_init(void) {
+  return libcrux_sha3_generic_keccak_new_89_a6();
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.load_block
+with const generics
+- RATE= 168
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_3a(
+    __m256i (*s)[5U], Eurydice_slice blocks[4U]) {
+  for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
+    size_t i0 = i;
+    __m256i v00 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        Eurydice_slice_subslice2(blocks[0U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t));
+    __m256i v10 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        Eurydice_slice_subslice2(blocks[1U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t));
+    __m256i v20 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        Eurydice_slice_subslice2(blocks[2U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t));
+    __m256i v30 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        Eurydice_slice_subslice2(blocks[3U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t));
+    __m256i v0l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v00, v10);
+    __m256i v1h = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v00, v10);
+    __m256i v2l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v20, v30);
+    __m256i v3h = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v20, v30);
+    __m256i v0 = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)32, v0l, v2l, __m256i);
+    __m256i v1 = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)32, v1h, v3h, __m256i);
+    __m256i v2 = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)49, v0l, v2l, __m256i);
+    __m256i v3 = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)49, v1h, v3h, __m256i);
+    s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U] =
+        libcrux_intrinsics_avx2_mm256_xor_si256(
+            s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U], v0);
+    s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U]
+     [((size_t)4U * i0 + (size_t)1U) % (size_t)5U] =
+         libcrux_intrinsics_avx2_mm256_xor_si256(
+             s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U]
+              [((size_t)4U * i0 + (size_t)1U) % (size_t)5U],
+             v1);
+    s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U]
+     [((size_t)4U * i0 + (size_t)2U) % (size_t)5U] =
+         libcrux_intrinsics_avx2_mm256_xor_si256(
+             s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U]
+              [((size_t)4U * i0 + (size_t)2U) % (size_t)5U],
+             v2);
+    s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U]
+     [((size_t)4U * i0 + (size_t)3U) % (size_t)5U] =
+         libcrux_intrinsics_avx2_mm256_xor_si256(
+             s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U]
+              [((size_t)4U * i0 + (size_t)3U) % (size_t)5U],
+             v3);
+  }
+  size_t rem = (size_t)168U % (size_t)32U;
+  size_t start = (size_t)32U * ((size_t)168U / (size_t)32U);
+  uint8_t u8s[32U] = {0U};
+  Eurydice_slice uu____0 =
+      Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____1 =
+      Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t);
+  Eurydice_slice_copy(
+      uu____1,
+      Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____2 =
+      Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t);
+  Eurydice_slice_copy(
+      uu____2,
+      Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____3 =
+      Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t);
+  Eurydice_slice_copy(
+      uu____3,
+      Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t),
+      uint8_t);
+  __m256i u = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+      core_array___Array_T__N__23__as_slice((size_t)32U, u8s, uint8_t,
+                                            Eurydice_slice));
+  size_t i0 = (size_t)4U * ((size_t)168U / (size_t)32U) / (size_t)5U;
+  size_t j0 = (size_t)4U * ((size_t)168U / (size_t)32U) % (size_t)5U;
+  s[i0][j0] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i0][j0], u);
+  if (rem == (size_t)16U) {
+    uint8_t u8s0[32U] = {0U};
+    Eurydice_slice uu____4 =
+        Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t);
+    Eurydice_slice_copy(uu____4,
+                        Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U,
+                                                 start + (size_t)16U, uint8_t),
+                        uint8_t);
+    Eurydice_slice uu____5 =
+        Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t);
+    Eurydice_slice_copy(uu____5,
+                        Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U,
+                                                 start + (size_t)16U, uint8_t),
+                        uint8_t);
+    Eurydice_slice uu____6 =
+        Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t);
+    Eurydice_slice_copy(uu____6,
+                        Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U,
+                                                 start + (size_t)16U, uint8_t),
+                        uint8_t);
+    Eurydice_slice uu____7 =
+        Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t);
+    Eurydice_slice_copy(uu____7,
+                        Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U,
+                                                 start + (size_t)16U, uint8_t),
+                        uint8_t);
+    __m256i u0 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        core_array___Array_T__N__23__as_slice((size_t)32U, u8s0, uint8_t,
+                                              Eurydice_slice));
+    size_t i =
+        ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) / (size_t)5U;
+    size_t j =
+        ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) % (size_t)5U;
+    s[i][j] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i][j], u0);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.load_block_full
+with const generics
+- RATE= 168
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_3a(
+    __m256i (*s)[5U], uint8_t blocks[4U][200U]) {
+  Eurydice_slice buf[4U] = {
+      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t),
+      Eurydice_array_to_slice((size_t)200U, blocks[1U], uint8_t),
+      Eurydice_array_to_slice((size_t)200U, blocks[2U], uint8_t),
+      Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t)};
+  libcrux_sha3_simd_avx2_load_block_3a(s, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.load_block_full_ef
+with const generics
+- RATE= 168
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_ef_3a(
+    __m256i (*a)[5U], uint8_t b[4U][200U]) {
+  __m256i(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_b[4U][200U];
+  memcpy(copy_of_b, b, (size_t)4U * sizeof(uint8_t[200U]));
+  libcrux_sha3_simd_avx2_load_block_full_3a(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 36
+- RIGHT= 28
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)28, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 36
+- RIGHT= 28
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_02(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 36
+- RIGHT= 28
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_02(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_02(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 3
+- RIGHT= 61
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)3, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)61, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 3
+- RIGHT= 61
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_ac(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 3
+- RIGHT= 61
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_ac(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_ac(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 41
+- RIGHT= 23
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)41, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)23, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 41
+- RIGHT= 23
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a, __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_020(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 41
+- RIGHT= 23
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_020(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_020(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 18
+- RIGHT= 46
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)18, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)46, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 18
+- RIGHT= 46
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_a9(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 18
+- RIGHT= 46
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_a9(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_a9(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 1
+- RIGHT= 63
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_76(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 1
+- RIGHT= 63
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_76(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_76(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 44
+- RIGHT= 20
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)44, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)20, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 44
+- RIGHT= 20
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_58(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 44
+- RIGHT= 20
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_58(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_58(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 10
+- RIGHT= 54
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)10, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)54, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 10
+- RIGHT= 54
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_e0(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 10
+- RIGHT= 54
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_e0(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_e0(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 45
+- RIGHT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)45, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)19, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 45
+- RIGHT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_63(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 45
+- RIGHT= 19
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_63(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_63(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 2
+- RIGHT= 62
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)2, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)62, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 2
+- RIGHT= 62
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_6a(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 2
+- RIGHT= 62
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_6a(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_6a(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 62
+- RIGHT= 2
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)62, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)2, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 62
+- RIGHT= 2
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_ab(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 62
+- RIGHT= 2
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_ab(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_ab(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 6
+- RIGHT= 58
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)6, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)58, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 6
+- RIGHT= 58
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_5b(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 6
+- RIGHT= 58
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_5b(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_5b(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 43
+- RIGHT= 21
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)43, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)21, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 43
+- RIGHT= 21
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_6f(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 43
+- RIGHT= 21
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_6f(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_6f(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 15
+- RIGHT= 49
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)15, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)49, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 15
+- RIGHT= 49
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_62(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 15
+- RIGHT= 49
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_62(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_62(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 61
+- RIGHT= 3
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)61, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)3, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 61
+- RIGHT= 3
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_23(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 61
+- RIGHT= 3
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_23(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_23(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 28
+- RIGHT= 36
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)28, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)36, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 28
+- RIGHT= 36
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_37(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 28
+- RIGHT= 36
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_37(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_37(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 55
+- RIGHT= 9
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)55, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)9, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 55
+- RIGHT= 9
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_bb(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 55
+- RIGHT= 9
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_bb(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_bb(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 25
+- RIGHT= 39
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)25, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)39, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 25
+- RIGHT= 39
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_b9(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 25
+- RIGHT= 39
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_b9(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_b9(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 21
+- RIGHT= 43
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)21, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)43, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 21
+- RIGHT= 43
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_54(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 21
+- RIGHT= 43
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_54(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_54(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 56
+- RIGHT= 8
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)56, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)8, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 56
+- RIGHT= 8
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_4c(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 56
+- RIGHT= 8
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_4c(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_4c(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 27
+- RIGHT= 37
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)27, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)37, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 27
+- RIGHT= 37
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_ce(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 27
+- RIGHT= 37
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_ce(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_ce(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 20
+- RIGHT= 44
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)20, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)44, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 20
+- RIGHT= 44
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_77(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 20
+- RIGHT= 44
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_77(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_77(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 39
+- RIGHT= 25
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)39, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)25, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 39
+- RIGHT= 25
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_25(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 39
+- RIGHT= 25
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_25(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_25(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 8
+- RIGHT= 56
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)8, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)56, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 8
+- RIGHT= 56
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_af(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 8
+- RIGHT= 56
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_af(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_af(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left
+with const generics
+- LEFT= 14
+- RIGHT= 50
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(
+      libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)14, x, __m256i),
+      libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)50, x, __m256i));
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64
+with const generics
+- LEFT= 14
+- RIGHT= 50
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a,
+                                                                    __m256i b) {
+  __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_rotate_left_fd(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef
+with const generics
+- LEFT= 14
+- RIGHT= 50
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_xor_and_rotate_ef_fd(__m256i a, __m256i b) {
+  return libcrux_sha3_simd_avx2__vxarq_u64_fd(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.theta_rho
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_theta_rho_a6(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s) {
+  __m256i c[5U] = {libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][0U], s->st[1U][0U],
+                                                  s->st[2U][0U], s->st[3U][0U],
+                                                  s->st[4U][0U]),
+                   libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][1U], s->st[1U][1U],
+                                                  s->st[2U][1U], s->st[3U][1U],
+                                                  s->st[4U][1U]),
+                   libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][2U], s->st[1U][2U],
+                                                  s->st[2U][2U], s->st[3U][2U],
+                                                  s->st[4U][2U]),
+                   libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][3U], s->st[1U][3U],
+                                                  s->st[2U][3U], s->st[3U][3U],
+                                                  s->st[4U][3U]),
+                   libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][4U], s->st[1U][4U],
+                                                  s->st[2U][4U], s->st[3U][4U],
+                                                  s->st[4U][4U])};
+  __m256i uu____0 = libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(
+      c[((size_t)0U + (size_t)4U) % (size_t)5U],
+      c[((size_t)0U + (size_t)1U) % (size_t)5U]);
+  __m256i uu____1 = libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(
+      c[((size_t)1U + (size_t)4U) % (size_t)5U],
+      c[((size_t)1U + (size_t)1U) % (size_t)5U]);
+  __m256i uu____2 = libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(
+      c[((size_t)2U + (size_t)4U) % (size_t)5U],
+      c[((size_t)2U + (size_t)1U) % (size_t)5U]);
+  __m256i uu____3 = libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(
+      c[((size_t)3U + (size_t)4U) % (size_t)5U],
+      c[((size_t)3U + (size_t)1U) % (size_t)5U]);
+  __m256i t[5U] = {uu____0, uu____1, uu____2, uu____3,
+                   libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(
+                       c[((size_t)4U + (size_t)4U) % (size_t)5U],
+                       c[((size_t)4U + (size_t)1U) % (size_t)5U])};
+  s->st[0U][0U] = libcrux_sha3_simd_avx2_xor_ef(s->st[0U][0U], t[0U]);
+  s->st[1U][0U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_02(s->st[1U][0U], t[0U]);
+  s->st[2U][0U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_ac(s->st[2U][0U], t[0U]);
+  s->st[3U][0U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_020(s->st[3U][0U], t[0U]);
+  s->st[4U][0U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_a9(s->st[4U][0U], t[0U]);
+  s->st[0U][1U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_76(s->st[0U][1U], t[1U]);
+  s->st[1U][1U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_58(s->st[1U][1U], t[1U]);
+  s->st[2U][1U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_e0(s->st[2U][1U], t[1U]);
+  s->st[3U][1U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_63(s->st[3U][1U], t[1U]);
+  s->st[4U][1U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_6a(s->st[4U][1U], t[1U]);
+  s->st[0U][2U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_ab(s->st[0U][2U], t[2U]);
+  s->st[1U][2U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_5b(s->st[1U][2U], t[2U]);
+  s->st[2U][2U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_6f(s->st[2U][2U], t[2U]);
+  s->st[3U][2U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_62(s->st[3U][2U], t[2U]);
+  s->st[4U][2U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_23(s->st[4U][2U], t[2U]);
+  s->st[0U][3U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_37(s->st[0U][3U], t[3U]);
+  s->st[1U][3U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_bb(s->st[1U][3U], t[3U]);
+  s->st[2U][3U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_b9(s->st[2U][3U], t[3U]);
+  s->st[3U][3U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_54(s->st[3U][3U], t[3U]);
+  s->st[4U][3U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_4c(s->st[4U][3U], t[3U]);
+  s->st[0U][4U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_ce(s->st[0U][4U], t[4U]);
+  s->st[1U][4U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_77(s->st[1U][4U], t[4U]);
+  s->st[2U][4U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_25(s->st[2U][4U], t[4U]);
+  s->st[3U][4U] =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_af(s->st[3U][4U], t[4U]);
+  __m256i uu____27 =
+      libcrux_sha3_simd_avx2_xor_and_rotate_ef_fd(s->st[4U][4U], t[4U]);
+  s->st[4U][4U] = uu____27;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.pi
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_pi_a6(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s) {
+  __m256i old[5U][5U];
+  memcpy(old, s->st, (size_t)5U * sizeof(__m256i[5U]));
+  s->st[0U][1U] = old[1U][1U];
+  s->st[0U][2U] = old[2U][2U];
+  s->st[0U][3U] = old[3U][3U];
+  s->st[0U][4U] = old[4U][4U];
+  s->st[1U][0U] = old[0U][3U];
+  s->st[1U][1U] = old[1U][4U];
+  s->st[1U][2U] = old[2U][0U];
+  s->st[1U][3U] = old[3U][1U];
+  s->st[1U][4U] = old[4U][2U];
+  s->st[2U][0U] = old[0U][1U];
+  s->st[2U][1U] = old[1U][2U];
+  s->st[2U][2U] = old[2U][3U];
+  s->st[2U][3U] = old[3U][4U];
+  s->st[2U][4U] = old[4U][0U];
+  s->st[3U][0U] = old[0U][4U];
+  s->st[3U][1U] = old[1U][0U];
+  s->st[3U][2U] = old[2U][1U];
+  s->st[3U][3U] = old[3U][2U];
+  s->st[3U][4U] = old[4U][3U];
+  s->st[4U][0U] = old[0U][2U];
+  s->st[4U][1U] = old[1U][3U];
+  s->st[4U][2U] = old[2U][4U];
+  s->st[4U][3U] = old[3U][0U];
+  s->st[4U][4U] = old[4U][1U];
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.chi
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_chi_a6(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s) {
+  __m256i old[5U][5U];
+  memcpy(old, s->st, (size_t)5U * sizeof(__m256i[5U]));
+  for (size_t i0 = (size_t)0U; i0 < (size_t)5U; i0++) {
+    size_t i1 = i0;
+    for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+      size_t j = i;
+      s->st[i1][j] = libcrux_sha3_simd_avx2_and_not_xor_ef(
+          s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U],
+          old[i1][(j + (size_t)1U) % (size_t)5U]);
+    }
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.iota
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_iota_a6(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, size_t i) {
+  s->st[0U][0U] = libcrux_sha3_simd_avx2_xor_constant_ef(
+      s->st[0U][0U], libcrux_sha3_generic_keccak_ROUNDCONSTANTS[i]);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.keccakf1600
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccakf1600_a6(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s) {
+  for (size_t i = (size_t)0U; i < (size_t)24U; i++) {
+    size_t i0 = i;
+    libcrux_sha3_generic_keccak_theta_rho_a6(s);
+    libcrux_sha3_generic_keccak_pi_a6(s);
+    libcrux_sha3_generic_keccak_chi_a6(s);
+    libcrux_sha3_generic_keccak_iota_a6(s, i0);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 168
+- DELIM= 31
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_fb(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice last[4U]) {
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
+  uint8_t blocks[4U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)4U; i++) {
+    size_t i0 = i;
+    if (last_len > (size_t)0U) {
+      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
+    }
+    blocks[i0][last_len] = 31U;
+    size_t uu____1 = i0;
+    size_t uu____2 = (size_t)168U - (size_t)1U;
+    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
+  }
+  __m256i(*uu____3)[5U] = s->st;
+  uint8_t uu____4[4U][200U];
+  memcpy(uu____4, blocks, (size_t)4U * sizeof(uint8_t[200U]));
+  libcrux_sha3_simd_avx2_load_block_full_ef_3a(uu____3, uu____4);
+  libcrux_sha3_generic_keccak_keccakf1600_a6(s);
+}
+
+/**
+ Absorb
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0,
+    Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) {
+  Eurydice_slice buf[4U] = {data0, data1, data2, data3};
+  libcrux_sha3_generic_keccak_absorb_final_fb(s, buf);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.load_block
+with const generics
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_5b(
+    __m256i (*s)[5U], Eurydice_slice blocks[4U]) {
+  for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
+    size_t i0 = i;
+    __m256i v00 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        Eurydice_slice_subslice2(blocks[0U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t));
+    __m256i v10 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        Eurydice_slice_subslice2(blocks[1U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t));
+    __m256i v20 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        Eurydice_slice_subslice2(blocks[2U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t));
+    __m256i v30 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        Eurydice_slice_subslice2(blocks[3U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t));
+    __m256i v0l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v00, v10);
+    __m256i v1h = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v00, v10);
+    __m256i v2l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v20, v30);
+    __m256i v3h = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v20, v30);
+    __m256i v0 = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)32, v0l, v2l, __m256i);
+    __m256i v1 = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)32, v1h, v3h, __m256i);
+    __m256i v2 = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)49, v0l, v2l, __m256i);
+    __m256i v3 = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)49, v1h, v3h, __m256i);
+    s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U] =
+        libcrux_intrinsics_avx2_mm256_xor_si256(
+            s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U], v0);
+    s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U]
+     [((size_t)4U * i0 + (size_t)1U) % (size_t)5U] =
+         libcrux_intrinsics_avx2_mm256_xor_si256(
+             s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U]
+              [((size_t)4U * i0 + (size_t)1U) % (size_t)5U],
+             v1);
+    s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U]
+     [((size_t)4U * i0 + (size_t)2U) % (size_t)5U] =
+         libcrux_intrinsics_avx2_mm256_xor_si256(
+             s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U]
+              [((size_t)4U * i0 + (size_t)2U) % (size_t)5U],
+             v2);
+    s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U]
+     [((size_t)4U * i0 + (size_t)3U) % (size_t)5U] =
+         libcrux_intrinsics_avx2_mm256_xor_si256(
+             s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U]
+              [((size_t)4U * i0 + (size_t)3U) % (size_t)5U],
+             v3);
+  }
+  size_t rem = (size_t)136U % (size_t)32U;
+  size_t start = (size_t)32U * ((size_t)136U / (size_t)32U);
+  uint8_t u8s[32U] = {0U};
+  Eurydice_slice uu____0 =
+      Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____1 =
+      Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t);
+  Eurydice_slice_copy(
+      uu____1,
+      Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____2 =
+      Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t);
+  Eurydice_slice_copy(
+      uu____2,
+      Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____3 =
+      Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t);
+  Eurydice_slice_copy(
+      uu____3,
+      Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t),
+      uint8_t);
+  __m256i u = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+      core_array___Array_T__N__23__as_slice((size_t)32U, u8s, uint8_t,
+                                            Eurydice_slice));
+  size_t i0 = (size_t)4U * ((size_t)136U / (size_t)32U) / (size_t)5U;
+  size_t j0 = (size_t)4U * ((size_t)136U / (size_t)32U) % (size_t)5U;
+  s[i0][j0] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i0][j0], u);
+  if (rem == (size_t)16U) {
+    uint8_t u8s0[32U] = {0U};
+    Eurydice_slice uu____4 =
+        Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t);
+    Eurydice_slice_copy(uu____4,
+                        Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U,
+                                                 start + (size_t)16U, uint8_t),
+                        uint8_t);
+    Eurydice_slice uu____5 =
+        Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t);
+    Eurydice_slice_copy(uu____5,
+                        Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U,
+                                                 start + (size_t)16U, uint8_t),
+                        uint8_t);
+    Eurydice_slice uu____6 =
+        Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t);
+    Eurydice_slice_copy(uu____6,
+                        Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U,
+                                                 start + (size_t)16U, uint8_t),
+                        uint8_t);
+    Eurydice_slice uu____7 =
+        Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t);
+    Eurydice_slice_copy(uu____7,
+                        Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U,
+                                                 start + (size_t)16U, uint8_t),
+                        uint8_t);
+    __m256i u0 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8(
+        core_array___Array_T__N__23__as_slice((size_t)32U, u8s0, uint8_t,
+                                              Eurydice_slice));
+    size_t i =
+        ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) / (size_t)5U;
+    size_t j =
+        ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) % (size_t)5U;
+    s[i][j] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i][j], u0);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.load_block_full
+with const generics
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_5b(
+    __m256i (*s)[5U], uint8_t blocks[4U][200U]) {
+  Eurydice_slice buf[4U] = {
+      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t),
+      Eurydice_array_to_slice((size_t)200U, blocks[1U], uint8_t),
+      Eurydice_array_to_slice((size_t)200U, blocks[2U], uint8_t),
+      Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t)};
+  libcrux_sha3_simd_avx2_load_block_5b(s, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.load_block_full_ef
+with const generics
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_ef_5b(
+    __m256i (*a)[5U], uint8_t b[4U][200U]) {
+  __m256i(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_b[4U][200U];
+  memcpy(copy_of_b, b, (size_t)4U * sizeof(uint8_t[200U]));
+  libcrux_sha3_simd_avx2_load_block_full_5b(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 136
+- DELIM= 31
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_fb0(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice last[4U]) {
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
+  uint8_t blocks[4U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)4U; i++) {
+    size_t i0 = i;
+    if (last_len > (size_t)0U) {
+      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
+    }
+    blocks[i0][last_len] = 31U;
+    size_t uu____1 = i0;
+    size_t uu____2 = (size_t)136U - (size_t)1U;
+    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
+  }
+  __m256i(*uu____3)[5U] = s->st;
+  uint8_t uu____4[4U][200U];
+  memcpy(uu____4, blocks, (size_t)4U * sizeof(uint8_t[200U]));
+  libcrux_sha3_simd_avx2_load_block_full_ef_5b(uu____3, uu____4);
+  libcrux_sha3_generic_keccak_keccakf1600_a6(s);
+}
+
+/**
+ Absorb
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0,
+    Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) {
+  Eurydice_slice buf[4U] = {data0, data1, data2, data3};
+  libcrux_sha3_generic_keccak_absorb_final_fb0(s, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.load_block_ef
+with const generics
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_ef_5b(
+    __m256i (*a)[5U], Eurydice_slice b[4U]) {
+  __m256i(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_b[4U];
+  memcpy(copy_of_b, b, (size_t)4U * sizeof(Eurydice_slice));
+  libcrux_sha3_simd_avx2_load_block_5b(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_97(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice blocks[4U]) {
+  __m256i(*uu____0)[5U] = s->st;
+  Eurydice_slice uu____1[4U];
+  memcpy(uu____1, blocks, (size_t)4U * sizeof(Eurydice_slice));
+  libcrux_sha3_simd_avx2_load_block_ef_5b(uu____0, uu____1);
+  libcrux_sha3_generic_keccak_keccakf1600_a6(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.store_block
+with const generics
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_5b(
+    __m256i (*s)[5U], Eurydice_slice out[4U]) {
+  for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
+    size_t i0 = i;
+    __m256i v0l = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)32,
+        s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U],
+        s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)2U) % (size_t)5U],
+        __m256i);
+    __m256i v1h = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)32,
+        s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)1U) % (size_t)5U],
+        s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)3U) % (size_t)5U],
+        __m256i);
+    __m256i v2l = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)49,
+        s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U],
+        s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)2U) % (size_t)5U],
+        __m256i);
+    __m256i v3h = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)49,
+        s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)1U) % (size_t)5U],
+        s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)3U) % (size_t)5U],
+        __m256i);
+    __m256i v0 = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v0l, v1h);
+    __m256i v1 = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v0l, v1h);
+    __m256i v2 = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v2l, v3h);
+    __m256i v3 = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v2l, v3h);
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_slice_subslice2(out[0U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t),
+        v0);
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_slice_subslice2(out[1U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t),
+        v1);
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_slice_subslice2(out[2U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t),
+        v2);
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_slice_subslice2(out[3U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t),
+        v3);
+  }
+  size_t rem = (size_t)136U % (size_t)32U;
+  size_t start = (size_t)32U * ((size_t)136U / (size_t)32U);
+  uint8_t u8s[32U] = {0U};
+  size_t i0 = (size_t)4U * ((size_t)136U / (size_t)32U) / (size_t)5U;
+  size_t j0 = (size_t)4U * ((size_t)136U / (size_t)32U) % (size_t)5U;
+  libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+      Eurydice_array_to_slice((size_t)32U, u8s, uint8_t), s[i0][j0]);
+  Eurydice_slice uu____0 =
+      Eurydice_slice_subslice2(out[0U], start, start + (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____1 =
+      Eurydice_slice_subslice2(out[1U], start, start + (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____1,
+      Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____2 =
+      Eurydice_slice_subslice2(out[2U], start, start + (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____2,
+      Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____3 =
+      Eurydice_slice_subslice2(out[3U], start, start + (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____3,
+      Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t),
+      uint8_t);
+  if (rem == (size_t)16U) {
+    uint8_t u8s0[32U] = {0U};
+    size_t i =
+        ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) / (size_t)5U;
+    size_t j =
+        ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) % (size_t)5U;
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t), s[i][j]);
+    Eurydice_slice uu____4 = Eurydice_slice_subslice2(
+        out[0U], start + (size_t)8U, start + (size_t)16U, uint8_t);
+    Eurydice_slice_copy(
+        uu____4,
+        Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t),
+        uint8_t);
+    Eurydice_slice uu____5 = Eurydice_slice_subslice2(
+        out[1U], start + (size_t)8U, start + (size_t)16U, uint8_t);
+    Eurydice_slice_copy(
+        uu____5,
+        Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t),
+        uint8_t);
+    Eurydice_slice uu____6 = Eurydice_slice_subslice2(
+        out[2U], start + (size_t)8U, start + (size_t)16U, uint8_t);
+    Eurydice_slice_copy(
+        uu____6,
+        Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t),
+        uint8_t);
+    Eurydice_slice uu____7 = Eurydice_slice_subslice2(
+        out[3U], start + (size_t)8U, start + (size_t)16U, uint8_t);
+    Eurydice_slice_copy(
+        uu____7,
+        Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t),
+        uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.store_block_full
+with const generics
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_full_5b(
+    __m256i (*s)[5U], uint8_t ret[4U][200U]) {
+  uint8_t out0[200U] = {0U};
+  uint8_t out1[200U] = {0U};
+  uint8_t out2[200U] = {0U};
+  uint8_t out3[200U] = {0U};
+  Eurydice_slice buf[4U] = {
+      Eurydice_array_to_slice((size_t)200U, out0, uint8_t),
+      Eurydice_array_to_slice((size_t)200U, out1, uint8_t),
+      Eurydice_array_to_slice((size_t)200U, out2, uint8_t),
+      Eurydice_array_to_slice((size_t)200U, out3, uint8_t)};
+  libcrux_sha3_simd_avx2_store_block_5b(s, buf);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out0[200U];
+  memcpy(copy_of_out0, out0, (size_t)200U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out1[200U];
+  memcpy(copy_of_out1, out1, (size_t)200U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out2[200U];
+  memcpy(copy_of_out2, out2, (size_t)200U * sizeof(uint8_t));
+  uint8_t uu____3[200U];
+  memcpy(uu____3, out3, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[0U], copy_of_out0, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[1U], copy_of_out1, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[2U], copy_of_out2, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[3U], uu____3, (size_t)200U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.store_block_full_ef
+with const generics
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_full_ef_5b(
+    __m256i (*a)[5U], uint8_t ret[4U][200U]) {
+  libcrux_sha3_simd_avx2_store_block_full_5b(a, ret);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_and_last_97(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
+  uint8_t b[4U][200U];
+  libcrux_sha3_simd_avx2_store_block_full_ef_5b(s->st, b);
+  for (size_t i = (size_t)0U; i < (size_t)4U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.store_block_ef
+with const generics
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_ef_5b(
+    __m256i (*a)[5U], Eurydice_slice b[4U]) {
+  libcrux_sha3_simd_avx2_store_block_5b(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_97(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
+  libcrux_sha3_simd_avx2_store_block_ef_5b(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_97(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_a6(s);
+  libcrux_sha3_simd_avx2_store_block_ef_5b(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 136
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_97(
+    libcrux_sha3_generic_keccak_KeccakState_55 s, Eurydice_slice out[4U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_a6(&s);
+  uint8_t b[4U][200U];
+  libcrux_sha3_simd_avx2_store_block_full_ef_5b(s.st, b);
+  for (size_t i = (size_t)0U; i < (size_t)4U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.keccak
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 136
+- DELIM= 31
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_fb(
+    Eurydice_slice data[4U], Eurydice_slice out[4U]) {
+  libcrux_sha3_generic_keccak_KeccakState_55 s =
+      libcrux_sha3_generic_keccak_new_89_a6();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) {
+    size_t i0 = i;
+    libcrux_sha3_generic_keccak_KeccakState_55 *uu____0 = &s;
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[4U];
+    memcpy(copy_of_data, data, (size_t)4U * sizeof(Eurydice_slice));
+    Eurydice_slice ret[4U];
+    libcrux_sha3_simd_avx2_slice_n_ef(copy_of_data, i0 * (size_t)136U,
+                                      (size_t)136U, ret);
+    libcrux_sha3_generic_keccak_absorb_block_97(uu____0, ret);
+  }
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U;
+  libcrux_sha3_generic_keccak_KeccakState_55 *uu____2 = &s;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[4U];
+  memcpy(copy_of_data, data, (size_t)4U * sizeof(Eurydice_slice));
+  Eurydice_slice ret[4U];
+  libcrux_sha3_simd_avx2_slice_n_ef(
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
+  libcrux_sha3_generic_keccak_absorb_final_fb0(uu____2, ret);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = outlen / (size_t)136U;
+  size_t last = outlen - outlen % (size_t)136U;
+  if (blocks == (size_t)0U) {
+    libcrux_sha3_generic_keccak_squeeze_first_and_last_97(&s, out);
+  } else {
+    Eurydice_slice_uint8_t_4size_t__x2 uu____4 =
+        libcrux_sha3_simd_avx2_split_at_mut_n_ef(out, (size_t)136U);
+    Eurydice_slice o0[4U];
+    memcpy(o0, uu____4.fst, (size_t)4U * sizeof(Eurydice_slice));
+    Eurydice_slice o1[4U];
+    memcpy(o1, uu____4.snd, (size_t)4U * sizeof(Eurydice_slice));
+    libcrux_sha3_generic_keccak_squeeze_first_block_97(&s, o0);
+    core_ops_range_Range_08 iter =
+        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+            (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                               .end = blocks}),
+            core_ops_range_Range_08, core_ops_range_Range_08);
+    while (true) {
+      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+              &iter, size_t, Option_08)
+              .tag == None) {
+        break;
+      } else {
+        Eurydice_slice_uint8_t_4size_t__x2 uu____5 =
+            libcrux_sha3_simd_avx2_split_at_mut_n_ef(o1, (size_t)136U);
+        Eurydice_slice o[4U];
+        memcpy(o, uu____5.fst, (size_t)4U * sizeof(Eurydice_slice));
+        Eurydice_slice orest[4U];
+        memcpy(orest, uu____5.snd, (size_t)4U * sizeof(Eurydice_slice));
+        libcrux_sha3_generic_keccak_squeeze_next_block_97(&s, o);
+        memcpy(o1, orest, (size_t)4U * sizeof(Eurydice_slice));
+      }
+    }
+    if (last < outlen) {
+      libcrux_sha3_generic_keccak_squeeze_last_97(s, o1);
+    }
+  }
+}
+
+/**
+ Perform 4 SHAKE256 operations in parallel
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_shake256(
+    Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
+    Eurydice_slice input3, Eurydice_slice out0, Eurydice_slice out1,
+    Eurydice_slice out2, Eurydice_slice out3) {
+  Eurydice_slice buf0[4U] = {input0, input1, input2, input3};
+  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
+  libcrux_sha3_generic_keccak_keccak_fb(buf0, buf);
+}
+
+/**
+ Squeeze block
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
+    Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
+  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
+  libcrux_sha3_generic_keccak_squeeze_first_block_97(s, buf);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.store_block
+with const generics
+- RATE= 168
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_3a(
+    __m256i (*s)[5U], Eurydice_slice out[4U]) {
+  for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
+    size_t i0 = i;
+    __m256i v0l = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)32,
+        s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U],
+        s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)2U) % (size_t)5U],
+        __m256i);
+    __m256i v1h = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)32,
+        s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)1U) % (size_t)5U],
+        s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)3U) % (size_t)5U],
+        __m256i);
+    __m256i v2l = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)49,
+        s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U],
+        s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)2U) % (size_t)5U],
+        __m256i);
+    __m256i v3h = libcrux_intrinsics_avx2_mm256_permute2x128_si256(
+        (int32_t)49,
+        s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)1U) % (size_t)5U],
+        s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U]
+         [((size_t)4U * i0 + (size_t)3U) % (size_t)5U],
+        __m256i);
+    __m256i v0 = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v0l, v1h);
+    __m256i v1 = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v0l, v1h);
+    __m256i v2 = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v2l, v3h);
+    __m256i v3 = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v2l, v3h);
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_slice_subslice2(out[0U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t),
+        v0);
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_slice_subslice2(out[1U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t),
+        v1);
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_slice_subslice2(out[2U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t),
+        v2);
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_slice_subslice2(out[3U], (size_t)32U * i0,
+                                 (size_t)32U * (i0 + (size_t)1U), uint8_t),
+        v3);
+  }
+  size_t rem = (size_t)168U % (size_t)32U;
+  size_t start = (size_t)32U * ((size_t)168U / (size_t)32U);
+  uint8_t u8s[32U] = {0U};
+  size_t i0 = (size_t)4U * ((size_t)168U / (size_t)32U) / (size_t)5U;
+  size_t j0 = (size_t)4U * ((size_t)168U / (size_t)32U) % (size_t)5U;
+  libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+      Eurydice_array_to_slice((size_t)32U, u8s, uint8_t), s[i0][j0]);
+  Eurydice_slice uu____0 =
+      Eurydice_slice_subslice2(out[0U], start, start + (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____0,
+      Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____1 =
+      Eurydice_slice_subslice2(out[1U], start, start + (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____1,
+      Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____2 =
+      Eurydice_slice_subslice2(out[2U], start, start + (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____2,
+      Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t),
+      uint8_t);
+  Eurydice_slice uu____3 =
+      Eurydice_slice_subslice2(out[3U], start, start + (size_t)8U, uint8_t);
+  Eurydice_slice_copy(
+      uu____3,
+      Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t),
+      uint8_t);
+  if (rem == (size_t)16U) {
+    uint8_t u8s0[32U] = {0U};
+    size_t i =
+        ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) / (size_t)5U;
+    size_t j =
+        ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) % (size_t)5U;
+    libcrux_intrinsics_avx2_mm256_storeu_si256_u8(
+        Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t), s[i][j]);
+    Eurydice_slice uu____4 = Eurydice_slice_subslice2(
+        out[0U], start + (size_t)8U, start + (size_t)16U, uint8_t);
+    Eurydice_slice_copy(
+        uu____4,
+        Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t),
+        uint8_t);
+    Eurydice_slice uu____5 = Eurydice_slice_subslice2(
+        out[1U], start + (size_t)8U, start + (size_t)16U, uint8_t);
+    Eurydice_slice_copy(
+        uu____5,
+        Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t),
+        uint8_t);
+    Eurydice_slice uu____6 = Eurydice_slice_subslice2(
+        out[2U], start + (size_t)8U, start + (size_t)16U, uint8_t);
+    Eurydice_slice_copy(
+        uu____6,
+        Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t),
+        uint8_t);
+    Eurydice_slice uu____7 = Eurydice_slice_subslice2(
+        out[3U], start + (size_t)8U, start + (size_t)16U, uint8_t);
+    Eurydice_slice_copy(
+        uu____7,
+        Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t),
+        uint8_t);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
+usize> for core::core_arch::x86::__m256i)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.simd.avx2.store_block_ef
+with const generics
+- RATE= 168
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_ef_3a(
+    __m256i (*a)[5U], Eurydice_slice b[4U]) {
+  libcrux_sha3_simd_avx2_store_block_3a(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 168
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_970(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
+  libcrux_sha3_simd_avx2_store_block_ef_3a(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 168
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_a6(s);
+  libcrux_sha3_simd_avx2_store_block_ef_3a(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_five_blocks
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 168
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_five_blocks_97(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
+  Eurydice_slice_uint8_t_4size_t__x2 uu____0 =
+      libcrux_sha3_simd_avx2_split_at_mut_n_ef(out, (size_t)168U);
+  Eurydice_slice o0[4U];
+  memcpy(o0, uu____0.fst, (size_t)4U * sizeof(Eurydice_slice));
+  Eurydice_slice o10[4U];
+  memcpy(o10, uu____0.snd, (size_t)4U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_first_block_970(s, o0);
+  Eurydice_slice_uint8_t_4size_t__x2 uu____1 =
+      libcrux_sha3_simd_avx2_split_at_mut_n_ef(o10, (size_t)168U);
+  Eurydice_slice o1[4U];
+  memcpy(o1, uu____1.fst, (size_t)4U * sizeof(Eurydice_slice));
+  Eurydice_slice o20[4U];
+  memcpy(o20, uu____1.snd, (size_t)4U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o1);
+  Eurydice_slice_uint8_t_4size_t__x2 uu____2 =
+      libcrux_sha3_simd_avx2_split_at_mut_n_ef(o20, (size_t)168U);
+  Eurydice_slice o2[4U];
+  memcpy(o2, uu____2.fst, (size_t)4U * sizeof(Eurydice_slice));
+  Eurydice_slice o30[4U];
+  memcpy(o30, uu____2.snd, (size_t)4U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o2);
+  Eurydice_slice_uint8_t_4size_t__x2 uu____3 =
+      libcrux_sha3_simd_avx2_split_at_mut_n_ef(o30, (size_t)168U);
+  Eurydice_slice o3[4U];
+  memcpy(o3, uu____3.fst, (size_t)4U * sizeof(Eurydice_slice));
+  Eurydice_slice o4[4U];
+  memcpy(o4, uu____3.snd, (size_t)4U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o3);
+  libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o4);
+}
+
+/**
+ Squeeze five blocks
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
+    Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
+  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
+  libcrux_sha3_generic_keccak_squeeze_first_five_blocks_97(s, buf);
+}
+
+/**
+ Squeeze another block
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
+    Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
+  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
+  libcrux_sha3_generic_keccak_squeeze_next_block_970(s, buf);
+}
+
+/**
+ Squeeze next block
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
+    Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
+  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
+  libcrux_sha3_generic_keccak_squeeze_next_block_97(s, buf);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_three_blocks
+with types core_core_arch_x86___m256i
+with const generics
+- N= 4
+- RATE= 168
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
+  Eurydice_slice_uint8_t_4size_t__x2 uu____0 =
+      libcrux_sha3_simd_avx2_split_at_mut_n_ef(out, (size_t)168U);
+  Eurydice_slice o0[4U];
+  memcpy(o0, uu____0.fst, (size_t)4U * sizeof(Eurydice_slice));
+  Eurydice_slice o10[4U];
+  memcpy(o10, uu____0.snd, (size_t)4U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_first_block_970(s, o0);
+  Eurydice_slice_uint8_t_4size_t__x2 uu____1 =
+      libcrux_sha3_simd_avx2_split_at_mut_n_ef(o10, (size_t)168U);
+  Eurydice_slice o1[4U];
+  memcpy(o1, uu____1.fst, (size_t)4U * sizeof(Eurydice_slice));
+  Eurydice_slice o2[4U];
+  memcpy(o2, uu____1.snd, (size_t)4U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o1);
+  libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o2);
+}
+
+/**
+ Squeeze three blocks
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
+    Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
+  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
+  libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97(s, buf);
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __libcrux_sha3_avx2_H_DEFINED
+#endif
diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h
new file mode 100644
index 000000000..ebba16495
--- /dev/null
+++ b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h
@@ -0,0 +1,4931 @@
+/*
+ * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
+ *
+ * SPDX-License-Identifier: MIT or Apache-2.0
+ *
+ * This code was generated with the following revisions:
+ * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79
+ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5
+ * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968
+ * F*: b0961063393215ca65927f017720cb365a193833-dirty
+ * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3
+ */
+
+#ifndef __libcrux_sha3_portable_H
+#define __libcrux_sha3_portable_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include "eurydice_glue.h"
+#include "libcrux_core.h"
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_zero_5a(void) {
+  return 0ULL;
+}
+
+static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak__veor5q_u64(
+    uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e) {
+  uint64_t ab = a ^ b;
+  uint64_t cd = c ^ d;
+  uint64_t abcd = ab ^ cd;
+  return abcd ^ e;
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_xor5_5a(
+    uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e) {
+  return libcrux_sha3_portable_keccak__veor5q_u64(a, b, c, d, e);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 1
+- RIGHT= 63
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_76(uint64_t x) {
+  return x << (uint32_t)(int32_t)1 | x >> (uint32_t)(int32_t)63;
+}
+
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vrax1q_u64(uint64_t a, uint64_t b) {
+  uint64_t uu____0 = a;
+  return uu____0 ^ libcrux_sha3_portable_keccak_rotate_left_76(b);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vrax1q_u64(a, b);
+}
+
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vbcaxq_u64(uint64_t a, uint64_t b, uint64_t c) {
+  return a ^ (b & ~c);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_and_not_xor_5a(
+    uint64_t a, uint64_t b, uint64_t c) {
+  return libcrux_sha3_portable_keccak__vbcaxq_u64(a, b, c);
+}
+
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__veorq_n_u64(uint64_t a, uint64_t c) {
+  return a ^ c;
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_constant_5a(uint64_t a, uint64_t c) {
+  return libcrux_sha3_portable_keccak__veorq_n_u64(a, c);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_5a(uint64_t a, uint64_t b) {
+  return a ^ b;
+}
+
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_1(
+    Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) {
+  ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_n_5a(
+    Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_a[1U];
+  memcpy(copy_of_a, a, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice ret0[1U];
+  libcrux_sha3_portable_keccak_slice_1(copy_of_a, start, len, ret0);
+  memcpy(ret, ret0, (size_t)1U * sizeof(Eurydice_slice));
+}
+
+static KRML_MUSTINLINE Eurydice_slice_uint8_t_1size_t__x2
+libcrux_sha3_portable_keccak_split_at_mut_1(Eurydice_slice out[1U],
+                                            size_t mid) {
+  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut(
+      out[0U], mid, uint8_t, Eurydice_slice_uint8_t_x2);
+  Eurydice_slice out00 = uu____0.fst;
+  Eurydice_slice out01 = uu____0.snd;
+  Eurydice_slice_uint8_t_1size_t__x2 lit;
+  lit.fst[0U] = out00;
+  lit.snd[0U] = out01;
+  return lit;
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+static KRML_MUSTINLINE Eurydice_slice_uint8_t_1size_t__x2
+libcrux_sha3_portable_keccak_split_at_mut_n_5a(Eurydice_slice a[1U],
+                                               size_t mid) {
+  return libcrux_sha3_portable_keccak_split_at_mut_1(a, mid);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.KeccakState
+with types uint64_t
+with const generics
+- $1size_t
+*/
+typedef struct libcrux_sha3_generic_keccak_KeccakState_17_s {
+  uint64_t st[5U][5U];
+} libcrux_sha3_generic_keccak_KeccakState_17;
+
+typedef libcrux_sha3_generic_keccak_KeccakState_17
+    libcrux_sha3_portable_KeccakState;
+
+/**
+ Create a new Shake128 x4 state.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakState<T,
+N>[TraitClause@0, TraitClause@1]#1}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.new_89
+with types uint64_t
+with const generics
+- N= 1
+*/
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
+libcrux_sha3_generic_keccak_new_89_04(void) {
+  libcrux_sha3_generic_keccak_KeccakState_17 lit;
+  lit.st[0U][0U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[0U][1U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[0U][2U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[0U][3U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[0U][4U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[1U][0U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[1U][1U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[1U][2U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[1U][3U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[1U][4U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[2U][0U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[2U][1U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[2U][2U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[2U][3U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[2U][4U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[3U][0U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[3U][1U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[3U][2U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[3U][3U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[3U][4U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[4U][0U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[4U][1U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[4U][2U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[4U][3U] = libcrux_sha3_portable_keccak_zero_5a();
+  lit.st[4U][4U] = libcrux_sha3_portable_keccak_zero_5a();
+  return lit;
+}
+
+/**
+ Create a new SHAKE-128 state object.
+*/
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
+libcrux_sha3_portable_incremental_shake128_init(void) {
+  return libcrux_sha3_generic_keccak_new_89_04();
+}
+
+static const uint64_t libcrux_sha3_generic_keccak_ROUNDCONSTANTS[24U] = {
+    1ULL,
+    32898ULL,
+    9223372036854808714ULL,
+    9223372039002292224ULL,
+    32907ULL,
+    2147483649ULL,
+    9223372039002292353ULL,
+    9223372036854808585ULL,
+    138ULL,
+    136ULL,
+    2147516425ULL,
+    2147483658ULL,
+    2147516555ULL,
+    9223372036854775947ULL,
+    9223372036854808713ULL,
+    9223372036854808579ULL,
+    9223372036854808578ULL,
+    9223372036854775936ULL,
+    32778ULL,
+    9223372039002259466ULL,
+    9223372039002292353ULL,
+    9223372036854808704ULL,
+    2147483649ULL,
+    9223372039002292232ULL};
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block
+with const generics
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_3a(
+    uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) {
+    size_t i0 = i;
+    uint8_t uu____0[8U];
+    Result_15 dst;
+    Eurydice_slice_to_array2(
+        &dst,
+        Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
+                                 (size_t)8U * i0 + (size_t)8U, uint8_t),
+        Eurydice_slice, uint8_t[8U]);
+    unwrap_26_68(dst, uu____0);
+    size_t uu____1 = i0 / (size_t)5U;
+    size_t uu____2 = i0 % (size_t)5U;
+    s[uu____1][uu____2] =
+        s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
+with const generics
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_3a(
+    uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
+  libcrux_sha3_portable_keccak_load_block_3a(s, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
+with const generics
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_3a(
+    uint64_t (*a)[5U], uint8_t b[1U][200U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_b[1U][200U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_3a(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 36
+- RIGHT= 28
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_02(uint64_t x) {
+  return x << (uint32_t)(int32_t)36 | x >> (uint32_t)(int32_t)28;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 36
+- RIGHT= 28
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_02(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_02(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 36
+- RIGHT= 28
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_02(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_02(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 3
+- RIGHT= 61
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_ac(uint64_t x) {
+  return x << (uint32_t)(int32_t)3 | x >> (uint32_t)(int32_t)61;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 3
+- RIGHT= 61
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_ac(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_ac(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 3
+- RIGHT= 61
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_ac(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_ac(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 41
+- RIGHT= 23
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_020(uint64_t x) {
+  return x << (uint32_t)(int32_t)41 | x >> (uint32_t)(int32_t)23;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 41
+- RIGHT= 23
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_020(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_020(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 41
+- RIGHT= 23
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_020(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_020(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 18
+- RIGHT= 46
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_a9(uint64_t x) {
+  return x << (uint32_t)(int32_t)18 | x >> (uint32_t)(int32_t)46;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 18
+- RIGHT= 46
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_a9(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_a9(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 18
+- RIGHT= 46
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_a9(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_a9(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 1
+- RIGHT= 63
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_76(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_76(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 1
+- RIGHT= 63
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_76(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_76(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 44
+- RIGHT= 20
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_58(uint64_t x) {
+  return x << (uint32_t)(int32_t)44 | x >> (uint32_t)(int32_t)20;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 44
+- RIGHT= 20
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_58(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_58(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 44
+- RIGHT= 20
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_58(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_58(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 10
+- RIGHT= 54
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_e0(uint64_t x) {
+  return x << (uint32_t)(int32_t)10 | x >> (uint32_t)(int32_t)54;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 10
+- RIGHT= 54
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_e0(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_e0(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 10
+- RIGHT= 54
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_e0(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_e0(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 45
+- RIGHT= 19
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_63(uint64_t x) {
+  return x << (uint32_t)(int32_t)45 | x >> (uint32_t)(int32_t)19;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 45
+- RIGHT= 19
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_63(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_63(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 45
+- RIGHT= 19
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_63(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_63(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 2
+- RIGHT= 62
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_6a(uint64_t x) {
+  return x << (uint32_t)(int32_t)2 | x >> (uint32_t)(int32_t)62;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 2
+- RIGHT= 62
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_6a(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_6a(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 2
+- RIGHT= 62
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_6a(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_6a(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 62
+- RIGHT= 2
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_ab(uint64_t x) {
+  return x << (uint32_t)(int32_t)62 | x >> (uint32_t)(int32_t)2;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 62
+- RIGHT= 2
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_ab(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_ab(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 62
+- RIGHT= 2
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_ab(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_ab(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 6
+- RIGHT= 58
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_5b(uint64_t x) {
+  return x << (uint32_t)(int32_t)6 | x >> (uint32_t)(int32_t)58;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 6
+- RIGHT= 58
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_5b(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_5b(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 6
+- RIGHT= 58
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_5b(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_5b(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 43
+- RIGHT= 21
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_6f(uint64_t x) {
+  return x << (uint32_t)(int32_t)43 | x >> (uint32_t)(int32_t)21;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 43
+- RIGHT= 21
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_6f(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_6f(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 43
+- RIGHT= 21
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_6f(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_6f(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 15
+- RIGHT= 49
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_62(uint64_t x) {
+  return x << (uint32_t)(int32_t)15 | x >> (uint32_t)(int32_t)49;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 15
+- RIGHT= 49
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_62(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_62(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 15
+- RIGHT= 49
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_62(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_62(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 61
+- RIGHT= 3
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_23(uint64_t x) {
+  return x << (uint32_t)(int32_t)61 | x >> (uint32_t)(int32_t)3;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 61
+- RIGHT= 3
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_23(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_23(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 61
+- RIGHT= 3
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_23(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_23(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 28
+- RIGHT= 36
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_37(uint64_t x) {
+  return x << (uint32_t)(int32_t)28 | x >> (uint32_t)(int32_t)36;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 28
+- RIGHT= 36
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_37(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_37(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 28
+- RIGHT= 36
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_37(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_37(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 55
+- RIGHT= 9
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_bb(uint64_t x) {
+  return x << (uint32_t)(int32_t)55 | x >> (uint32_t)(int32_t)9;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 55
+- RIGHT= 9
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_bb(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_bb(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 55
+- RIGHT= 9
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_bb(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 25
+- RIGHT= 39
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_b9(uint64_t x) {
+  return x << (uint32_t)(int32_t)25 | x >> (uint32_t)(int32_t)39;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 25
+- RIGHT= 39
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_b9(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_b9(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 25
+- RIGHT= 39
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_b9(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_b9(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 21
+- RIGHT= 43
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_54(uint64_t x) {
+  return x << (uint32_t)(int32_t)21 | x >> (uint32_t)(int32_t)43;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 21
+- RIGHT= 43
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_54(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_54(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 21
+- RIGHT= 43
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_54(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_54(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 56
+- RIGHT= 8
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_4c(uint64_t x) {
+  return x << (uint32_t)(int32_t)56 | x >> (uint32_t)(int32_t)8;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 56
+- RIGHT= 8
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_4c(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_4c(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 56
+- RIGHT= 8
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_4c(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_4c(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 27
+- RIGHT= 37
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_ce(uint64_t x) {
+  return x << (uint32_t)(int32_t)27 | x >> (uint32_t)(int32_t)37;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 27
+- RIGHT= 37
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_ce(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_ce(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 27
+- RIGHT= 37
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_ce(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_ce(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 20
+- RIGHT= 44
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_77(uint64_t x) {
+  return x << (uint32_t)(int32_t)20 | x >> (uint32_t)(int32_t)44;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 20
+- RIGHT= 44
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_77(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_77(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 20
+- RIGHT= 44
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_77(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_77(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 39
+- RIGHT= 25
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_25(uint64_t x) {
+  return x << (uint32_t)(int32_t)39 | x >> (uint32_t)(int32_t)25;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 39
+- RIGHT= 25
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_25(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_25(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 39
+- RIGHT= 25
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_25(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_25(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 8
+- RIGHT= 56
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_af(uint64_t x) {
+  return x << (uint32_t)(int32_t)8 | x >> (uint32_t)(int32_t)56;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 8
+- RIGHT= 56
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_af(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_af(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 8
+- RIGHT= 56
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_af(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_af(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
+with const generics
+- LEFT= 14
+- RIGHT= 50
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_rotate_left_fd(uint64_t x) {
+  return x << (uint32_t)(int32_t)14 | x >> (uint32_t)(int32_t)50;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
+with const generics
+- LEFT= 14
+- RIGHT= 50
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak__vxarq_u64_fd(uint64_t a, uint64_t b) {
+  uint64_t ab = a ^ b;
+  return libcrux_sha3_portable_keccak_rotate_left_fd(ab);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
+with const generics
+- LEFT= 14
+- RIGHT= 50
+*/
+static KRML_MUSTINLINE uint64_t
+libcrux_sha3_portable_keccak_xor_and_rotate_5a_fd(uint64_t a, uint64_t b) {
+  return libcrux_sha3_portable_keccak__vxarq_u64_fd(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.theta_rho
+with types uint64_t
+with const generics
+- N= 1
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_theta_rho_04(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s) {
+  uint64_t c[5U] = {
+      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][0U], s->st[1U][0U],
+                                           s->st[2U][0U], s->st[3U][0U],
+                                           s->st[4U][0U]),
+      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][1U], s->st[1U][1U],
+                                           s->st[2U][1U], s->st[3U][1U],
+                                           s->st[4U][1U]),
+      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][2U], s->st[1U][2U],
+                                           s->st[2U][2U], s->st[3U][2U],
+                                           s->st[4U][2U]),
+      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][3U], s->st[1U][3U],
+                                           s->st[2U][3U], s->st[3U][3U],
+                                           s->st[4U][3U]),
+      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][4U], s->st[1U][4U],
+                                           s->st[2U][4U], s->st[3U][4U],
+                                           s->st[4U][4U])};
+  uint64_t uu____0 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
+      c[((size_t)0U + (size_t)4U) % (size_t)5U],
+      c[((size_t)0U + (size_t)1U) % (size_t)5U]);
+  uint64_t uu____1 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
+      c[((size_t)1U + (size_t)4U) % (size_t)5U],
+      c[((size_t)1U + (size_t)1U) % (size_t)5U]);
+  uint64_t uu____2 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
+      c[((size_t)2U + (size_t)4U) % (size_t)5U],
+      c[((size_t)2U + (size_t)1U) % (size_t)5U]);
+  uint64_t uu____3 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
+      c[((size_t)3U + (size_t)4U) % (size_t)5U],
+      c[((size_t)3U + (size_t)1U) % (size_t)5U]);
+  uint64_t t[5U] = {uu____0, uu____1, uu____2, uu____3,
+                    libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
+                        c[((size_t)4U + (size_t)4U) % (size_t)5U],
+                        c[((size_t)4U + (size_t)1U) % (size_t)5U])};
+  s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_5a(s->st[0U][0U], t[0U]);
+  s->st[1U][0U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_02(s->st[1U][0U], t[0U]);
+  s->st[2U][0U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_ac(s->st[2U][0U], t[0U]);
+  s->st[3U][0U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_020(s->st[3U][0U], t[0U]);
+  s->st[4U][0U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_a9(s->st[4U][0U], t[0U]);
+  s->st[0U][1U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_76(s->st[0U][1U], t[1U]);
+  s->st[1U][1U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_58(s->st[1U][1U], t[1U]);
+  s->st[2U][1U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_e0(s->st[2U][1U], t[1U]);
+  s->st[3U][1U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_63(s->st[3U][1U], t[1U]);
+  s->st[4U][1U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_6a(s->st[4U][1U], t[1U]);
+  s->st[0U][2U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_ab(s->st[0U][2U], t[2U]);
+  s->st[1U][2U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_5b(s->st[1U][2U], t[2U]);
+  s->st[2U][2U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_6f(s->st[2U][2U], t[2U]);
+  s->st[3U][2U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_62(s->st[3U][2U], t[2U]);
+  s->st[4U][2U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_23(s->st[4U][2U], t[2U]);
+  s->st[0U][3U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_37(s->st[0U][3U], t[3U]);
+  s->st[1U][3U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb(s->st[1U][3U], t[3U]);
+  s->st[2U][3U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_b9(s->st[2U][3U], t[3U]);
+  s->st[3U][3U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_54(s->st[3U][3U], t[3U]);
+  s->st[4U][3U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_4c(s->st[4U][3U], t[3U]);
+  s->st[0U][4U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_ce(s->st[0U][4U], t[4U]);
+  s->st[1U][4U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_77(s->st[1U][4U], t[4U]);
+  s->st[2U][4U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_25(s->st[2U][4U], t[4U]);
+  s->st[3U][4U] =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_af(s->st[3U][4U], t[4U]);
+  uint64_t uu____27 =
+      libcrux_sha3_portable_keccak_xor_and_rotate_5a_fd(s->st[4U][4U], t[4U]);
+  s->st[4U][4U] = uu____27;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.pi
+with types uint64_t
+with const generics
+- N= 1
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_pi_04(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s) {
+  uint64_t old[5U][5U];
+  memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U]));
+  s->st[0U][1U] = old[1U][1U];
+  s->st[0U][2U] = old[2U][2U];
+  s->st[0U][3U] = old[3U][3U];
+  s->st[0U][4U] = old[4U][4U];
+  s->st[1U][0U] = old[0U][3U];
+  s->st[1U][1U] = old[1U][4U];
+  s->st[1U][2U] = old[2U][0U];
+  s->st[1U][3U] = old[3U][1U];
+  s->st[1U][4U] = old[4U][2U];
+  s->st[2U][0U] = old[0U][1U];
+  s->st[2U][1U] = old[1U][2U];
+  s->st[2U][2U] = old[2U][3U];
+  s->st[2U][3U] = old[3U][4U];
+  s->st[2U][4U] = old[4U][0U];
+  s->st[3U][0U] = old[0U][4U];
+  s->st[3U][1U] = old[1U][0U];
+  s->st[3U][2U] = old[2U][1U];
+  s->st[3U][3U] = old[3U][2U];
+  s->st[3U][4U] = old[4U][3U];
+  s->st[4U][0U] = old[0U][2U];
+  s->st[4U][1U] = old[1U][3U];
+  s->st[4U][2U] = old[2U][4U];
+  s->st[4U][3U] = old[3U][0U];
+  s->st[4U][4U] = old[4U][1U];
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.chi
+with types uint64_t
+with const generics
+- N= 1
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_chi_04(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s) {
+  uint64_t old[5U][5U];
+  memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U]));
+  for (size_t i0 = (size_t)0U; i0 < (size_t)5U; i0++) {
+    size_t i1 = i0;
+    for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
+      size_t j = i;
+      s->st[i1][j] = libcrux_sha3_portable_keccak_and_not_xor_5a(
+          s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U],
+          old[i1][(j + (size_t)1U) % (size_t)5U]);
+    }
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.iota
+with types uint64_t
+with const generics
+- N= 1
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_iota_04(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, size_t i) {
+  s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_constant_5a(
+      s->st[0U][0U], libcrux_sha3_generic_keccak_ROUNDCONSTANTS[i]);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.keccakf1600
+with types uint64_t
+with const generics
+- N= 1
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccakf1600_04(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s) {
+  for (size_t i = (size_t)0U; i < (size_t)24U; i++) {
+    size_t i0 = i;
+    libcrux_sha3_generic_keccak_theta_rho_04(s);
+    libcrux_sha3_generic_keccak_pi_04(s);
+    libcrux_sha3_generic_keccak_chi_04(s);
+    libcrux_sha3_generic_keccak_iota_04(s, i0);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 168
+- DELIM= 31
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) {
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
+  uint8_t blocks[1U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    if (last_len > (size_t)0U) {
+      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
+    }
+    blocks[i0][last_len] = 31U;
+    size_t uu____1 = i0;
+    size_t uu____2 = (size_t)168U - (size_t)1U;
+    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
+  }
+  uint64_t(*uu____3)[5U] = s->st;
+  uint8_t uu____4[1U][200U];
+  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_5a_3a(uu____3, uu____4);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+ Absorb
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake128_absorb_final(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) {
+  Eurydice_slice buf[1U] = {data0};
+  libcrux_sha3_generic_keccak_absorb_final_9e(s, buf);
+}
+
+/**
+ Create a new SHAKE-256 state object.
+*/
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
+libcrux_sha3_portable_incremental_shake256_init(void) {
+  return libcrux_sha3_generic_keccak_new_89_04();
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5b(
+    uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) {
+    size_t i0 = i;
+    uint8_t uu____0[8U];
+    Result_15 dst;
+    Eurydice_slice_to_array2(
+        &dst,
+        Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
+                                 (size_t)8U * i0 + (size_t)8U, uint8_t),
+        Eurydice_slice, uint8_t[8U]);
+    unwrap_26_68(dst, uu____0);
+    size_t uu____1 = i0 / (size_t)5U;
+    size_t uu____2 = i0 % (size_t)5U;
+    s[uu____1][uu____2] =
+        s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5b(
+    uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
+  libcrux_sha3_portable_keccak_load_block_5b(s, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_5b(
+    uint64_t (*a)[5U], uint8_t b[1U][200U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_b[1U][200U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_5b(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 136
+- DELIM= 31
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e0(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) {
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
+  uint8_t blocks[1U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    if (last_len > (size_t)0U) {
+      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
+    }
+    blocks[i0][last_len] = 31U;
+    size_t uu____1 = i0;
+    size_t uu____2 = (size_t)136U - (size_t)1U;
+    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
+  }
+  uint64_t(*uu____3)[5U] = s->st;
+  uint8_t uu____4[1U][200U];
+  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_5a_5b(uu____3, uu____4);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+ Absorb some data for SHAKE-256 for the last time
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake256_absorb_final(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) {
+  Eurydice_slice buf[1U] = {data};
+  libcrux_sha3_generic_keccak_absorb_final_9e0(s, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
+with const generics
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_3a(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_b[1U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_3a(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c6(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) {
+  uint64_t(*uu____0)[5U] = s->st;
+  Eurydice_slice uu____1[1U];
+  memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_5a_3a(uu____0, uu____1);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block
+with const generics
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_3a(
+    uint64_t (*s)[5U], Eurydice_slice out[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
+with const generics
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_3a(
+    uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
+  uint8_t out[200U] = {0U};
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
+  libcrux_sha3_portable_keccak_store_block_3a(s, buf);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out[200U];
+  memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
+with const generics
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_3a(
+    uint64_t (*a)[5U], uint8_t ret[1U][200U]) {
+  libcrux_sha3_portable_keccak_store_block_full_3a(a, ret);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 168
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_and_last_c6(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_3a(s->st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
+with const generics
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_3a(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  libcrux_sha3_portable_keccak_store_block_3a(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c6(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c6(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+  libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c6(
+    libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(&s);
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_3a(s.st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.keccak
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 168
+- DELIM= 31
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_KeccakState_17 s =
+      libcrux_sha3_generic_keccak_new_89_04();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)168U; i++) {
+    size_t i0 = i;
+    libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s;
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[1U];
+    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice ret[1U];
+    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)168U,
+                                            (size_t)168U, ret);
+    libcrux_sha3_generic_keccak_absorb_block_c6(uu____0, ret);
+  }
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)168U;
+  libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice ret[1U];
+  libcrux_sha3_portable_keccak_slice_n_5a(
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
+  libcrux_sha3_generic_keccak_absorb_final_9e(uu____2, ret);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = outlen / (size_t)168U;
+  size_t last = outlen - outlen % (size_t)168U;
+  if (blocks == (size_t)0U) {
+    libcrux_sha3_generic_keccak_squeeze_first_and_last_c6(&s, out);
+  } else {
+    Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
+        libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U);
+    Eurydice_slice o0[1U];
+    memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice o1[1U];
+    memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
+    libcrux_sha3_generic_keccak_squeeze_first_block_c6(&s, o0);
+    core_ops_range_Range_08 iter =
+        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+            (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                               .end = blocks}),
+            core_ops_range_Range_08, core_ops_range_Range_08);
+    while (true) {
+      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+              &iter, size_t, Option_08)
+              .tag == None) {
+        break;
+      } else {
+        Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
+            libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)168U);
+        Eurydice_slice o[1U];
+        memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
+        Eurydice_slice orest[1U];
+        memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
+        libcrux_sha3_generic_keccak_squeeze_next_block_c6(&s, o);
+        memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
+      }
+    }
+    if (last < outlen) {
+      libcrux_sha3_generic_keccak_squeeze_last_c6(s, o1);
+    }
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable.keccakx1
+with const generics
+- RATE= 168
+- DELIM= 31
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_c6(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_keccak_9e(copy_of_data, out);
+}
+
+/**
+ A portable SHAKE128 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_shake128(
+    Eurydice_slice digest, Eurydice_slice data) {
+  Eurydice_slice buf0[1U] = {data};
+  Eurydice_slice buf[1U] = {digest};
+  libcrux_sha3_portable_keccakx1_c6(buf0, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_5b(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_b[1U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_5b(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c60(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) {
+  uint64_t(*uu____0)[5U] = s->st;
+  Eurydice_slice uu____1[1U];
+  memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_5a_5b(uu____0, uu____1);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5b(
+    uint64_t (*s)[5U], Eurydice_slice out[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5b(
+    uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
+  uint8_t out[200U] = {0U};
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
+  libcrux_sha3_portable_keccak_store_block_5b(s, buf);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out[200U];
+  memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_5b(
+    uint64_t (*a)[5U], uint8_t ret[1U][200U]) {
+  libcrux_sha3_portable_keccak_store_block_full_5b(a, ret);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 136
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_and_last_c60(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_5b(s->st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_5b(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  libcrux_sha3_portable_keccak_store_block_5b(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c60(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_portable_keccak_store_block_5a_5b(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c60(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+  libcrux_sha3_portable_keccak_store_block_5a_5b(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c60(
+    libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(&s);
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_5b(s.st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.keccak
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 136
+- DELIM= 31
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e0(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_KeccakState_17 s =
+      libcrux_sha3_generic_keccak_new_89_04();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) {
+    size_t i0 = i;
+    libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s;
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[1U];
+    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice ret[1U];
+    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U,
+                                            (size_t)136U, ret);
+    libcrux_sha3_generic_keccak_absorb_block_c60(uu____0, ret);
+  }
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U;
+  libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice ret[1U];
+  libcrux_sha3_portable_keccak_slice_n_5a(
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
+  libcrux_sha3_generic_keccak_absorb_final_9e0(uu____2, ret);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = outlen / (size_t)136U;
+  size_t last = outlen - outlen % (size_t)136U;
+  if (blocks == (size_t)0U) {
+    libcrux_sha3_generic_keccak_squeeze_first_and_last_c60(&s, out);
+  } else {
+    Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
+        libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)136U);
+    Eurydice_slice o0[1U];
+    memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice o1[1U];
+    memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
+    libcrux_sha3_generic_keccak_squeeze_first_block_c60(&s, o0);
+    core_ops_range_Range_08 iter =
+        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+            (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                               .end = blocks}),
+            core_ops_range_Range_08, core_ops_range_Range_08);
+    while (true) {
+      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+              &iter, size_t, Option_08)
+              .tag == None) {
+        break;
+      } else {
+        Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
+            libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)136U);
+        Eurydice_slice o[1U];
+        memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
+        Eurydice_slice orest[1U];
+        memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
+        libcrux_sha3_generic_keccak_squeeze_next_block_c60(&s, o);
+        memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
+      }
+    }
+    if (last < outlen) {
+      libcrux_sha3_generic_keccak_squeeze_last_c60(s, o1);
+    }
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable.keccakx1
+with const generics
+- RATE= 136
+- DELIM= 31
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_keccak_9e0(copy_of_data, out);
+}
+
+/**
+ A portable SHAKE256 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_shake256(
+    Eurydice_slice digest, Eurydice_slice data) {
+  Eurydice_slice buf0[1U] = {data};
+  Eurydice_slice buf[1U] = {digest};
+  libcrux_sha3_portable_keccakx1_ad(buf0, buf);
+}
+
+/**
+ Squeeze the first SHAKE-256 block
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
+  Eurydice_slice buf[1U] = {out};
+  libcrux_sha3_generic_keccak_squeeze_first_block_c60(s, buf);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_five_blocks
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 168
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U);
+  Eurydice_slice o0[1U];
+  memcpy(o0, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice o10[1U];
+  memcpy(o10, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_first_block_c6(s, o0);
+  Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(o10, (size_t)168U);
+  Eurydice_slice o1[1U];
+  memcpy(o1, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice o20[1U];
+  memcpy(o20, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o1);
+  Eurydice_slice_uint8_t_1size_t__x2 uu____2 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(o20, (size_t)168U);
+  Eurydice_slice o2[1U];
+  memcpy(o2, uu____2.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice o30[1U];
+  memcpy(o30, uu____2.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o2);
+  Eurydice_slice_uint8_t_1size_t__x2 uu____3 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(o30, (size_t)168U);
+  Eurydice_slice o3[1U];
+  memcpy(o3, uu____3.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice o4[1U];
+  memcpy(o4, uu____3.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o3);
+  libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o4);
+}
+
+/**
+ Squeeze five blocks
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
+  Eurydice_slice buf[1U] = {out0};
+  libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6(s, buf);
+}
+
+/**
+ Squeeze another block
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
+  Eurydice_slice buf[1U] = {out0};
+  libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, buf);
+}
+
+/**
+ Squeeze the next SHAKE-256 block
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
+  Eurydice_slice buf[1U] = {out};
+  libcrux_sha3_generic_keccak_squeeze_next_block_c60(s, buf);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState
+with types uint64_t
+with const generics
+- $1size_t
+- $136size_t
+*/
+typedef struct libcrux_sha3_generic_keccak_KeccakXofState_e2_s {
+  libcrux_sha3_generic_keccak_KeccakState_17 inner;
+  uint8_t buf[1U][136U];
+  size_t buf_len;
+  bool sponge;
+} libcrux_sha3_generic_keccak_KeccakXofState_e2;
+
+typedef libcrux_sha3_generic_keccak_KeccakXofState_e2
+    libcrux_sha3_portable_incremental_Shake256Xof;
+
+/**
+ Consume the internal buffer and the required amount of the input to pad to
+ `RATE`.
+
+ Returns the `consumed` bytes from `inputs` if there's enough buffered
+ content to consume, and `0` otherwise.
+ If `consumed > 0` is returned, `self.buf` contains a full block to be
+ loaded.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.fill_buffer_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 136
+*/
+static inline size_t libcrux_sha3_generic_keccak_fill_buffer_8b_c6(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self,
+    Eurydice_slice inputs[1U]) {
+  size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
+  size_t consumed = (size_t)0U;
+  if (self->buf_len > (size_t)0U) {
+    if (self->buf_len + input_len >= (size_t)136U) {
+      consumed = (size_t)136U - self->buf_len;
+      for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+        size_t i0 = i;
+        Eurydice_slice uu____0 = Eurydice_array_to_subslice_from(
+            (size_t)136U, self->buf[i0], self->buf_len, uint8_t, size_t);
+        Eurydice_slice_copy(
+            uu____0,
+            Eurydice_slice_subslice_to(inputs[i0], consumed, uint8_t, size_t),
+            uint8_t);
+      }
+      self->buf_len = self->buf_len + consumed;
+    }
+  }
+  return consumed;
+}
+
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_full_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 136
+*/
+static inline size_t libcrux_sha3_generic_keccak_absorb_full_8b_c6(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self,
+    Eurydice_slice inputs[1U]) {
+  libcrux_sha3_generic_keccak_KeccakXofState_e2 *uu____0 = self;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_inputs0[1U];
+  memcpy(copy_of_inputs0, inputs, (size_t)1U * sizeof(Eurydice_slice));
+  size_t input_consumed =
+      libcrux_sha3_generic_keccak_fill_buffer_8b_c6(uu____0, copy_of_inputs0);
+  if (input_consumed > (size_t)0U) {
+    Eurydice_slice borrowed[1U];
+    for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+      uint8_t buf[136U] = {0U};
+      borrowed[i] = core_array___Array_T__N__23__as_slice(
+          (size_t)136U, buf, uint8_t, Eurydice_slice);
+    }
+    for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+      size_t i0 = i;
+      borrowed[i0] =
+          Eurydice_array_to_slice((size_t)136U, self->buf[i0], uint8_t);
+    }
+    uint64_t(*uu____2)[5U] = self->inner.st;
+    Eurydice_slice uu____3[1U];
+    memcpy(uu____3, borrowed, (size_t)1U * sizeof(Eurydice_slice));
+    libcrux_sha3_portable_keccak_load_block_5a_5b(uu____2, uu____3);
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+    self->buf_len = (size_t)0U;
+  }
+  size_t input_to_consume =
+      Eurydice_slice_len(inputs[0U], uint8_t) - input_consumed;
+  size_t num_blocks = input_to_consume / (size_t)136U;
+  size_t remainder = input_to_consume % (size_t)136U;
+  for (size_t i = (size_t)0U; i < num_blocks; i++) {
+    size_t i0 = i;
+    uint64_t(*uu____4)[5U] = self->inner.st;
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_inputs[1U];
+    memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice ret[1U];
+    libcrux_sha3_portable_keccak_slice_n_5a(
+        copy_of_inputs, input_consumed + i0 * (size_t)136U, (size_t)136U, ret);
+    libcrux_sha3_portable_keccak_load_block_5a_5b(uu____4, ret);
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+  }
+  return remainder;
+}
+
+/**
+ Absorb
+
+ This function takes any number of bytes to absorb and buffers if it's not
+ enough. The function assumes that all input slices in `blocks` have the same
+ length.
+
+ Only a multiple of `RATE` blocks are absorbed.
+ For the remaining bytes [`absorb_final`] needs to be called.
+
+ This works best with relatively small `inputs`.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c6(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self,
+    Eurydice_slice inputs[1U]) {
+  libcrux_sha3_generic_keccak_KeccakXofState_e2 *uu____0 = self;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_inputs[1U];
+  memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
+  size_t input_remainder_len =
+      libcrux_sha3_generic_keccak_absorb_full_8b_c6(uu____0, copy_of_inputs);
+  if (input_remainder_len > (size_t)0U) {
+    size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
+    for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+      size_t i0 = i;
+      Eurydice_slice uu____2 = Eurydice_array_to_subslice2(
+          self->buf[i0], self->buf_len, self->buf_len + input_remainder_len,
+          uint8_t);
+      Eurydice_slice_copy(
+          uu____2,
+          Eurydice_slice_subslice_from(
+              inputs[i0], input_len - input_remainder_len, uint8_t, size_t),
+          uint8_t);
+    }
+    self->buf_len = self->buf_len + input_remainder_len;
+  }
+}
+
+/**
+ Shake256 absorb
+*/
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
+*/
+static inline void libcrux_sha3_portable_incremental_absorb_68(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) {
+  Eurydice_slice buf[1U] = {input};
+  libcrux_sha3_generic_keccak_absorb_8b_c6(self, buf);
+}
+
+/**
+ Absorb a final block.
+
+ The `inputs` block may be empty. Everything in the `inputs` block beyond
+ `RATE` bytes is ignored.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 136
+- DELIMITER= 31
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self,
+    Eurydice_slice inputs[1U]) {
+  libcrux_sha3_generic_keccak_KeccakXofState_e2 *uu____0 = self;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_inputs[1U];
+  memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
+  size_t input_remainder_len =
+      libcrux_sha3_generic_keccak_absorb_full_8b_c6(uu____0, copy_of_inputs);
+  size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
+  uint8_t blocks[1U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    if (self->buf_len > (size_t)0U) {
+      Eurydice_slice uu____2 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, self->buf_len, uint8_t);
+      Eurydice_slice_copy(uu____2,
+                          Eurydice_array_to_subslice2(self->buf[i0], (size_t)0U,
+                                                      self->buf_len, uint8_t),
+                          uint8_t);
+    }
+    if (input_remainder_len > (size_t)0U) {
+      Eurydice_slice uu____3 = Eurydice_array_to_subslice2(
+          blocks[i0], self->buf_len, self->buf_len + input_remainder_len,
+          uint8_t);
+      Eurydice_slice_copy(
+          uu____3,
+          Eurydice_slice_subslice_from(
+              inputs[i0], input_len - input_remainder_len, uint8_t, size_t),
+          uint8_t);
+    }
+    blocks[i0][self->buf_len + input_remainder_len] = 31U;
+    size_t uu____4 = i0;
+    size_t uu____5 = (size_t)136U - (size_t)1U;
+    blocks[uu____4][uu____5] = (uint32_t)blocks[uu____4][uu____5] | 128U;
+  }
+  uint64_t(*uu____6)[5U] = self->inner.st;
+  uint8_t uu____7[1U][200U];
+  memcpy(uu____7, blocks, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_5a_5b(uu____6, uu____7);
+  libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+}
+
+/**
+ Shake256 absorb final
+*/
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
+*/
+static inline void libcrux_sha3_portable_incremental_absorb_final_68(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) {
+  Eurydice_slice buf[1U] = {input};
+  libcrux_sha3_generic_keccak_absorb_final_8b_9e(self, buf);
+}
+
+/**
+ An all zero block
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.zero_block_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 136
+*/
+static inline void libcrux_sha3_generic_keccak_zero_block_8b_c6(
+    uint8_t ret[136U]) {
+  ret[0U] = 0U;
+  ret[1U] = 0U;
+  ret[2U] = 0U;
+  ret[3U] = 0U;
+  ret[4U] = 0U;
+  ret[5U] = 0U;
+  ret[6U] = 0U;
+  ret[7U] = 0U;
+  ret[8U] = 0U;
+  ret[9U] = 0U;
+  ret[10U] = 0U;
+  ret[11U] = 0U;
+  ret[12U] = 0U;
+  ret[13U] = 0U;
+  ret[14U] = 0U;
+  ret[15U] = 0U;
+  ret[16U] = 0U;
+  ret[17U] = 0U;
+  ret[18U] = 0U;
+  ret[19U] = 0U;
+  ret[20U] = 0U;
+  ret[21U] = 0U;
+  ret[22U] = 0U;
+  ret[23U] = 0U;
+  ret[24U] = 0U;
+  ret[25U] = 0U;
+  ret[26U] = 0U;
+  ret[27U] = 0U;
+  ret[28U] = 0U;
+  ret[29U] = 0U;
+  ret[30U] = 0U;
+  ret[31U] = 0U;
+  ret[32U] = 0U;
+  ret[33U] = 0U;
+  ret[34U] = 0U;
+  ret[35U] = 0U;
+  ret[36U] = 0U;
+  ret[37U] = 0U;
+  ret[38U] = 0U;
+  ret[39U] = 0U;
+  ret[40U] = 0U;
+  ret[41U] = 0U;
+  ret[42U] = 0U;
+  ret[43U] = 0U;
+  ret[44U] = 0U;
+  ret[45U] = 0U;
+  ret[46U] = 0U;
+  ret[47U] = 0U;
+  ret[48U] = 0U;
+  ret[49U] = 0U;
+  ret[50U] = 0U;
+  ret[51U] = 0U;
+  ret[52U] = 0U;
+  ret[53U] = 0U;
+  ret[54U] = 0U;
+  ret[55U] = 0U;
+  ret[56U] = 0U;
+  ret[57U] = 0U;
+  ret[58U] = 0U;
+  ret[59U] = 0U;
+  ret[60U] = 0U;
+  ret[61U] = 0U;
+  ret[62U] = 0U;
+  ret[63U] = 0U;
+  ret[64U] = 0U;
+  ret[65U] = 0U;
+  ret[66U] = 0U;
+  ret[67U] = 0U;
+  ret[68U] = 0U;
+  ret[69U] = 0U;
+  ret[70U] = 0U;
+  ret[71U] = 0U;
+  ret[72U] = 0U;
+  ret[73U] = 0U;
+  ret[74U] = 0U;
+  ret[75U] = 0U;
+  ret[76U] = 0U;
+  ret[77U] = 0U;
+  ret[78U] = 0U;
+  ret[79U] = 0U;
+  ret[80U] = 0U;
+  ret[81U] = 0U;
+  ret[82U] = 0U;
+  ret[83U] = 0U;
+  ret[84U] = 0U;
+  ret[85U] = 0U;
+  ret[86U] = 0U;
+  ret[87U] = 0U;
+  ret[88U] = 0U;
+  ret[89U] = 0U;
+  ret[90U] = 0U;
+  ret[91U] = 0U;
+  ret[92U] = 0U;
+  ret[93U] = 0U;
+  ret[94U] = 0U;
+  ret[95U] = 0U;
+  ret[96U] = 0U;
+  ret[97U] = 0U;
+  ret[98U] = 0U;
+  ret[99U] = 0U;
+  ret[100U] = 0U;
+  ret[101U] = 0U;
+  ret[102U] = 0U;
+  ret[103U] = 0U;
+  ret[104U] = 0U;
+  ret[105U] = 0U;
+  ret[106U] = 0U;
+  ret[107U] = 0U;
+  ret[108U] = 0U;
+  ret[109U] = 0U;
+  ret[110U] = 0U;
+  ret[111U] = 0U;
+  ret[112U] = 0U;
+  ret[113U] = 0U;
+  ret[114U] = 0U;
+  ret[115U] = 0U;
+  ret[116U] = 0U;
+  ret[117U] = 0U;
+  ret[118U] = 0U;
+  ret[119U] = 0U;
+  ret[120U] = 0U;
+  ret[121U] = 0U;
+  ret[122U] = 0U;
+  ret[123U] = 0U;
+  ret[124U] = 0U;
+  ret[125U] = 0U;
+  ret[126U] = 0U;
+  ret[127U] = 0U;
+  ret[128U] = 0U;
+  ret[129U] = 0U;
+  ret[130U] = 0U;
+  ret[131U] = 0U;
+  ret[132U] = 0U;
+  ret[133U] = 0U;
+  ret[134U] = 0U;
+  ret[135U] = 0U;
+}
+
+/**
+ Generate a new keccak xof state.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.new_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 136
+*/
+static inline libcrux_sha3_generic_keccak_KeccakXofState_e2
+libcrux_sha3_generic_keccak_new_8b_c6(void) {
+  libcrux_sha3_generic_keccak_KeccakXofState_e2 lit;
+  lit.inner = libcrux_sha3_generic_keccak_new_89_04();
+  uint8_t ret[136U];
+  libcrux_sha3_generic_keccak_zero_block_8b_c6(ret);
+  memcpy(lit.buf[0U], ret, (size_t)136U * sizeof(uint8_t));
+  lit.buf_len = (size_t)0U;
+  lit.sponge = false;
+  return lit;
+}
+
+/**
+ Shake256 new state
+*/
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
+*/
+static inline libcrux_sha3_generic_keccak_KeccakXofState_e2
+libcrux_sha3_portable_incremental_new_68(void) {
+  return libcrux_sha3_generic_keccak_new_8b_c6();
+}
+
+/**
+ `out` has the exact size we want here. It must be less than or equal to `RATE`.
+*/
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_5a
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b(
+    uint64_t (*state)[5U], Eurydice_slice out[1U]) {
+  size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U;
+  size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U;
+  for (size_t i = (size_t)0U; i < num_full_blocks; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
+  }
+  if (last_block_len != (size_t)0U) {
+    Eurydice_slice uu____1 = Eurydice_slice_subslice2(
+        out[0U], num_full_blocks * (size_t)8U,
+        num_full_blocks * (size_t)8U + last_block_len, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(
+        state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____1,
+        Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t),
+        uint8_t);
+  }
+}
+
+/**
+ Squeeze `N` x `LEN` bytes.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self,
+    Eurydice_slice out[1U]) {
+  if (self->sponge) {
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+  }
+  size_t out_len = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = out_len / (size_t)136U;
+  size_t last = out_len - out_len % (size_t)136U;
+  size_t mid;
+  if ((size_t)136U >= out_len) {
+    mid = out_len;
+  } else {
+    mid = (size_t)136U;
+  }
+  Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid);
+  Eurydice_slice out00[1U];
+  memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice out_rest[1U];
+  memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00);
+  core_ops_range_Range_08 iter =
+      core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+          (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                             .end = blocks}),
+          core_ops_range_Range_08, core_ops_range_Range_08);
+  while (true) {
+    if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+            &iter, size_t, Option_08)
+            .tag == None) {
+      break;
+    } else {
+      Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
+          libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest,
+                                                         (size_t)136U);
+      Eurydice_slice out0[1U];
+      memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
+      Eurydice_slice tmp[1U];
+      memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
+      libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+      libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0);
+      memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice));
+    }
+  }
+  if (last < out_len) {
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+    libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest);
+  }
+  self->sponge = true;
+}
+
+/**
+ Shake256 squeeze
+*/
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
+*/
+static inline void libcrux_sha3_portable_incremental_squeeze_68(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) {
+  Eurydice_slice buf[1U] = {out};
+  libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf);
+}
+
+#define libcrux_sha3_Sha224 0
+#define libcrux_sha3_Sha256 1
+#define libcrux_sha3_Sha384 2
+#define libcrux_sha3_Sha512 3
+
+typedef uint8_t libcrux_sha3_Algorithm;
+
+/**
+ Returns the output size of a digest.
+*/
+static inline size_t libcrux_sha3_digest_size(libcrux_sha3_Algorithm mode) {
+  size_t uu____0;
+  switch (mode) {
+    case libcrux_sha3_Sha224: {
+      uu____0 = (size_t)28U;
+      break;
+    }
+    case libcrux_sha3_Sha256: {
+      uu____0 = (size_t)32U;
+      break;
+    }
+    case libcrux_sha3_Sha384: {
+      uu____0 = (size_t)48U;
+      break;
+    }
+    case libcrux_sha3_Sha512: {
+      uu____0 = (size_t)64U;
+      break;
+    }
+    default: {
+      KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__,
+                        __LINE__);
+      KRML_HOST_EXIT(253U);
+    }
+  }
+  return uu____0;
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block
+with const generics
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_2c(
+    uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)144U / (size_t)8U; i++) {
+    size_t i0 = i;
+    uint8_t uu____0[8U];
+    Result_15 dst;
+    Eurydice_slice_to_array2(
+        &dst,
+        Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
+                                 (size_t)8U * i0 + (size_t)8U, uint8_t),
+        Eurydice_slice, uint8_t[8U]);
+    unwrap_26_68(dst, uu____0);
+    size_t uu____1 = i0 / (size_t)5U;
+    size_t uu____2 = i0 % (size_t)5U;
+    s[uu____1][uu____2] =
+        s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
+with const generics
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_2c(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_b[1U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_2c(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c61(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) {
+  uint64_t(*uu____0)[5U] = s->st;
+  Eurydice_slice uu____1[1U];
+  memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_5a_2c(uu____0, uu____1);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
+with const generics
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_2c(
+    uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
+  libcrux_sha3_portable_keccak_load_block_2c(s, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
+with const generics
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_2c(
+    uint64_t (*a)[5U], uint8_t b[1U][200U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_b[1U][200U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_2c(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 144
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e1(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) {
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
+  uint8_t blocks[1U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    if (last_len > (size_t)0U) {
+      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
+    }
+    blocks[i0][last_len] = 6U;
+    size_t uu____1 = i0;
+    size_t uu____2 = (size_t)144U - (size_t)1U;
+    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
+  }
+  uint64_t(*uu____3)[5U] = s->st;
+  uint8_t uu____4[1U][200U];
+  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_5a_2c(uu____3, uu____4);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block
+with const generics
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_2c(
+    uint64_t (*s)[5U], Eurydice_slice out[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)144U / (size_t)8U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
+with const generics
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_2c(
+    uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
+  uint8_t out[200U] = {0U};
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
+  libcrux_sha3_portable_keccak_store_block_2c(s, buf);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out[200U];
+  memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
+with const generics
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_2c(
+    uint64_t (*a)[5U], uint8_t ret[1U][200U]) {
+  libcrux_sha3_portable_keccak_store_block_full_2c(a, ret);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 144
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_and_last_c61(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_2c(s->st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
+with const generics
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_2c(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  libcrux_sha3_portable_keccak_store_block_2c(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c61(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_portable_keccak_store_block_5a_2c(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+  libcrux_sha3_portable_keccak_store_block_5a_2c(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 144
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c61(
+    libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(&s);
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_2c(s.st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.keccak
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 144
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e1(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_KeccakState_17 s =
+      libcrux_sha3_generic_keccak_new_89_04();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)144U; i++) {
+    size_t i0 = i;
+    libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s;
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[1U];
+    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice ret[1U];
+    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)144U,
+                                            (size_t)144U, ret);
+    libcrux_sha3_generic_keccak_absorb_block_c61(uu____0, ret);
+  }
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)144U;
+  libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice ret[1U];
+  libcrux_sha3_portable_keccak_slice_n_5a(
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
+  libcrux_sha3_generic_keccak_absorb_final_9e1(uu____2, ret);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = outlen / (size_t)144U;
+  size_t last = outlen - outlen % (size_t)144U;
+  if (blocks == (size_t)0U) {
+    libcrux_sha3_generic_keccak_squeeze_first_and_last_c61(&s, out);
+  } else {
+    Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
+        libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)144U);
+    Eurydice_slice o0[1U];
+    memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice o1[1U];
+    memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
+    libcrux_sha3_generic_keccak_squeeze_first_block_c61(&s, o0);
+    core_ops_range_Range_08 iter =
+        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+            (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                               .end = blocks}),
+            core_ops_range_Range_08, core_ops_range_Range_08);
+    while (true) {
+      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+              &iter, size_t, Option_08)
+              .tag == None) {
+        break;
+      } else {
+        Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
+            libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)144U);
+        Eurydice_slice o[1U];
+        memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
+        Eurydice_slice orest[1U];
+        memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
+        libcrux_sha3_generic_keccak_squeeze_next_block_c61(&s, o);
+        memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
+      }
+    }
+    if (last < outlen) {
+      libcrux_sha3_generic_keccak_squeeze_last_c61(s, o1);
+    }
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable.keccakx1
+with const generics
+- RATE= 144
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_1e(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_keccak_9e1(copy_of_data, out);
+}
+
+/**
+ A portable SHA3 224 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
+  Eurydice_slice buf0[1U] = {data};
+  Eurydice_slice buf[1U] = {digest};
+  libcrux_sha3_portable_keccakx1_1e(buf0, buf);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 136
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e2(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) {
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
+  uint8_t blocks[1U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    if (last_len > (size_t)0U) {
+      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
+    }
+    blocks[i0][last_len] = 6U;
+    size_t uu____1 = i0;
+    size_t uu____2 = (size_t)136U - (size_t)1U;
+    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
+  }
+  uint64_t(*uu____3)[5U] = s->st;
+  uint8_t uu____4[1U][200U];
+  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_5a_5b(uu____3, uu____4);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.keccak
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 136
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e2(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_KeccakState_17 s =
+      libcrux_sha3_generic_keccak_new_89_04();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) {
+    size_t i0 = i;
+    libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s;
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[1U];
+    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice ret[1U];
+    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U,
+                                            (size_t)136U, ret);
+    libcrux_sha3_generic_keccak_absorb_block_c60(uu____0, ret);
+  }
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U;
+  libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice ret[1U];
+  libcrux_sha3_portable_keccak_slice_n_5a(
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
+  libcrux_sha3_generic_keccak_absorb_final_9e2(uu____2, ret);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = outlen / (size_t)136U;
+  size_t last = outlen - outlen % (size_t)136U;
+  if (blocks == (size_t)0U) {
+    libcrux_sha3_generic_keccak_squeeze_first_and_last_c60(&s, out);
+  } else {
+    Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
+        libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)136U);
+    Eurydice_slice o0[1U];
+    memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice o1[1U];
+    memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
+    libcrux_sha3_generic_keccak_squeeze_first_block_c60(&s, o0);
+    core_ops_range_Range_08 iter =
+        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+            (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                               .end = blocks}),
+            core_ops_range_Range_08, core_ops_range_Range_08);
+    while (true) {
+      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+              &iter, size_t, Option_08)
+              .tag == None) {
+        break;
+      } else {
+        Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
+            libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)136U);
+        Eurydice_slice o[1U];
+        memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
+        Eurydice_slice orest[1U];
+        memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
+        libcrux_sha3_generic_keccak_squeeze_next_block_c60(&s, o);
+        memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
+      }
+    }
+    if (last < outlen) {
+      libcrux_sha3_generic_keccak_squeeze_last_c60(s, o1);
+    }
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable.keccakx1
+with const generics
+- RATE= 136
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad0(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_keccak_9e2(copy_of_data, out);
+}
+
+/**
+ A portable SHA3 256 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
+  Eurydice_slice buf0[1U] = {data};
+  Eurydice_slice buf[1U] = {digest};
+  libcrux_sha3_portable_keccakx1_ad0(buf0, buf);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block
+with const generics
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_7a(
+    uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)104U / (size_t)8U; i++) {
+    size_t i0 = i;
+    uint8_t uu____0[8U];
+    Result_15 dst;
+    Eurydice_slice_to_array2(
+        &dst,
+        Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
+                                 (size_t)8U * i0 + (size_t)8U, uint8_t),
+        Eurydice_slice, uint8_t[8U]);
+    unwrap_26_68(dst, uu____0);
+    size_t uu____1 = i0 / (size_t)5U;
+    size_t uu____2 = i0 % (size_t)5U;
+    s[uu____1][uu____2] =
+        s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
+with const generics
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_7a(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_b[1U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_7a(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c62(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) {
+  uint64_t(*uu____0)[5U] = s->st;
+  Eurydice_slice uu____1[1U];
+  memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_5a_7a(uu____0, uu____1);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
+with const generics
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a(
+    uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
+  libcrux_sha3_portable_keccak_load_block_7a(s, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
+with const generics
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_7a(
+    uint64_t (*a)[5U], uint8_t b[1U][200U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_b[1U][200U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_7a(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 104
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e3(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) {
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
+  uint8_t blocks[1U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    if (last_len > (size_t)0U) {
+      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
+    }
+    blocks[i0][last_len] = 6U;
+    size_t uu____1 = i0;
+    size_t uu____2 = (size_t)104U - (size_t)1U;
+    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
+  }
+  uint64_t(*uu____3)[5U] = s->st;
+  uint8_t uu____4[1U][200U];
+  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_5a_7a(uu____3, uu____4);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block
+with const generics
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_7a(
+    uint64_t (*s)[5U], Eurydice_slice out[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)104U / (size_t)8U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
+with const generics
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_7a(
+    uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
+  uint8_t out[200U] = {0U};
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
+  libcrux_sha3_portable_keccak_store_block_7a(s, buf);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out[200U];
+  memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
+with const generics
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_7a(
+    uint64_t (*a)[5U], uint8_t ret[1U][200U]) {
+  libcrux_sha3_portable_keccak_store_block_full_7a(a, ret);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 104
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_and_last_c62(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_7a(s->st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
+with const generics
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_7a(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  libcrux_sha3_portable_keccak_store_block_7a(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c62(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_portable_keccak_store_block_5a_7a(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c62(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+  libcrux_sha3_portable_keccak_store_block_5a_7a(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 104
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c62(
+    libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(&s);
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_7a(s.st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.keccak
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 104
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e3(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_KeccakState_17 s =
+      libcrux_sha3_generic_keccak_new_89_04();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)104U; i++) {
+    size_t i0 = i;
+    libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s;
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[1U];
+    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice ret[1U];
+    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)104U,
+                                            (size_t)104U, ret);
+    libcrux_sha3_generic_keccak_absorb_block_c62(uu____0, ret);
+  }
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)104U;
+  libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice ret[1U];
+  libcrux_sha3_portable_keccak_slice_n_5a(
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
+  libcrux_sha3_generic_keccak_absorb_final_9e3(uu____2, ret);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = outlen / (size_t)104U;
+  size_t last = outlen - outlen % (size_t)104U;
+  if (blocks == (size_t)0U) {
+    libcrux_sha3_generic_keccak_squeeze_first_and_last_c62(&s, out);
+  } else {
+    Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
+        libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)104U);
+    Eurydice_slice o0[1U];
+    memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice o1[1U];
+    memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
+    libcrux_sha3_generic_keccak_squeeze_first_block_c62(&s, o0);
+    core_ops_range_Range_08 iter =
+        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+            (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                               .end = blocks}),
+            core_ops_range_Range_08, core_ops_range_Range_08);
+    while (true) {
+      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+              &iter, size_t, Option_08)
+              .tag == None) {
+        break;
+      } else {
+        Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
+            libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)104U);
+        Eurydice_slice o[1U];
+        memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
+        Eurydice_slice orest[1U];
+        memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
+        libcrux_sha3_generic_keccak_squeeze_next_block_c62(&s, o);
+        memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
+      }
+    }
+    if (last < outlen) {
+      libcrux_sha3_generic_keccak_squeeze_last_c62(s, o1);
+    }
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable.keccakx1
+with const generics
+- RATE= 104
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_7c(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_keccak_9e3(copy_of_data, out);
+}
+
+/**
+ A portable SHA3 384 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
+  Eurydice_slice buf0[1U] = {data};
+  Eurydice_slice buf[1U] = {digest};
+  libcrux_sha3_portable_keccakx1_7c(buf0, buf);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block
+with const generics
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_f8(
+    uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) {
+    size_t i0 = i;
+    uint8_t uu____0[8U];
+    Result_15 dst;
+    Eurydice_slice_to_array2(
+        &dst,
+        Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
+                                 (size_t)8U * i0 + (size_t)8U, uint8_t),
+        Eurydice_slice, uint8_t[8U]);
+    unwrap_26_68(dst, uu____0);
+    size_t uu____1 = i0 / (size_t)5U;
+    size_t uu____2 = i0 % (size_t)5U;
+    s[uu____1][uu____2] =
+        s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
+with const generics
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_f8(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_b[1U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_f8(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c63(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) {
+  uint64_t(*uu____0)[5U] = s->st;
+  Eurydice_slice uu____1[1U];
+  memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_5a_f8(uu____0, uu____1);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
+with const generics
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_f8(
+    uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
+  libcrux_sha3_portable_keccak_load_block_f8(s, buf);
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
+with const generics
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_f8(
+    uint64_t (*a)[5U], uint8_t b[1U][200U]) {
+  uint64_t(*uu____0)[5U] = a;
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_b[1U][200U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_f8(uu____0, copy_of_b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 72
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e4(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) {
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
+  uint8_t blocks[1U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    if (last_len > (size_t)0U) {
+      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
+    }
+    blocks[i0][last_len] = 6U;
+    size_t uu____1 = i0;
+    size_t uu____2 = (size_t)72U - (size_t)1U;
+    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
+  }
+  uint64_t(*uu____3)[5U] = s->st;
+  uint8_t uu____4[1U][200U];
+  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_5a_f8(uu____3, uu____4);
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block
+with const generics
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_f8(
+    uint64_t (*s)[5U], Eurydice_slice out[1U]) {
+  for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
+with const generics
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_f8(
+    uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
+  uint8_t out[200U] = {0U};
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
+  libcrux_sha3_portable_keccak_store_block_f8(s, buf);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out[200U];
+  memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
+with const generics
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_f8(
+    uint64_t (*a)[5U], uint8_t ret[1U][200U]) {
+  libcrux_sha3_portable_keccak_store_block_full_f8(a, ret);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 72
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_and_last_c63(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_f8(s->st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
+with const generics
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_f8(
+    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
+  libcrux_sha3_portable_keccak_store_block_f8(a, b);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c63(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_portable_keccak_store_block_5a_f8(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c63(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
+  libcrux_sha3_portable_keccak_store_block_5a_f8(s->st, out);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 72
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c63(
+    libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(&s);
+  uint8_t b[1U][200U];
+  libcrux_sha3_portable_keccak_store_block_full_5a_f8(s.st, b);
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = out[i0];
+    uint8_t *uu____1 = b[i0];
+    core_ops_range_Range_08 lit;
+    lit.start = (size_t)0U;
+    lit.end = Eurydice_slice_len(out[i0], uint8_t);
+    Eurydice_slice_copy(
+        uu____0,
+        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
+                                   core_ops_range_Range_08),
+        uint8_t);
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.keccak
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 72
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e4(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_KeccakState_17 s =
+      libcrux_sha3_generic_keccak_new_89_04();
+  for (size_t i = (size_t)0U;
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)72U; i++) {
+    size_t i0 = i;
+    libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s;
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[1U];
+    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice ret[1U];
+    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)72U,
+                                            (size_t)72U, ret);
+    libcrux_sha3_generic_keccak_absorb_block_c63(uu____0, ret);
+  }
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)72U;
+  libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice ret[1U];
+  libcrux_sha3_portable_keccak_slice_n_5a(
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
+  libcrux_sha3_generic_keccak_absorb_final_9e4(uu____2, ret);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = outlen / (size_t)72U;
+  size_t last = outlen - outlen % (size_t)72U;
+  if (blocks == (size_t)0U) {
+    libcrux_sha3_generic_keccak_squeeze_first_and_last_c63(&s, out);
+  } else {
+    Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
+        libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)72U);
+    Eurydice_slice o0[1U];
+    memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice o1[1U];
+    memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
+    libcrux_sha3_generic_keccak_squeeze_first_block_c63(&s, o0);
+    core_ops_range_Range_08 iter =
+        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+            (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                               .end = blocks}),
+            core_ops_range_Range_08, core_ops_range_Range_08);
+    while (true) {
+      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+              &iter, size_t, Option_08)
+              .tag == None) {
+        break;
+      } else {
+        Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
+            libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)72U);
+        Eurydice_slice o[1U];
+        memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
+        Eurydice_slice orest[1U];
+        memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
+        libcrux_sha3_generic_keccak_squeeze_next_block_c63(&s, o);
+        memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
+      }
+    }
+    if (last < outlen) {
+      libcrux_sha3_generic_keccak_squeeze_last_c63(s, o1);
+    }
+  }
+}
+
+/**
+A monomorphic instance of libcrux_sha3.portable.keccakx1
+with const generics
+- RATE= 72
+- DELIM= 6
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_96(
+    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_keccak_9e4(copy_of_data, out);
+}
+
+/**
+ A portable SHA3 512 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
+  Eurydice_slice buf0[1U] = {data};
+  Eurydice_slice buf[1U] = {digest};
+  libcrux_sha3_portable_keccakx1_96(buf0, buf);
+}
+
+/**
+ SHA3 224
+
+ Preconditions:
+ - `digest.len() == 28`
+*/
+static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
+  libcrux_sha3_portable_sha224(digest, payload);
+}
+
+/**
+ SHA3 224
+*/
+static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data,
+                                                uint8_t ret[28U]) {
+  uint8_t out[28U] = {0U};
+  libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t),
+                          data);
+  memcpy(ret, out, (size_t)28U * sizeof(uint8_t));
+}
+
+/**
+ SHA3 256
+*/
+static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
+  libcrux_sha3_portable_sha256(digest, payload);
+}
+
+/**
+ SHA3 256
+*/
+static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data,
+                                                uint8_t ret[32U]) {
+  uint8_t out[32U] = {0U};
+  libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
+                          data);
+  memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
+}
+
+/**
+ SHA3 384
+*/
+static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
+  libcrux_sha3_portable_sha384(digest, payload);
+}
+
+/**
+ SHA3 384
+*/
+static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data,
+                                                uint8_t ret[48U]) {
+  uint8_t out[48U] = {0U};
+  libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t),
+                          data);
+  memcpy(ret, out, (size_t)48U * sizeof(uint8_t));
+}
+
+/**
+ SHA3 512
+*/
+static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
+  libcrux_sha3_portable_sha512(digest, payload);
+}
+
+/**
+ SHA3 512
+*/
+static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data,
+                                                uint8_t ret[64U]) {
+  uint8_t out[64U] = {0U};
+  libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t),
+                          data);
+  memcpy(ret, out, (size_t)64U * sizeof(uint8_t));
+}
+
+/**
+ SHAKE 128
+
+ Writes `out.len()` bytes.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out,
+                                                      Eurydice_slice data) {
+  libcrux_sha3_portable_shake128(out, data);
+}
+
+/**
+ SHAKE 256
+
+ Writes `out.len()` bytes.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out,
+                                                      Eurydice_slice data) {
+  libcrux_sha3_portable_shake256(out, data);
+}
+
+static const size_t libcrux_sha3_generic_keccak__PI[24U] = {
+    (size_t)6U, (size_t)12U, (size_t)18U, (size_t)24U, (size_t)3U,
+    (size_t)9U, (size_t)10U, (size_t)16U, (size_t)22U, (size_t)1U,
+    (size_t)7U, (size_t)13U, (size_t)19U, (size_t)20U, (size_t)4U,
+    (size_t)5U, (size_t)11U, (size_t)17U, (size_t)23U, (size_t)2U,
+    (size_t)8U, (size_t)14U, (size_t)15U, (size_t)21U};
+
+static const size_t libcrux_sha3_generic_keccak__ROTC[24U] = {
+    (size_t)1U,  (size_t)62U, (size_t)28U, (size_t)27U, (size_t)36U,
+    (size_t)44U, (size_t)6U,  (size_t)55U, (size_t)20U, (size_t)3U,
+    (size_t)10U, (size_t)43U, (size_t)25U, (size_t)39U, (size_t)41U,
+    (size_t)45U, (size_t)15U, (size_t)21U, (size_t)8U,  (size_t)18U,
+    (size_t)2U,  (size_t)61U, (size_t)56U, (size_t)14U};
+
+/**
+ A portable SHA3 224 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
+                                                     Eurydice_slice data) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ A portable SHA3 256 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest,
+                                                     Eurydice_slice data) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ A portable SHA3 384 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
+                                                     Eurydice_slice data) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ A portable SHA3 512 implementation.
+*/
+static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest,
+                                                     Eurydice_slice data) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ Run SHAKE256 on both inputs in parallel.
+
+ Writes the two results into `out0` and `out1`
+*/
+static KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
+                                                          Eurydice_slice input1,
+                                                          Eurydice_slice out0,
+                                                          Eurydice_slice out1) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s {
+  libcrux_sha3_generic_keccak_KeccakState_17 state[2U];
+} libcrux_sha3_neon_x2_incremental_KeccakState;
+
+/**
+ Initialise the `KeccakState2`.
+*/
+static KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState
+libcrux_sha3_neon_x2_incremental_init(void) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
+    libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
+    Eurydice_slice data1) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ Squeeze 2 times the first three blocks in parallel in the
+ [`KeccakState`] and return the output in `out0` and `out1`.
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
+    libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
+    Eurydice_slice out1) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ Squeeze 2 times the next block in parallel in the
+ [`KeccakState`] and return the output in `out0` and `out1`.
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
+    libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
+    Eurydice_slice out1) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ Squeeze five blocks
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
+    libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
+    Eurydice_slice out1) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`.
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
+    libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
+    Eurydice_slice data1) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ Squeeze block
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
+    libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
+    Eurydice_slice out1) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+ Squeeze next block
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
+    libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
+    Eurydice_slice out1) {
+  KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                    "panic!");
+  KRML_HOST_EXIT(255U);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_three_blocks
+with types uint64_t
+with const generics
+- N= 1
+- RATE= 168
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U);
+  Eurydice_slice o0[1U];
+  memcpy(o0, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice o10[1U];
+  memcpy(o10, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_first_block_c6(s, o0);
+  Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(o10, (size_t)168U);
+  Eurydice_slice o1[1U];
+  memcpy(o1, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice o2[1U];
+  memcpy(o2, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o1);
+  libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o2);
+}
+
+/**
+ Squeeze three blocks
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
+  Eurydice_slice buf[1U] = {out0};
+  libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(s, buf);
+}
+
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState
+with types uint64_t
+with const generics
+- $1size_t
+- $168size_t
+*/
+typedef struct libcrux_sha3_generic_keccak_KeccakXofState_97_s {
+  libcrux_sha3_generic_keccak_KeccakState_17 inner;
+  uint8_t buf[1U][168U];
+  size_t buf_len;
+  bool sponge;
+} libcrux_sha3_generic_keccak_KeccakXofState_97;
+
+typedef libcrux_sha3_generic_keccak_KeccakXofState_97
+    libcrux_sha3_portable_incremental_Shake128Xof;
+
+/**
+ Consume the internal buffer and the required amount of the input to pad to
+ `RATE`.
+
+ Returns the `consumed` bytes from `inputs` if there's enough buffered
+ content to consume, and `0` otherwise.
+ If `consumed > 0` is returned, `self.buf` contains a full block to be
+ loaded.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.fill_buffer_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 168
+*/
+static inline size_t libcrux_sha3_generic_keccak_fill_buffer_8b_c60(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self,
+    Eurydice_slice inputs[1U]) {
+  size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
+  size_t consumed = (size_t)0U;
+  if (self->buf_len > (size_t)0U) {
+    if (self->buf_len + input_len >= (size_t)168U) {
+      consumed = (size_t)168U - self->buf_len;
+      for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+        size_t i0 = i;
+        Eurydice_slice uu____0 = Eurydice_array_to_subslice_from(
+            (size_t)168U, self->buf[i0], self->buf_len, uint8_t, size_t);
+        Eurydice_slice_copy(
+            uu____0,
+            Eurydice_slice_subslice_to(inputs[i0], consumed, uint8_t, size_t),
+            uint8_t);
+      }
+      self->buf_len = self->buf_len + consumed;
+    }
+  }
+  return consumed;
+}
+
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_full_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 168
+*/
+static inline size_t libcrux_sha3_generic_keccak_absorb_full_8b_c60(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self,
+    Eurydice_slice inputs[1U]) {
+  libcrux_sha3_generic_keccak_KeccakXofState_97 *uu____0 = self;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_inputs0[1U];
+  memcpy(copy_of_inputs0, inputs, (size_t)1U * sizeof(Eurydice_slice));
+  size_t input_consumed =
+      libcrux_sha3_generic_keccak_fill_buffer_8b_c60(uu____0, copy_of_inputs0);
+  if (input_consumed > (size_t)0U) {
+    Eurydice_slice borrowed[1U];
+    for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+      uint8_t buf[168U] = {0U};
+      borrowed[i] = core_array___Array_T__N__23__as_slice(
+          (size_t)168U, buf, uint8_t, Eurydice_slice);
+    }
+    for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+      size_t i0 = i;
+      borrowed[i0] =
+          Eurydice_array_to_slice((size_t)168U, self->buf[i0], uint8_t);
+    }
+    uint64_t(*uu____2)[5U] = self->inner.st;
+    Eurydice_slice uu____3[1U];
+    memcpy(uu____3, borrowed, (size_t)1U * sizeof(Eurydice_slice));
+    libcrux_sha3_portable_keccak_load_block_5a_3a(uu____2, uu____3);
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+    self->buf_len = (size_t)0U;
+  }
+  size_t input_to_consume =
+      Eurydice_slice_len(inputs[0U], uint8_t) - input_consumed;
+  size_t num_blocks = input_to_consume / (size_t)168U;
+  size_t remainder = input_to_consume % (size_t)168U;
+  for (size_t i = (size_t)0U; i < num_blocks; i++) {
+    size_t i0 = i;
+    uint64_t(*uu____4)[5U] = self->inner.st;
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_inputs[1U];
+    memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
+    Eurydice_slice ret[1U];
+    libcrux_sha3_portable_keccak_slice_n_5a(
+        copy_of_inputs, input_consumed + i0 * (size_t)168U, (size_t)168U, ret);
+    libcrux_sha3_portable_keccak_load_block_5a_3a(uu____4, ret);
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+  }
+  return remainder;
+}
+
+/**
+ Absorb
+
+ This function takes any number of bytes to absorb and buffers if it's not
+ enough. The function assumes that all input slices in `blocks` have the same
+ length.
+
+ Only a multiple of `RATE` blocks are absorbed.
+ For the remaining bytes [`absorb_final`] needs to be called.
+
+ This works best with relatively small `inputs`.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c60(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self,
+    Eurydice_slice inputs[1U]) {
+  libcrux_sha3_generic_keccak_KeccakXofState_97 *uu____0 = self;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_inputs[1U];
+  memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
+  size_t input_remainder_len =
+      libcrux_sha3_generic_keccak_absorb_full_8b_c60(uu____0, copy_of_inputs);
+  if (input_remainder_len > (size_t)0U) {
+    size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
+    for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+      size_t i0 = i;
+      Eurydice_slice uu____2 = Eurydice_array_to_subslice2(
+          self->buf[i0], self->buf_len, self->buf_len + input_remainder_len,
+          uint8_t);
+      Eurydice_slice_copy(
+          uu____2,
+          Eurydice_slice_subslice_from(
+              inputs[i0], input_len - input_remainder_len, uint8_t, size_t),
+          uint8_t);
+    }
+    self->buf_len = self->buf_len + input_remainder_len;
+  }
+}
+
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
+*/
+static inline void libcrux_sha3_portable_incremental_absorb_2f(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) {
+  Eurydice_slice buf[1U] = {input};
+  libcrux_sha3_generic_keccak_absorb_8b_c60(self, buf);
+}
+
+/**
+ Absorb a final block.
+
+ The `inputs` block may be empty. Everything in the `inputs` block beyond
+ `RATE` bytes is ignored.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 168
+- DELIMITER= 31
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e0(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self,
+    Eurydice_slice inputs[1U]) {
+  libcrux_sha3_generic_keccak_KeccakXofState_97 *uu____0 = self;
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_inputs[1U];
+  memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
+  size_t input_remainder_len =
+      libcrux_sha3_generic_keccak_absorb_full_8b_c60(uu____0, copy_of_inputs);
+  size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
+  uint8_t blocks[1U][200U] = {{0U}};
+  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
+    size_t i0 = i;
+    if (self->buf_len > (size_t)0U) {
+      Eurydice_slice uu____2 = Eurydice_array_to_subslice2(
+          blocks[i0], (size_t)0U, self->buf_len, uint8_t);
+      Eurydice_slice_copy(uu____2,
+                          Eurydice_array_to_subslice2(self->buf[i0], (size_t)0U,
+                                                      self->buf_len, uint8_t),
+                          uint8_t);
+    }
+    if (input_remainder_len > (size_t)0U) {
+      Eurydice_slice uu____3 = Eurydice_array_to_subslice2(
+          blocks[i0], self->buf_len, self->buf_len + input_remainder_len,
+          uint8_t);
+      Eurydice_slice_copy(
+          uu____3,
+          Eurydice_slice_subslice_from(
+              inputs[i0], input_len - input_remainder_len, uint8_t, size_t),
+          uint8_t);
+    }
+    blocks[i0][self->buf_len + input_remainder_len] = 31U;
+    size_t uu____4 = i0;
+    size_t uu____5 = (size_t)168U - (size_t)1U;
+    blocks[uu____4][uu____5] = (uint32_t)blocks[uu____4][uu____5] | 128U;
+  }
+  uint64_t(*uu____6)[5U] = self->inner.st;
+  uint8_t uu____7[1U][200U];
+  memcpy(uu____7, blocks, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_5a_3a(uu____6, uu____7);
+  libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+}
+
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
+*/
+static inline void libcrux_sha3_portable_incremental_absorb_final_2f(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) {
+  Eurydice_slice buf[1U] = {input};
+  libcrux_sha3_generic_keccak_absorb_final_8b_9e0(self, buf);
+}
+
+/**
+ An all zero block
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.zero_block_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 168
+*/
+static inline void libcrux_sha3_generic_keccak_zero_block_8b_c60(
+    uint8_t ret[168U]) {
+  ret[0U] = 0U;
+  ret[1U] = 0U;
+  ret[2U] = 0U;
+  ret[3U] = 0U;
+  ret[4U] = 0U;
+  ret[5U] = 0U;
+  ret[6U] = 0U;
+  ret[7U] = 0U;
+  ret[8U] = 0U;
+  ret[9U] = 0U;
+  ret[10U] = 0U;
+  ret[11U] = 0U;
+  ret[12U] = 0U;
+  ret[13U] = 0U;
+  ret[14U] = 0U;
+  ret[15U] = 0U;
+  ret[16U] = 0U;
+  ret[17U] = 0U;
+  ret[18U] = 0U;
+  ret[19U] = 0U;
+  ret[20U] = 0U;
+  ret[21U] = 0U;
+  ret[22U] = 0U;
+  ret[23U] = 0U;
+  ret[24U] = 0U;
+  ret[25U] = 0U;
+  ret[26U] = 0U;
+  ret[27U] = 0U;
+  ret[28U] = 0U;
+  ret[29U] = 0U;
+  ret[30U] = 0U;
+  ret[31U] = 0U;
+  ret[32U] = 0U;
+  ret[33U] = 0U;
+  ret[34U] = 0U;
+  ret[35U] = 0U;
+  ret[36U] = 0U;
+  ret[37U] = 0U;
+  ret[38U] = 0U;
+  ret[39U] = 0U;
+  ret[40U] = 0U;
+  ret[41U] = 0U;
+  ret[42U] = 0U;
+  ret[43U] = 0U;
+  ret[44U] = 0U;
+  ret[45U] = 0U;
+  ret[46U] = 0U;
+  ret[47U] = 0U;
+  ret[48U] = 0U;
+  ret[49U] = 0U;
+  ret[50U] = 0U;
+  ret[51U] = 0U;
+  ret[52U] = 0U;
+  ret[53U] = 0U;
+  ret[54U] = 0U;
+  ret[55U] = 0U;
+  ret[56U] = 0U;
+  ret[57U] = 0U;
+  ret[58U] = 0U;
+  ret[59U] = 0U;
+  ret[60U] = 0U;
+  ret[61U] = 0U;
+  ret[62U] = 0U;
+  ret[63U] = 0U;
+  ret[64U] = 0U;
+  ret[65U] = 0U;
+  ret[66U] = 0U;
+  ret[67U] = 0U;
+  ret[68U] = 0U;
+  ret[69U] = 0U;
+  ret[70U] = 0U;
+  ret[71U] = 0U;
+  ret[72U] = 0U;
+  ret[73U] = 0U;
+  ret[74U] = 0U;
+  ret[75U] = 0U;
+  ret[76U] = 0U;
+  ret[77U] = 0U;
+  ret[78U] = 0U;
+  ret[79U] = 0U;
+  ret[80U] = 0U;
+  ret[81U] = 0U;
+  ret[82U] = 0U;
+  ret[83U] = 0U;
+  ret[84U] = 0U;
+  ret[85U] = 0U;
+  ret[86U] = 0U;
+  ret[87U] = 0U;
+  ret[88U] = 0U;
+  ret[89U] = 0U;
+  ret[90U] = 0U;
+  ret[91U] = 0U;
+  ret[92U] = 0U;
+  ret[93U] = 0U;
+  ret[94U] = 0U;
+  ret[95U] = 0U;
+  ret[96U] = 0U;
+  ret[97U] = 0U;
+  ret[98U] = 0U;
+  ret[99U] = 0U;
+  ret[100U] = 0U;
+  ret[101U] = 0U;
+  ret[102U] = 0U;
+  ret[103U] = 0U;
+  ret[104U] = 0U;
+  ret[105U] = 0U;
+  ret[106U] = 0U;
+  ret[107U] = 0U;
+  ret[108U] = 0U;
+  ret[109U] = 0U;
+  ret[110U] = 0U;
+  ret[111U] = 0U;
+  ret[112U] = 0U;
+  ret[113U] = 0U;
+  ret[114U] = 0U;
+  ret[115U] = 0U;
+  ret[116U] = 0U;
+  ret[117U] = 0U;
+  ret[118U] = 0U;
+  ret[119U] = 0U;
+  ret[120U] = 0U;
+  ret[121U] = 0U;
+  ret[122U] = 0U;
+  ret[123U] = 0U;
+  ret[124U] = 0U;
+  ret[125U] = 0U;
+  ret[126U] = 0U;
+  ret[127U] = 0U;
+  ret[128U] = 0U;
+  ret[129U] = 0U;
+  ret[130U] = 0U;
+  ret[131U] = 0U;
+  ret[132U] = 0U;
+  ret[133U] = 0U;
+  ret[134U] = 0U;
+  ret[135U] = 0U;
+  ret[136U] = 0U;
+  ret[137U] = 0U;
+  ret[138U] = 0U;
+  ret[139U] = 0U;
+  ret[140U] = 0U;
+  ret[141U] = 0U;
+  ret[142U] = 0U;
+  ret[143U] = 0U;
+  ret[144U] = 0U;
+  ret[145U] = 0U;
+  ret[146U] = 0U;
+  ret[147U] = 0U;
+  ret[148U] = 0U;
+  ret[149U] = 0U;
+  ret[150U] = 0U;
+  ret[151U] = 0U;
+  ret[152U] = 0U;
+  ret[153U] = 0U;
+  ret[154U] = 0U;
+  ret[155U] = 0U;
+  ret[156U] = 0U;
+  ret[157U] = 0U;
+  ret[158U] = 0U;
+  ret[159U] = 0U;
+  ret[160U] = 0U;
+  ret[161U] = 0U;
+  ret[162U] = 0U;
+  ret[163U] = 0U;
+  ret[164U] = 0U;
+  ret[165U] = 0U;
+  ret[166U] = 0U;
+  ret[167U] = 0U;
+}
+
+/**
+ Generate a new keccak xof state.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.new_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 168
+*/
+static inline libcrux_sha3_generic_keccak_KeccakXofState_97
+libcrux_sha3_generic_keccak_new_8b_c60(void) {
+  libcrux_sha3_generic_keccak_KeccakXofState_97 lit;
+  lit.inner = libcrux_sha3_generic_keccak_new_89_04();
+  uint8_t ret[168U];
+  libcrux_sha3_generic_keccak_zero_block_8b_c60(ret);
+  memcpy(lit.buf[0U], ret, (size_t)168U * sizeof(uint8_t));
+  lit.buf_len = (size_t)0U;
+  lit.sponge = false;
+  return lit;
+}
+
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
+*/
+static inline libcrux_sha3_generic_keccak_KeccakXofState_97
+libcrux_sha3_portable_incremental_new_2f(void) {
+  return libcrux_sha3_generic_keccak_new_8b_c60();
+}
+
+/**
+ `out` has the exact size we want here. It must be less than or equal to `RATE`.
+*/
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_5a
+with const generics
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_3a(
+    uint64_t (*state)[5U], Eurydice_slice out[1U]) {
+  size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U;
+  size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U;
+  for (size_t i = (size_t)0U; i < num_full_blocks; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
+  }
+  if (last_block_len != (size_t)0U) {
+    Eurydice_slice uu____1 = Eurydice_slice_subslice2(
+        out[0U], num_full_blocks * (size_t)8U,
+        num_full_blocks * (size_t)8U + last_block_len, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(
+        state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____1,
+        Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t),
+        uint8_t);
+  }
+}
+
+/**
+ Squeeze `N` x `LEN` bytes.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 168
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c60(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self,
+    Eurydice_slice out[1U]) {
+  if (self->sponge) {
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+  }
+  size_t out_len = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = out_len / (size_t)168U;
+  size_t last = out_len - out_len % (size_t)168U;
+  size_t mid;
+  if ((size_t)168U >= out_len) {
+    mid = out_len;
+  } else {
+    mid = (size_t)168U;
+  }
+  Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid);
+  Eurydice_slice out00[1U];
+  memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice out_rest[1U];
+  memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_store_5a_3a(self->inner.st, out00);
+  core_ops_range_Range_08 iter =
+      core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+          (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                             .end = blocks}),
+          core_ops_range_Range_08, core_ops_range_Range_08);
+  while (true) {
+    if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+            &iter, size_t, Option_08)
+            .tag == None) {
+      break;
+    } else {
+      Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
+          libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest,
+                                                         (size_t)168U);
+      Eurydice_slice out0[1U];
+      memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
+      Eurydice_slice tmp[1U];
+      memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
+      libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+      libcrux_sha3_portable_keccak_store_5a_3a(self->inner.st, out0);
+      memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice));
+    }
+  }
+  if (last < out_len) {
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+    libcrux_sha3_portable_keccak_store_5a_3a(self->inner.st, out_rest);
+  }
+  self->sponge = true;
+}
+
+/**
+ Shake128 squeeze
+*/
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
+*/
+static inline void libcrux_sha3_portable_incremental_squeeze_2f(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice out) {
+  Eurydice_slice buf[1U] = {out};
+  libcrux_sha3_generic_keccak_squeeze_8b_c60(self, buf);
+}
+
+/**
+This function found in impl {(core::clone::Clone for
+libcrux_sha3::portable::KeccakState)}
+*/
+static inline libcrux_sha3_generic_keccak_KeccakState_17
+libcrux_sha3_portable_clone_3d(
+    libcrux_sha3_generic_keccak_KeccakState_17 *self) {
+  return self[0U];
+}
+
+/**
+This function found in impl {(core::convert::From<libcrux_sha3::Algorithm> for
+u32)#1}
+*/
+static inline uint32_t libcrux_sha3_from_eb(libcrux_sha3_Algorithm v) {
+  uint32_t uu____0;
+  switch (v) {
+    case libcrux_sha3_Sha224: {
+      uu____0 = 1U;
+      break;
+    }
+    case libcrux_sha3_Sha256: {
+      uu____0 = 2U;
+      break;
+    }
+    case libcrux_sha3_Sha384: {
+      uu____0 = 3U;
+      break;
+    }
+    case libcrux_sha3_Sha512: {
+      uu____0 = 4U;
+      break;
+    }
+    default: {
+      KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__,
+                        __LINE__);
+      KRML_HOST_EXIT(253U);
+    }
+  }
+  return uu____0;
+}
+
+/**
+This function found in impl {(core::convert::From<u32> for
+libcrux_sha3::Algorithm)}
+*/
+static inline libcrux_sha3_Algorithm libcrux_sha3_from_2d(uint32_t v) {
+  libcrux_sha3_Algorithm uu____0;
+  switch (v) {
+    case 1U: {
+      uu____0 = libcrux_sha3_Sha224;
+      break;
+    }
+    case 2U: {
+      uu____0 = libcrux_sha3_Sha256;
+      break;
+    }
+    case 3U: {
+      uu____0 = libcrux_sha3_Sha384;
+      break;
+    }
+    case 4U: {
+      uu____0 = libcrux_sha3_Sha512;
+      break;
+    }
+    default: {
+      KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
+                        "panic!");
+      KRML_HOST_EXIT(255U);
+    }
+  }
+  return uu____0;
+}
+
+typedef uint8_t libcrux_sha3_Sha3_512Digest[64U];
+
+typedef uint8_t libcrux_sha3_Sha3_384Digest[48U];
+
+typedef uint8_t libcrux_sha3_Sha3_256Digest[32U];
+
+typedef uint8_t libcrux_sha3_Sha3_224Digest[28U];
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __libcrux_sha3_portable_H_DEFINED
+#endif
diff --git a/libcrux-ml-dsa/cg/tests/mldsa65.cc b/libcrux-ml-dsa/cg/tests/mldsa65.cc
new file mode 100644
index 000000000..ea77a81b2
--- /dev/null
+++ b/libcrux-ml-dsa/cg/tests/mldsa65.cc
@@ -0,0 +1,57 @@
+/*
+ *    Copyright 2023 Cryspen Sarl
+ *
+ *    Licensed under the Apache License, Version 2.0 or MIT.
+ *    - http://www.apache.org/licenses/LICENSE-2.0
+ *    - http://opensource.org/licenses/MIT
+ */
+
+#include <gtest/gtest.h>
+
+#include "libcrux_mldsa65_portable.h"
+
+template <typename T>
+Eurydice_slice mk_slice(T *x, size_t len)
+{
+    Eurydice_slice s;
+    s.ptr = (void *)x;
+    s.len = len;
+    return s;
+}
+
+TEST(MlDsa65TestPortable, ConsistencyTest)
+{
+    // Generate key pair
+    uint8_t randomness[32];
+    for (int i = 0; i < 32; i++)
+    {
+        randomness[i] = 13;
+    }
+    auto key_pair = libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(randomness);
+
+    // Sign
+    uint8_t msg[79] = {0};
+    for (int i = 0; i < 32; i++)
+    {
+        randomness[i] = 0x55;
+    }
+    uint8_t context[3];
+
+    auto msg_slice = mk_slice(&msg, 79);
+    auto context_slice = mk_slice(&context, 3);
+    auto signature_result = libcrux_ml_dsa_ml_dsa_65_portable_sign(
+        &key_pair.signing_key, msg_slice,
+        context_slice,
+        randomness);
+    EXPECT_EQ(signature_result.tag, Ok);
+    auto signature = signature_result.val.case_Ok;
+
+    // Verify
+    auto result = libcrux_ml_dsa_ml_dsa_65_portable_verify(
+        &key_pair.verification_key,
+        msg_slice,
+        context_slice,
+        &signature);
+
+    EXPECT_EQ(result.tag, Ok);
+}
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst
index 8634dfbe9..bfbcf309d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst
@@ -11,111 +11,54 @@ let _ =
 
 let serialize
       (#v_SIMDUnit: Type0)
-      (v_OUTPUT_SIZE: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in
-  match cast (v_OUTPUT_SIZE <: usize) <: u8 with
-  | 128uy ->
-    let serialized:t_Array u8 v_OUTPUT_SIZE =
-      Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
-          <:
-          t_Slice v_SIMDUnit)
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let _:usize = temp_1_ in
-            true)
-        serialized
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
-                  Core.Ops.Range.f_end
-                  =
-                  (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
-                        Core.Ops.Range.f_end
-                        =
-                        (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit
-                      #FStar.Tactics.Typeclasses.solve
-                      (sz 4)
-                      simd_unit
+  let output_bytes_per_simd_unit:usize =
+    (Core.Slice.impl__len #u8 serialized <: usize) /! (sz 8 *! sz 4 <: usize)
+  in
+  let serialized:t_Slice u8 =
+    Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+        <:
+        t_Slice v_SIMDUnit)
+      (fun serialized temp_1_ ->
+          let serialized:t_Slice u8 = serialized in
+          let _:usize = temp_1_ in
+          true)
+      serialized
+      (fun serialized temp_1_ ->
+          let serialized:t_Slice u8 = serialized in
+          let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+            ({
+                Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize;
+                Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize
+              }
+              <:
+              Core.Ops.Range.t_Range usize)
+            (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit
+                #FStar.Tactics.Typeclasses.solve
+                simd_unit
+                (serialized.[ {
+                      Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize;
+                      Core.Ops.Range.f_end
+                      =
+                      (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize
+                    }
                     <:
-                    t_Slice u8)
-                <:
-                t_Slice u8)
-            <:
-            t_Array u8 v_OUTPUT_SIZE)
-    in
-    serialized
-  | 192uy ->
-    let serialized:t_Array u8 v_OUTPUT_SIZE =
-      Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+                    Core.Ops.Range.t_Range usize ]
+                  <:
+                  t_Slice u8)
+              <:
+              t_Slice u8)
           <:
-          t_Slice v_SIMDUnit)
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let _:usize = temp_1_ in
-            true)
-        serialized
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize;
-                  Core.Ops.Range.f_end
-                  =
-                  (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start
-                        =
-                        i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize;
-                        Core.Ops.Range.f_end
-                        =
-                        (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit
-                      #FStar.Tactics.Typeclasses.solve
-                      (sz 6)
-                      simd_unit
-                    <:
-                    t_Slice u8)
-                <:
-                t_Slice u8)
-            <:
-            t_Array u8 v_OUTPUT_SIZE)
-    in
-    serialized
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
-        <:
-        Rust_primitives.Hax.t_Never)
+          t_Slice u8)
+  in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
+  serialized
 
 let serialize_vector
       (#v_SIMDUnit: Type0)
@@ -151,7 +94,8 @@ let serialize_vector
                 }
                 <:
                 Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
+              (serialize #v_SIMDUnit
+                  ring_element
                   (serialized.[ {
                         Core.Ops.Range.f_start = offset;
                         Core.Ops.Range.f_end = offset +! v_RING_ELEMENT_SIZE <: usize
@@ -160,7 +104,6 @@ let serialize_vector
                       Core.Ops.Range.t_Range usize ]
                     <:
                     t_Slice u8)
-                  (serialize #v_SIMDUnit v_RING_ELEMENT_SIZE ring_element <: t_Slice u8)
                 <:
                 t_Slice u8)
           in
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti
index 0becaf037..53816fd08 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti
@@ -9,16 +9,12 @@ let _ =
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
-let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 4
-
-let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 6
-
 val serialize
       (#v_SIMDUnit: Type0)
-      (v_OUTPUT_SIZE: usize)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
 val serialize_vector
       (#v_SIMDUnit: Type0)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst
index 84a413aa5..e95ba0a90 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst
@@ -16,73 +16,50 @@ let deserialize
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (serialized: t_Slice u8)
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
      =
-  let serialized_chunks:Core.Slice.Iter.t_Chunks u8 =
-    match cast (v_ETA <: usize) <: u8 with
-    | 2uy -> Core.Slice.impl__chunks #u8 serialized (sz 3)
-    | 4uy -> Core.Slice.impl__chunks #u8 serialized (sz 4)
-    | _ ->
-      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
-          <:
-          Rust_primitives.Hax.t_Never)
-  in
+  let chunk_size:usize = if v_ETA =. sz 2 then sz 3 else sz 4 in
   let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit ()
-  in
-  let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Core.Slice.Iter.t_Chunks u8) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (Core.Slice.impl__len #v_SIMDUnit
           (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
         <:
         usize)
-      (fun temp_0_ temp_1_ ->
-          let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement
-            v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8) =
-            temp_0_
-          in
+      (fun result temp_1_ ->
+          let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in
           let _:usize = temp_1_ in
           true)
-      (result, serialized_chunks
-        <:
-        (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8)
-      )
-      (fun temp_0_ i ->
-          let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement
-            v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8) =
-            temp_0_
-          in
+      result
+      (fun result i ->
+          let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in
           let i:usize = i in
-          let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) =
-            Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8)
-              #FStar.Tactics.Typeclasses.solve
-              serialized_chunks
-          in
-          let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in
-          ({
-              result with
-              Libcrux_ml_dsa.Polynomial.f_simd_units
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
-                  .Libcrux_ml_dsa.Polynomial.f_simd_units
-                i
-                (Libcrux_ml_dsa.Simd.Traits.f_error_deserialize #v_SIMDUnit
-                    #FStar.Tactics.Typeclasses.solve
-                    v_ETA
-                    (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8)
-                  <:
-                  v_SIMDUnit)
-            }
+          {
+            result with
+            Libcrux_ml_dsa.Polynomial.f_simd_units
+            =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
+                .Libcrux_ml_dsa.Polynomial.f_simd_units
+              i
+              (Libcrux_ml_dsa.Simd.Traits.f_error_deserialize #v_SIMDUnit
+                  #FStar.Tactics.Typeclasses.solve
+                  v_ETA
+                  (serialized.[ {
+                        Core.Ops.Range.f_start = i *! chunk_size <: usize;
+                        Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! chunk_size <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                <:
+                v_SIMDUnit)
             <:
-            Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit),
-          serialized_chunks
+            t_Array v_SIMDUnit (sz 32)
+          }
           <:
-          (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8))
+          Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
   in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
   result
 
 let deserialize_to_vector_then_ntt
@@ -102,18 +79,15 @@ let deserialize_to_vector_then_ntt
   in
   let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
     v_DIMENSION =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate
-            (Core.Slice.Iter.t_Chunks u8))
-          #FStar.Tactics.Typeclasses.solve
-          (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8)
-              #FStar.Tactics.Typeclasses.solve
-              (Core.Slice.impl__chunks #u8 serialized v_RING_ELEMENT_SIZE
-                <:
-                Core.Slice.Iter.t_Chunks u8)
-            <:
-            Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8))
-        <:
-        Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8))
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice v_RING_ELEMENT_SIZE
+      serialized
+      (fun ring_elements temp_1_ ->
+          let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+            v_DIMENSION =
+            ring_elements
+          in
+          let _:usize = temp_1_ in
+          true)
       ring_elements
       (fun ring_elements temp_1_ ->
           let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
@@ -121,16 +95,31 @@ let deserialize_to_vector_then_ntt
             ring_elements
           in
           let i, bytes:(usize & t_Slice u8) = temp_1_ in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements
-            i
-            (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
-                (deserialize #v_SIMDUnit v_ETA bytes
-                  <:
-                  Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-              <:
-              Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-          <:
-          t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)
+          let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+            v_DIMENSION =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements
+              i
+              (deserialize #v_SIMDUnit
+                  v_ETA
+                  bytes
+                  (ring_elements.[ i ]
+                    <:
+                    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+                <:
+                Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+          in
+          let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+            v_DIMENSION =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements
+              i
+              (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+                  (ring_elements.[ i ]
+                    <:
+                    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+                <:
+                Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+          in
+          ring_elements)
   in
   ring_elements
 
@@ -141,103 +130,46 @@ let serialize
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in
-  match cast (v_ETA <: usize) <: u8 with
-  | 2uy ->
-    let serialized:t_Array u8 v_OUTPUT_SIZE =
-      Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
-          <:
-          t_Slice v_SIMDUnit)
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let _:usize = temp_1_ in
-            true)
-        serialized
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
-                  Core.Ops.Range.f_end
-                  =
-                  (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
-                        Core.Ops.Range.f_end
-                        =
-                        (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit
-                      #FStar.Tactics.Typeclasses.solve
-                      (sz 3)
-                      simd_unit
+  let output_bytes_per_simd_unit:usize = if v_ETA =. sz 2 then sz 3 else sz 4 in
+  let serialized:t_Slice u8 =
+    Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+        <:
+        t_Slice v_SIMDUnit)
+      (fun serialized temp_1_ ->
+          let serialized:t_Slice u8 = serialized in
+          let _:usize = temp_1_ in
+          true)
+      serialized
+      (fun serialized temp_1_ ->
+          let serialized:t_Slice u8 = serialized in
+          let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+            ({
+                Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize;
+                Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize
+              }
+              <:
+              Core.Ops.Range.t_Range usize)
+            (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit
+                #FStar.Tactics.Typeclasses.solve
+                v_ETA
+                simd_unit
+                (serialized.[ {
+                      Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize;
+                      Core.Ops.Range.f_end
+                      =
+                      (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize
+                    }
                     <:
-                    t_Slice u8)
-                <:
-                t_Slice u8)
-            <:
-            t_Array u8 v_OUTPUT_SIZE)
-    in
-    serialized
-  | 4uy ->
-    let serialized:t_Array u8 v_OUTPUT_SIZE =
-      Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+                    Core.Ops.Range.t_Range usize ]
+                  <:
+                  t_Slice u8)
+              <:
+              t_Slice u8)
           <:
-          t_Slice v_SIMDUnit)
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let _:usize = temp_1_ in
-            true)
-        serialized
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize;
-                  Core.Ops.Range.f_end
-                  =
-                  (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start
-                        =
-                        i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize;
-                        Core.Ops.Range.f_end
-                        =
-                        (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit
-                      #FStar.Tactics.Typeclasses.solve
-                      (sz 4)
-                      simd_unit
-                    <:
-                    t_Slice u8)
-                <:
-                t_Slice u8)
-            <:
-            t_Array u8 v_OUTPUT_SIZE)
-    in
-    serialized
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
-        <:
-        Rust_primitives.Hax.t_Never)
+          t_Slice u8)
+  in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
+  serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti
index 199d62d48..2136a90ef 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti
@@ -9,15 +9,12 @@ let _ =
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
-let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 3
-
-let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 4
-
 val deserialize
       (#v_SIMDUnit: Type0)
       (v_ETA: usize)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (serialized: t_Slice u8)
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
     : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
       (fun _ -> Prims.l_True)
@@ -37,4 +34,5 @@ val serialize
       (v_ETA v_OUTPUT_SIZE: usize)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst
index 470cf8ab6..a55f19fe7 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst
@@ -16,179 +16,101 @@ let deserialize
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (serialized: t_Slice u8)
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
      =
-  let serialized_chunks:Core.Slice.Iter.t_Chunks u8 =
-    match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with
-    | 17uy -> Core.Slice.impl__chunks #u8 serialized (sz 18)
-    | 19uy -> Core.Slice.impl__chunks #u8 serialized (sz 20)
-    | _ ->
-      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
-          <:
-          Rust_primitives.Hax.t_Never)
-  in
   let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit ()
-  in
-  let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Core.Slice.Iter.t_Chunks u8) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (Core.Slice.impl__len #v_SIMDUnit
           (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
         <:
         usize)
-      (fun temp_0_ temp_1_ ->
-          let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement
-            v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8) =
-            temp_0_
-          in
+      (fun result temp_1_ ->
+          let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in
           let _:usize = temp_1_ in
           true)
-      (result, serialized_chunks
-        <:
-        (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8)
-      )
-      (fun temp_0_ i ->
-          let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement
-            v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8) =
-            temp_0_
-          in
+      result
+      (fun result i ->
+          let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in
           let i:usize = i in
-          let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) =
-            Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8)
-              #FStar.Tactics.Typeclasses.solve
-              serialized_chunks
-          in
-          let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in
-          ({
-              result with
-              Libcrux_ml_dsa.Polynomial.f_simd_units
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
-                  .Libcrux_ml_dsa.Polynomial.f_simd_units
-                i
-                (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit
-                    #FStar.Tactics.Typeclasses.solve
-                    v_GAMMA1_EXPONENT
-                    (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8)
-                  <:
-                  v_SIMDUnit)
-            }
+          {
+            result with
+            Libcrux_ml_dsa.Polynomial.f_simd_units
+            =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
+                .Libcrux_ml_dsa.Polynomial.f_simd_units
+              i
+              (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit
+                  #FStar.Tactics.Typeclasses.solve
+                  v_GAMMA1_EXPONENT
+                  (serialized.[ {
+                        Core.Ops.Range.f_start = i *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize;
+                        Core.Ops.Range.f_end
+                        =
+                        (i +! sz 1 <: usize) *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                <:
+                v_SIMDUnit)
             <:
-            Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit),
-          serialized_chunks
+            t_Array v_SIMDUnit (sz 32)
+          }
           <:
-          (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8))
+          Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
   in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
   result
 
 let serialize
       (#v_SIMDUnit: Type0)
-      (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize)
+      (v_GAMMA1_EXPONENT: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 v_OUTPUT_BYTES = Rust_primitives.Hax.repeat 0uy v_OUTPUT_BYTES in
-  match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with
-  | 17uy ->
-    let serialized:t_Array u8 v_OUTPUT_BYTES =
-      Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
-          <:
-          t_Slice v_SIMDUnit)
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in
-            let _:usize = temp_1_ in
-            true)
-        serialized
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in
-            let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
-                  Core.Ops.Range.f_end
-                  =
-                  (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
-                        Core.Ops.Range.f_end
-                        =
-                        (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit
-                      #FStar.Tactics.Typeclasses.solve
-                      (sz 18)
-                      simd_unit
+  let serialized:t_Slice u8 =
+    Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+        <:
+        t_Slice v_SIMDUnit)
+      (fun serialized temp_1_ ->
+          let serialized:t_Slice u8 = serialized in
+          let _:usize = temp_1_ in
+          true)
+      serialized
+      (fun serialized temp_1_ ->
+          let serialized:t_Slice u8 = serialized in
+          let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+            ({
+                Core.Ops.Range.f_start = i *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize;
+                Core.Ops.Range.f_end
+                =
+                (i +! sz 1 <: usize) *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize
+              }
+              <:
+              Core.Ops.Range.t_Range usize)
+            (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit
+                #FStar.Tactics.Typeclasses.solve
+                v_GAMMA1_EXPONENT
+                simd_unit
+                (serialized.[ {
+                      Core.Ops.Range.f_start = i *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize;
+                      Core.Ops.Range.f_end
+                      =
+                      (i +! sz 1 <: usize) *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize
+                    }
                     <:
-                    t_Slice u8)
-                <:
-                t_Slice u8)
-            <:
-            t_Array u8 v_OUTPUT_BYTES)
-    in
-    serialized
-  | 19uy ->
-    let serialized:t_Array u8 v_OUTPUT_BYTES =
-      Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+                    Core.Ops.Range.t_Range usize ]
+                  <:
+                  t_Slice u8)
+              <:
+              t_Slice u8)
           <:
-          t_Slice v_SIMDUnit)
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in
-            let _:usize = temp_1_ in
-            true)
-        serialized
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in
-            let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize;
-                  Core.Ops.Range.f_end
-                  =
-                  (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start
-                        =
-                        i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize;
-                        Core.Ops.Range.f_end
-                        =
-                        (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit
-                      #FStar.Tactics.Typeclasses.solve
-                      (sz 20)
-                      simd_unit
-                    <:
-                    t_Slice u8)
-                <:
-                t_Slice u8)
-            <:
-            t_Array u8 v_OUTPUT_BYTES)
-    in
-    serialized
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
-        <:
-        Rust_primitives.Hax.t_Never)
+          t_Slice u8)
+  in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
+  serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti
index c6b16420b..9c35efc9f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti
@@ -9,22 +9,20 @@ let _ =
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
-let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 18
-
-let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 20
-
 val deserialize
       (#v_SIMDUnit: Type0)
       (v_GAMMA1_EXPONENT: usize)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (serialized: t_Slice u8)
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
     : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 val serialize
       (#v_SIMDUnit: Type0)
-      (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize)
+      (v_GAMMA1_EXPONENT: usize)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_BYTES) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst
index 3c0ff240a..c351af8bb 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst
@@ -14,7 +14,7 @@ let impl__deserialize
       (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE:
           usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (serialized: t_Array u8 v_SIGNATURE_SIZE)
      =
@@ -65,6 +65,9 @@ let impl__deserialize
                     Core.Ops.Range.t_Range usize ]
                   <:
                   t_Slice u8)
+                (signer_response.[ i ]
+                  <:
+                  Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
               <:
               Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
           <:
@@ -274,7 +277,11 @@ let impl__serialize
                 }
                 <:
                 Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
+              (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit
+                  v_GAMMA1_EXPONENT
+                  (self.f_signer_response.[ i ]
+                    <:
+                    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
                   (signature.[ {
                         Core.Ops.Range.f_start = offset;
                         Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize
@@ -283,14 +290,6 @@ let impl__serialize
                       Core.Ops.Range.t_Range usize ]
                     <:
                     t_Slice u8)
-                  (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit
-                      v_GAMMA1_EXPONENT
-                      v_GAMMA1_RING_ELEMENT_SIZE
-                      (self.f_signer_response.[ i ]
-                        <:
-                        Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-                    <:
-                    t_Slice u8)
                 <:
                 t_Slice u8)
           in
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti
index 0ef8c6563..53b1e72ed 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti
@@ -25,7 +25,7 @@ val impl__deserialize
       (#v_SIMDUnit: Type0)
       (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE:
           usize)
-      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (serialized: t_Array u8 v_SIGNATURE_SIZE)
     : Prims.Pure
       (Core.Result.t_Result
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst
index 1394c5939..36b4a612d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst
@@ -102,7 +102,7 @@ let generate_serialized
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i3:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
       (seed_for_A seed_for_signing verification_key: t_Slice u8)
       (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
       (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A)
@@ -215,7 +215,10 @@ let generate_serialized
                 }
                 <:
                 Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
+              (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit
+                  v_ETA
+                  v_ERROR_RING_ELEMENT_SIZE
+                  ring_element
                   (signing_key_serialized.[ {
                         Core.Ops.Range.f_start = offset;
                         Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize
@@ -224,12 +227,6 @@ let generate_serialized
                       Core.Ops.Range.t_Range usize ]
                     <:
                     t_Slice u8)
-                  (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit
-                      v_ETA
-                      v_ERROR_RING_ELEMENT_SIZE
-                      ring_element
-                    <:
-                    t_Slice u8)
                 <:
                 t_Slice u8)
           in
@@ -260,7 +257,10 @@ let generate_serialized
                 }
                 <:
                 Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
+              (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit
+                  v_ETA
+                  v_ERROR_RING_ELEMENT_SIZE
+                  ring_element
                   (signing_key_serialized.[ {
                         Core.Ops.Range.f_start = offset;
                         Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize
@@ -269,12 +269,6 @@ let generate_serialized
                       Core.Ops.Range.t_Range usize ]
                     <:
                     t_Slice u8)
-                  (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit
-                      v_ETA
-                      v_ERROR_RING_ELEMENT_SIZE
-                      ring_element
-                    <:
-                    t_Slice u8)
                 <:
                 t_Slice u8)
           in
@@ -307,7 +301,8 @@ let generate_serialized
                 }
                 <:
                 Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
+              (Libcrux_ml_dsa.Encoding.T0.serialize #v_SIMDUnit
+                  ring_element
                   (signing_key_serialized.[ {
                         Core.Ops.Range.f_start = offset;
                         Core.Ops.Range.f_end
@@ -318,7 +313,6 @@ let generate_serialized
                       Core.Ops.Range.t_Range usize ]
                     <:
                     t_Slice u8)
-                  (Libcrux_ml_dsa.Encoding.T0.serialize #v_SIMDUnit ring_element <: t_Slice u8)
                 <:
                 t_Slice u8)
           in
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti
index b8a8f2d90..bad7c34f3 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti
@@ -27,7 +27,7 @@ val generate_serialized
       (#v_SIMDUnit #v_Shake256: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize)
       {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
+      {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
       (seed_for_A seed_for_signing verification_key: t_Slice u8)
       (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
       (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst
index b1193d6cd..2fda1d74c 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst
@@ -15,65 +15,50 @@ let deserialize
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (serialized: t_Slice u8)
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
      =
-  let serialized_chunks:Core.Slice.Iter.t_Chunks u8 =
-    Core.Slice.impl__chunks #u8 serialized (sz 13)
-  in
   let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit ()
-  in
-  let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Core.Slice.Iter.t_Chunks u8) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (Core.Slice.impl__len #v_SIMDUnit
           (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
         <:
         usize)
-      (fun temp_0_ temp_1_ ->
-          let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement
-            v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8) =
-            temp_0_
-          in
+      (fun result temp_1_ ->
+          let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in
           let _:usize = temp_1_ in
           true)
-      (result, serialized_chunks
-        <:
-        (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8)
-      )
-      (fun temp_0_ i ->
-          let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement
-            v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8) =
-            temp_0_
-          in
+      result
+      (fun result i ->
+          let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in
           let i:usize = i in
-          let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) =
-            Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8)
-              #FStar.Tactics.Typeclasses.solve
-              serialized_chunks
-          in
-          let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in
-          ({
-              result with
-              Libcrux_ml_dsa.Polynomial.f_simd_units
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
-                  .Libcrux_ml_dsa.Polynomial.f_simd_units
-                i
-                (Libcrux_ml_dsa.Simd.Traits.f_t0_deserialize #v_SIMDUnit
-                    #FStar.Tactics.Typeclasses.solve
-                    (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8)
-                  <:
-                  v_SIMDUnit)
-            }
+          {
+            result with
+            Libcrux_ml_dsa.Polynomial.f_simd_units
+            =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
+                .Libcrux_ml_dsa.Polynomial.f_simd_units
+              i
+              (Libcrux_ml_dsa.Simd.Traits.f_t0_deserialize #v_SIMDUnit
+                  #FStar.Tactics.Typeclasses.solve
+                  (serialized.[ {
+                        Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
+                        Core.Ops.Range.f_end
+                        =
+                        (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                <:
+                v_SIMDUnit)
             <:
-            Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit),
-          serialized_chunks
+            t_Array v_SIMDUnit (sz 32)
+          }
           <:
-          (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8))
+          Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
   in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
   result
 
 let deserialize_to_vector_then_ntt
@@ -93,20 +78,15 @@ let deserialize_to_vector_then_ntt
   in
   let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
     v_DIMENSION =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate
-            (Core.Slice.Iter.t_Chunks u8))
-          #FStar.Tactics.Typeclasses.solve
-          (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8)
-              #FStar.Tactics.Typeclasses.solve
-              (Core.Slice.impl__chunks #u8
-                  serialized
-                  Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE
-                <:
-                Core.Slice.Iter.t_Chunks u8)
-            <:
-            Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8))
-        <:
-        Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8))
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE
+      serialized
+      (fun ring_elements temp_1_ ->
+          let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+            v_DIMENSION =
+            ring_elements
+          in
+          let _:usize = temp_1_ in
+          true)
       ring_elements
       (fun ring_elements temp_1_ ->
           let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
@@ -114,16 +94,30 @@ let deserialize_to_vector_then_ntt
             ring_elements
           in
           let i, bytes:(usize & t_Slice u8) = temp_1_ in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements
-            i
-            (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
-                (deserialize #v_SIMDUnit bytes
-                  <:
-                  Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-              <:
-              Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-          <:
-          t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)
+          let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+            v_DIMENSION =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements
+              i
+              (deserialize #v_SIMDUnit
+                  bytes
+                  (ring_elements.[ i ]
+                    <:
+                    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+                <:
+                Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+          in
+          let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+            v_DIMENSION =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements
+              i
+              (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+                  (ring_elements.[ i ]
+                    <:
+                    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+                <:
+                Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+          in
+          ring_elements)
   in
   ring_elements
 
@@ -133,35 +127,33 @@ let serialize
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 (sz 416) = Rust_primitives.Hax.repeat 0uy (sz 416) in
-  let serialized:t_Array u8 (sz 416) =
+  let serialized:t_Slice u8 =
     Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
         <:
         t_Slice v_SIMDUnit)
       (fun serialized temp_1_ ->
-          let serialized:t_Array u8 (sz 416) = serialized in
+          let serialized:t_Slice u8 = serialized in
           let _:usize = temp_1_ in
           true)
       serialized
       (fun serialized temp_1_ ->
-          let serialized:t_Array u8 (sz 416) = serialized in
+          let serialized:t_Slice u8 = serialized in
           let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
           Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
             ({
-                Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
-                Core.Ops.Range.f_end
-                =
-                (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
+                Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
+                Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize
               }
               <:
               Core.Ops.Range.t_Range usize)
             (Core.Slice.impl__copy_from_slice #u8
                 (serialized.[ {
-                      Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
+                      Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
                       Core.Ops.Range.f_end
                       =
-                      (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
+                      (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize
                     }
                     <:
                     Core.Ops.Range.t_Range usize ]
@@ -175,6 +167,7 @@ let serialize
               <:
               t_Slice u8)
           <:
-          t_Array u8 (sz 416))
+          t_Slice u8)
   in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
   serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti
index 3969d9d7c..94ac260a2 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti
@@ -9,12 +9,13 @@ let _ =
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
-let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13
+let v_OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13
 
 val deserialize
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (serialized: t_Slice u8)
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
     : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
       (fun _ -> Prims.l_True)
@@ -33,4 +34,5 @@ val serialize
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-    : Prims.Pure (t_Array u8 (sz 416)) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst
index 6a59315c3..4e42a3c10 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst
@@ -15,65 +15,48 @@ let deserialize
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (serialized: t_Slice u8)
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
      =
-  let serialized_chunks:Core.Slice.Iter.t_Chunks u8 =
-    Core.Slice.impl__chunks #u8 serialized (sz 10)
-  in
   let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit ()
-  in
-  let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Core.Slice.Iter.t_Chunks u8) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (Core.Slice.impl__len #v_SIMDUnit
           (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
         <:
         usize)
-      (fun temp_0_ temp_1_ ->
-          let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement
-            v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8) =
-            temp_0_
-          in
+      (fun result temp_1_ ->
+          let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in
           let _:usize = temp_1_ in
           true)
-      (result, serialized_chunks
-        <:
-        (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8)
-      )
-      (fun temp_0_ i ->
-          let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement
-            v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8) =
-            temp_0_
-          in
+      result
+      (fun result i ->
+          let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in
           let i:usize = i in
-          let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) =
-            Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8)
-              #FStar.Tactics.Typeclasses.solve
-              serialized_chunks
-          in
-          let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in
-          ({
-              result with
-              Libcrux_ml_dsa.Polynomial.f_simd_units
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
-                  .Libcrux_ml_dsa.Polynomial.f_simd_units
-                i
-                (Libcrux_ml_dsa.Simd.Traits.f_t1_deserialize #v_SIMDUnit
-                    #FStar.Tactics.Typeclasses.solve
-                    (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8)
-                  <:
-                  v_SIMDUnit)
-            }
+          {
+            result with
+            Libcrux_ml_dsa.Polynomial.f_simd_units
+            =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
+                .Libcrux_ml_dsa.Polynomial.f_simd_units
+              i
+              (Libcrux_ml_dsa.Simd.Traits.f_t1_deserialize #v_SIMDUnit
+                  #FStar.Tactics.Typeclasses.solve
+                  (serialized.[ {
+                        Core.Ops.Range.f_start = i *! deserialize__WINDOW <: usize;
+                        Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! deserialize__WINDOW <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                <:
+                v_SIMDUnit)
             <:
-            Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit),
-          serialized_chunks
+            t_Array v_SIMDUnit (sz 32)
+          }
           <:
-          (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-            Core.Slice.Iter.t_Chunks u8))
+          Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
   in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
   result
 
 let serialize
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti
index f05c66a13..b1b59a0dc 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti
@@ -9,12 +9,15 @@ let _ =
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
+let deserialize__WINDOW: usize = sz 10
+
 let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 10
 
 val deserialize
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (serialized: t_Slice u8)
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
     : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst
index 94a614a45..f36227839 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst
@@ -62,6 +62,7 @@ let deserialize
                     Core.Ops.Range.t_Range usize ]
                   <:
                   t_Slice u8)
+                (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
               <:
               Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
           <:
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst
new file mode 100644
index 000000000..7d78d62f2
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst
@@ -0,0 +1,107 @@
+module Libcrux_ml_dsa.Hash_functions.Neon
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+assume
+val t_Shake128x4': eqtype
+
+let t_Shake128x4 = t_Shake128x4'
+
+assume
+val t_Shake256x4': eqtype
+
+let t_Shake256x4 = t_Shake256x4'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
+
+let impl_1 = impl_1'
+
+assume
+val init_absorb':
+    input0: t_Slice u8 ->
+    input1: t_Slice u8 ->
+    input2: t_Slice u8 ->
+    input3: t_Slice u8
+  -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb = init_absorb'
+
+assume
+val init_absorb_x4':
+    input0: t_Slice u8 ->
+    input1: t_Slice u8 ->
+    input2: t_Slice u8 ->
+    input3: t_Slice u8
+  -> Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb_x4 = init_absorb_x4'
+
+assume
+val shake256_x4':
+    v_OUT_LEN: usize ->
+    input0: t_Slice u8 ->
+    input1: t_Slice u8 ->
+    input2: t_Slice u8 ->
+    input3: t_Slice u8 ->
+    out0: t_Array u8 v_OUT_LEN ->
+    out1: t_Array u8 v_OUT_LEN ->
+    out2: t_Array u8 v_OUT_LEN ->
+    out3: t_Array u8 v_OUT_LEN
+  -> Prims.Pure
+      (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN
+
+assume
+val squeeze_first_block_x4': state: t_Shake256x4
+  -> Prims.Pure
+      (t_Shake256x4 &
+        (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let squeeze_first_block_x4 = squeeze_first_block_x4'
+
+assume
+val squeeze_first_five_blocks':
+    state: t_Shake128x4 ->
+    out0: t_Array u8 (sz 840) ->
+    out1: t_Array u8 (sz 840) ->
+    out2: t_Array u8 (sz 840) ->
+    out3: t_Array u8 (sz 840)
+  -> Prims.Pure
+      (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+        t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
+
+let squeeze_first_five_blocks = squeeze_first_five_blocks'
+
+assume
+val squeeze_next_block': state: t_Shake128x4
+  -> Prims.Pure
+      (t_Shake128x4 &
+        (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let squeeze_next_block = squeeze_next_block'
+
+assume
+val squeeze_next_block_x4': state: t_Shake256x4
+  -> Prims.Pure
+      (t_Shake256x4 &
+        (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let squeeze_next_block_x4 = squeeze_next_block_x4'
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti
index a7762dfe1..d27a20455 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti
@@ -3,10 +3,10 @@ module Libcrux_ml_dsa.Hash_functions.Neon
 open Core
 open FStar.Mul
 
-val t_Shake128x4:Type0
+val t_Shake128x4:eqtype
 
 /// Neon SHAKE 256 x4 state
-val t_Shake256x4:Type0
+val t_Shake256x4:eqtype
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst
new file mode 100644
index 000000000..b93e63c07
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst
@@ -0,0 +1,152 @@
+module Libcrux_ml_dsa.Hash_functions.Portable
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+assume
+val t_Shake128': eqtype
+
+let t_Shake128 = t_Shake128'
+
+assume
+val t_Shake128X4': eqtype
+
+let t_Shake128X4 = t_Shake128X4'
+
+assume
+val t_Shake256': eqtype
+
+let t_Shake256 = t_Shake256'
+
+assume
+val t_Shake256X4': eqtype
+
+let t_Shake256X4 = t_Shake256X4'
+
+assume
+val t_Shake256Xof': eqtype
+
+let t_Shake256Xof = t_Shake256Xof'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128
+
+let impl_1 = impl_1'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
+
+let impl_2 = impl_2'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_3': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4
+
+let impl_3 = impl_3'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_4': Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof
+
+let impl_4 = impl_4'
+
+assume
+val init_absorb':
+    input0: t_Slice u8 ->
+    input1: t_Slice u8 ->
+    input2: t_Slice u8 ->
+    input3: t_Slice u8
+  -> Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb = init_absorb'
+
+assume
+val init_absorb_final_shake256': input: t_Slice u8
+  -> Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb_final_shake256 = init_absorb_final_shake256'
+
+assume
+val init_absorb_x4':
+    input0: t_Slice u8 ->
+    input1: t_Slice u8 ->
+    input2: t_Slice u8 ->
+    input3: t_Slice u8
+  -> Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb_x4 = init_absorb_x4'
+
+assume
+val shake128': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH
+  -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+
+let shake128 (v_OUTPUT_LENGTH: usize) = shake128' v_OUTPUT_LENGTH
+
+assume
+val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH
+  -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+
+let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH
+
+assume
+val squeeze_first_block_shake256': state: t_Shake256
+  -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+
+let squeeze_first_block_shake256 = squeeze_first_block_shake256'
+
+assume
+val squeeze_first_block_x4': state: t_Shake256X4
+  -> Prims.Pure
+      (t_Shake256X4 &
+        (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let squeeze_first_block_x4 = squeeze_first_block_x4'
+
+assume
+val squeeze_first_five_blocks':
+    state: t_Shake128X4 ->
+    out0: t_Array u8 (sz 840) ->
+    out1: t_Array u8 (sz 840) ->
+    out2: t_Array u8 (sz 840) ->
+    out3: t_Array u8 (sz 840)
+  -> Prims.Pure
+      (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+        t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
+
+let squeeze_first_five_blocks = squeeze_first_five_blocks'
+
+assume
+val squeeze_next_block': state: t_Shake128X4
+  -> Prims.Pure
+      (t_Shake128X4 &
+        (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let squeeze_next_block = squeeze_next_block'
+
+assume
+val squeeze_next_block_shake256': state: t_Shake256
+  -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+
+let squeeze_next_block_shake256 = squeeze_next_block_shake256'
+
+assume
+val squeeze_next_block_x4': state: t_Shake256X4
+  -> Prims.Pure
+      (t_Shake256X4 &
+        (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let squeeze_next_block_x4 = squeeze_next_block_x4'
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
index 0a59a5cc8..0b7e313f7 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
@@ -4,22 +4,20 @@ open Core
 open FStar.Mul
 
 /// Portable SHAKE 128 state
-val t_Shake128:Type0
+val t_Shake128:eqtype
 
 /// Portable SHAKE 128 x4 state.
 /// We\'re using a portable implementation so this is actually sequential.
-val t_Shake128X4:Type0
+val t_Shake128X4:eqtype
 
 /// Portable SHAKE 256 state
-val t_Shake256:Type0
+val t_Shake256:eqtype
 
 /// Portable SHAKE 256 x4 state.
 /// We\'re using a portable implementation so this is actually sequential.
-val t_Shake256X4:Type0
+val t_Shake256X4:eqtype
 
-val t_Shake256Absorb:Type0
-
-val t_Shake256Squeeze:Type0
+val t_Shake256Xof:eqtype
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4
@@ -28,15 +26,18 @@ val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4
 val impl_1:Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256
+val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl_3:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_4:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof
+
 val init_absorb (input0 input1 input2 input3: t_Slice u8)
     : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True)
 
-val init_absorb_shake256 (input: t_Slice u8)
+val init_absorb_final_shake256 (input: t_Slice u8)
     : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True)
 
 val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
@@ -48,17 +49,6 @@ val shake128 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUT
 val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH)
     : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
 
-val shake256_absorb (st: t_Shake256Absorb) (input: t_Slice u8)
-    : Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True)
-
-val shake256_absorb_final (st: t_Shake256Absorb) (input: t_Slice u8)
-    : Prims.Pure t_Shake256Squeeze Prims.l_True (fun _ -> Prims.l_True)
-
-val shake256_init: Prims.unit -> Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True)
-
-val shake256_squeeze (st: t_Shake256Squeeze) (out: t_Slice u8)
-    : Prims.Pure (t_Shake256Squeeze & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
 val squeeze_first_block_shake256 (state: t_Shake256)
     : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti
index bd150aa95..de5a31b65 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti
@@ -3,7 +3,10 @@ module Libcrux_ml_dsa.Hash_functions.Shake256
 open Core
 open FStar.Mul
 
-class t_Xof (v_Self: Type0) = {
+/// An ML-DSA specific Xof trait
+/// This trait is not actually a full Xof implementation but opererates only
+/// on multiple of blocks. The only real Xof API for SHAKE256 is [`Xof`].
+class t_DsaXof (v_Self: Type0) = {
   f_shake256_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0;
   f_shake256_post:
       v_OUTPUT_LENGTH: usize ->
@@ -15,10 +18,12 @@ class t_Xof (v_Self: Type0) = {
     -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH)
         (f_shake256_pre v_OUTPUT_LENGTH x0 x1)
         (fun result -> f_shake256_post v_OUTPUT_LENGTH x0 x1 result);
-  f_init_absorb_pre:t_Slice u8 -> Type0;
-  f_init_absorb_post:t_Slice u8 -> v_Self -> Type0;
-  f_init_absorb:x0: t_Slice u8
-    -> Prims.Pure v_Self (f_init_absorb_pre x0) (fun result -> f_init_absorb_post x0 result);
+  f_init_absorb_final_pre:t_Slice u8 -> Type0;
+  f_init_absorb_final_post:t_Slice u8 -> v_Self -> Type0;
+  f_init_absorb_final:x0: t_Slice u8
+    -> Prims.Pure v_Self
+        (f_init_absorb_final_pre x0)
+        (fun result -> f_init_absorb_final_post x0 result);
   f_squeeze_first_block_pre:v_Self -> Type0;
   f_squeeze_first_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0;
   f_squeeze_first_block:x0: v_Self
@@ -33,6 +38,27 @@ class t_Xof (v_Self: Type0) = {
         (fun result -> f_squeeze_next_block_post x0 result)
 }
 
+/// A generic Xof trait
+class t_Xof (v_Self: Type0) = {
+  f_init_pre:Prims.unit -> Type0;
+  f_init_post:Prims.unit -> v_Self -> Type0;
+  f_init:x0: Prims.unit -> Prims.Pure v_Self (f_init_pre x0) (fun result -> f_init_post x0 result);
+  f_absorb_pre:v_Self -> t_Slice u8 -> Type0;
+  f_absorb_post:v_Self -> t_Slice u8 -> v_Self -> Type0;
+  f_absorb:x0: v_Self -> x1: t_Slice u8
+    -> Prims.Pure v_Self (f_absorb_pre x0 x1) (fun result -> f_absorb_post x0 x1 result);
+  f_absorb_final_pre:v_Self -> t_Slice u8 -> Type0;
+  f_absorb_final_post:v_Self -> t_Slice u8 -> v_Self -> Type0;
+  f_absorb_final:x0: v_Self -> x1: t_Slice u8
+    -> Prims.Pure v_Self (f_absorb_final_pre x0 x1) (fun result -> f_absorb_final_post x0 x1 result);
+  f_squeeze_pre:v_Self -> t_Slice u8 -> Type0;
+  f_squeeze_post:v_Self -> t_Slice u8 -> (v_Self & t_Slice u8) -> Type0;
+  f_squeeze:x0: v_Self -> x1: t_Slice u8
+    -> Prims.Pure (v_Self & t_Slice u8)
+        (f_squeeze_pre x0 x1)
+        (fun result -> f_squeeze_post x0 x1 result)
+}
+
 class t_XofX4 (v_Self: Type0) = {
   f_init_absorb_x4_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0;
   f_init_absorb_x4_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0;
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst
new file mode 100644
index 000000000..fe67aa9fc
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst
@@ -0,0 +1,142 @@
+module Libcrux_ml_dsa.Hash_functions.Simd256
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+assume
+val t_Shake128x4': eqtype
+
+let t_Shake128x4 = t_Shake128x4'
+
+assume
+val t_Shake256': eqtype
+
+let t_Shake256 = t_Shake256'
+
+assume
+val t_Shake256x4': eqtype
+
+let t_Shake256x4 = t_Shake256x4'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
+
+let impl_1 = impl_1'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
+
+let impl_2 = impl_2'
+
+assume
+val init_absorb':
+    input0: t_Slice u8 ->
+    input1: t_Slice u8 ->
+    input2: t_Slice u8 ->
+    input3: t_Slice u8
+  -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb = init_absorb'
+
+assume
+val init_absorb_final_shake256': input: t_Slice u8
+  -> Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb_final_shake256 = init_absorb_final_shake256'
+
+assume
+val init_absorb_x4':
+    input0: t_Slice u8 ->
+    input1: t_Slice u8 ->
+    input2: t_Slice u8 ->
+    input3: t_Slice u8
+  -> Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb_x4 = init_absorb_x4'
+
+assume
+val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH
+  -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+
+let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH
+
+assume
+val shake256_x4':
+    v_OUT_LEN: usize ->
+    input0: t_Slice u8 ->
+    input1: t_Slice u8 ->
+    input2: t_Slice u8 ->
+    input3: t_Slice u8 ->
+    out0: t_Array u8 v_OUT_LEN ->
+    out1: t_Array u8 v_OUT_LEN ->
+    out2: t_Array u8 v_OUT_LEN ->
+    out3: t_Array u8 v_OUT_LEN
+  -> Prims.Pure
+      (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN
+
+assume
+val squeeze_first_block_shake256': state: t_Shake256
+  -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+
+let squeeze_first_block_shake256 = squeeze_first_block_shake256'
+
+assume
+val squeeze_first_block_x4': state: t_Shake256x4
+  -> Prims.Pure
+      (t_Shake256x4 &
+        (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let squeeze_first_block_x4 = squeeze_first_block_x4'
+
+assume
+val squeeze_first_five_blocks':
+    state: t_Shake128x4 ->
+    out0: t_Array u8 (sz 840) ->
+    out1: t_Array u8 (sz 840) ->
+    out2: t_Array u8 (sz 840) ->
+    out3: t_Array u8 (sz 840)
+  -> Prims.Pure
+      (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+        t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
+
+let squeeze_first_five_blocks = squeeze_first_five_blocks'
+
+assume
+val squeeze_next_block': state: t_Shake128x4
+  -> Prims.Pure
+      (t_Shake128x4 &
+        (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let squeeze_next_block = squeeze_next_block'
+
+assume
+val squeeze_next_block_shake256': state: t_Shake256
+  -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+
+let squeeze_next_block_shake256 = squeeze_next_block_shake256'
+
+assume
+val squeeze_next_block_x4': state: t_Shake256x4
+  -> Prims.Pure
+      (t_Shake256x4 &
+        (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let squeeze_next_block_x4 = squeeze_next_block_x4'
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
index 32174758b..109c7ccf9 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
@@ -6,19 +6,19 @@ open FStar.Mul
 /// AVX2 SHAKE 128 state
 /// This only implements the XofX4 API. For the single Xof, the portable
 /// version is used.
-val t_Shake128x4:Type0
-
-/// AVX2 SHAKE 256 x4 state.
-val t_Shake256x4:Type0
+val t_Shake128x4:eqtype
 
 /// AVX2 SHAKE 256 state
-val t_Shake256:Type0
+val t_Shake256:eqtype
+
+/// AVX2 SHAKE 256 x4 state.
+val t_Shake256x4:eqtype
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256
+val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
@@ -27,7 +27,7 @@ val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
 val init_absorb (input0 input1 input2 input3: t_Slice u8)
     : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
 
-val init_absorb_shake256 (input: t_Slice u8)
+val init_absorb_final_shake256 (input: t_Slice u8)
     : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True)
 
 val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst
index 2ba6033e2..a5339e177 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst
@@ -121,6 +121,18 @@ let compute_A_times_mask
         Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       v_ROWS_IN_A
   in
+  let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A
+  =
+    Core.Array.impl_23__map #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      v_COLUMNS_IN_A
+      #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      mask
+      (fun s ->
+          let s:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = s in
+          Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit s
+          <:
+          Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+  in
   let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A =
     Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt
         <:
@@ -168,10 +180,7 @@ let compute_A_times_mask
                   let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
                     Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit
                       ring_element
-                      (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
-                          (mask.[ j ]
-                            <:
-                            Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+                      (mask_ntt.[ j ]
                         <:
                         Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
                   in
@@ -339,6 +348,39 @@ let compute_w_approx
         Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       v_ROWS_IN_A
   in
+  let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    v_COLUMNS_IN_A =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+          (signer_response <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+          )
+        <:
+        usize)
+      (fun signer_response temp_1_ ->
+          let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+            v_COLUMNS_IN_A =
+            signer_response
+          in
+          let _:usize = temp_1_ in
+          true)
+      signer_response
+      (fun signer_response i ->
+          let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+            v_COLUMNS_IN_A =
+            signer_response
+          in
+          let i:usize = i in
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signer_response
+            i
+            (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+                (signer_response.[ i ]
+                  <:
+                  Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+              <:
+              Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+          <:
+          t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+  in
   let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A =
     Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt
         <:
@@ -386,10 +428,7 @@ let compute_w_approx
                   let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
                     Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit
                       ring_element
-                      (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
-                          (signer_response.[ j ]
-                            <:
-                            Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+                      (signer_response.[ j ]
                         <:
                         Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
                   in
@@ -412,13 +451,14 @@ let compute_w_approx
               13l
               (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
           in
+          let t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+            Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit t1_shifted
+          in
           let challenge_times_t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement
           v_SIMDUnit =
             Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit
               verifier_challenge_as_ntt
-              (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit t1_shifted
-                <:
-                Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+              t1_shifted
           in
           let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
             v_ROWS_IN_A =
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst
index 57daef3c6..c923aaf46 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l
     (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2)
     (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
     context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17)
     (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 4) (sz 4)
     (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst
index 881529d16..cbfcb41f1 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l
     (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2)
     (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
     context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17)
     (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 4) (sz 4)
     (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst
index 47feb8acb..5ecf58ac3 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17)
     95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 4) (sz 4)
     (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560)
-    (sz 2420) (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560))
+    (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560))
     message context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 4) (sz 4) (sz 2420) (sz 1312)
     (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 4) (sz 4)
     (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst
index de9e24809..fd9368339 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l
     (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) (sz 96)
     (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message
     context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17)
     (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 2420)
     (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst
index 93a4a47d2..fb56ab400 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19)
     261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4)
     (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
     context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19)
     (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 6) (sz 5)
     (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst
index 52cd13c55..06692d1d7 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19)
     261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4)
     (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
     context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19)
     (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 6) (sz 5)
     (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst
index 272c8f309..d696b883f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19)
     261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 6) (sz 5)
     (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032)
-    (sz 3309) (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032))
+    (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032))
     message context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 6) (sz 5) (sz 3309) (sz 1952)
     (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 6) (sz 5)
     (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst
index 47f6598f5..9029cf9f8 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l
     (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) (sz 128)
     (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message
     context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19)
     (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 3309)
     (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst
index a5cb7cc82..bed872537 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19)
     261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2)
     (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
     context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19)
     (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 8) (sz 7)
     (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst
index bec5c242e..f4bc8340a 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19)
     261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2)
     (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
     context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19)
     (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 8) (sz 7)
     (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst
index a5b4a3a2a..6f6364908 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19)
     261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 8) (sz 7)
     (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896)
-    (sz 4627) (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896))
+    (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896))
     message context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 8) (sz 7) (sz 4627) (sz 2592)
     (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 8) (sz 7)
     (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst
index b7bfad8f1..a72c5865b 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst
@@ -29,7 +29,7 @@ let sign
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l
     (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
     context randomness
 
 let sign_pre_hashed_shake128
@@ -39,7 +39,7 @@ let sign_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) (sz 96)
     (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627)
-    (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
+    (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message
     context randomness
 
 let verify
@@ -49,8 +49,8 @@ let verify
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19)
     (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
 
 let verify_pre_hashed_shake128
       (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592))
@@ -59,5 +59,5 @@ let verify_pre_hashed_shake128
      =
   Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 4627)
     (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75)
-    (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
-    context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627))
+    (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message
+    context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst
index db410963c..c1553434f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst
@@ -6,10 +6,13 @@ open FStar.Mul
 let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Portable in
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Hash_functions.Simd256 in
   let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Samplex4 in
+  let open Libcrux_ml_dsa.Samplex4.Avx2 in
   let open Libcrux_ml_dsa.Simd.Avx2 in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
@@ -20,8 +23,9 @@ let generate_key_pair
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+    #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
     #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof
     #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
     v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness
 
@@ -35,8 +39,9 @@ let sign
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+    #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
     #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof
     #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
     v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE
     v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
@@ -53,8 +58,10 @@ let sign_pre_hashed_shake128
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
+    #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128
     #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
     #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof
     #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
     (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2
     v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
@@ -72,10 +79,11 @@ let verify
       (signature: t_Array u8 v_SIGNATURE_SIZE)
      =
   Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE
-    v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA
-    v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
+    #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A
+    v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2
+    v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
     v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature
 
 let verify_pre_hashed_shake128
@@ -89,8 +97,10 @@ let verify_pre_hashed_shake128
       (signature: t_Array u8 v_SIGNATURE_SIZE)
      =
   Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
+    #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128
     #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
     (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT
     v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE
     v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti
index f5492bbb9..aaa4d5643 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti
@@ -6,10 +6,13 @@ open FStar.Mul
 let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Portable in
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Hash_functions.Simd256 in
   let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Samplex4 in
+  let open Libcrux_ml_dsa.Samplex4.Avx2 in
   let open Libcrux_ml_dsa.Simd.Avx2 in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst
index 9e12c192d..c81b51ec3 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst
@@ -11,6 +11,8 @@ let _ =
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Samplex4 in
+  let open Libcrux_ml_dsa.Samplex4.Neon in
   let open Libcrux_ml_dsa.Simd.Portable in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
@@ -21,8 +23,9 @@ let generate_key_pair
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
+    #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof
     #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
     v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness
 
@@ -36,8 +39,9 @@ let sign
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
+    #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof
     #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
     v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE
     v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
@@ -54,8 +58,10 @@ let sign_pre_hashed_shake128
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
+    #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128
     #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof
     #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256)
     v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2
     v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
@@ -73,10 +79,11 @@ let verify
       (signature: t_Array u8 v_SIGNATURE_SIZE)
      =
   Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
-    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE
-    v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA
-    v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
+    #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A
+    v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2
+    v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
     v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature
 
 let verify_pre_hashed_shake128
@@ -90,8 +97,10 @@ let verify_pre_hashed_shake128
       (signature: t_Array u8 v_SIGNATURE_SIZE)
      =
   Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
+    #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128
     #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
-    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
     (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT
     v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE
     v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti
index 93c40dc34..45fac8db0 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti
@@ -11,6 +11,8 @@ let _ =
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Samplex4 in
+  let open Libcrux_ml_dsa.Samplex4.Neon in
   let open Libcrux_ml_dsa.Simd.Portable in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst
index 3ed0bdc8f..fba006d14 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst
@@ -10,6 +10,8 @@ let _ =
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Samplex4 in
+  let open Libcrux_ml_dsa.Samplex4.Portable in
   let open Libcrux_ml_dsa.Simd.Portable in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
@@ -20,8 +22,10 @@ let generate_key_pair
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
+    #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
     v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness
 
@@ -35,8 +39,10 @@ let sign
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
+    #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
     v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE
     v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
@@ -53,8 +59,11 @@ let sign_pre_hashed_shake128
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
+    #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
     (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2
     v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
@@ -72,10 +81,12 @@ let verify
       (signature: t_Array u8 v_SIGNATURE_SIZE)
      =
   Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
+    #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4
-    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE
-    v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA
-    v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A
+    v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2
+    v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
     v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature
 
 let verify_pre_hashed_shake128
@@ -89,8 +100,11 @@ let verify_pre_hashed_shake128
       (signature: t_Array u8 v_SIGNATURE_SIZE)
      =
   Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
+    #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128
     #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4
-    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
     (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT
     v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE
     v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti
index 1e4399d64..9bd1f00f2 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti
@@ -10,6 +10,8 @@ let _ =
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Samplex4 in
+  let open Libcrux_ml_dsa.Samplex4.Portable in
   let open Libcrux_ml_dsa.Simd.Portable in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
index 0af8aebcb..1fec04ec9 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
@@ -9,28 +9,37 @@ let _ =
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Samplex4 in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
 let derive_message_representative
+      (#v_Shake256Xof: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
       (verification_key_hash: t_Array u8 (sz 64))
       (domain_separation_context:
           Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
       (message: t_Slice u8)
       (message_representative: t_Array u8 (sz 64))
      =
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_init ()
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve ()
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
       (verification_key_hash <: t_Slice u8)
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
+  let shake:v_Shake256Xof =
     match domain_separation_context with
     | Core.Option.Option_Some domain_separation_context ->
-      let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-        Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake
+      let shake:v_Shake256Xof =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+          #FStar.Tactics.Typeclasses.solve
+          shake
           ((let list =
                 [
                   cast (Core.Option.impl__is_some #(t_Array u8 (sz 11))
@@ -48,8 +57,10 @@ let derive_message_representative
             <:
             t_Slice u8)
       in
-      let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-        Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake
+      let shake:v_Shake256Xof =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+          #FStar.Tactics.Typeclasses.solve
+          shake
           ((let list =
                 [
                   cast (Core.Slice.impl__len #u8
@@ -67,44 +78,343 @@ let derive_message_representative
             <:
             t_Slice u8)
       in
-      let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-        Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake
+      let shake:v_Shake256Xof =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+          #FStar.Tactics.Typeclasses.solve
+          shake
           (Libcrux_ml_dsa.Pre_hash.impl_1__context domain_separation_context <: t_Slice u8)
       in
       (match Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context with
         | Core.Option.Option_Some pre_hash_oid ->
-          Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (pre_hash_oid <: t_Slice u8)
+          Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+            #FStar.Tactics.Typeclasses.solve
+            shake
+            (pre_hash_oid <: t_Slice u8)
         | _ -> shake)
     | _ -> shake
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake message
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
+      message
   in
-  let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake message_representative
+  let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
+      message_representative
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in
+  let shake:v_Shake256Xof = tmp0 in
   let message_representative:t_Array u8 (sz 64) = tmp1 in
   let _:Prims.unit = () in
   message_representative
 
+let verify_internal
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
+          usize)
+      (v_GAMMA2 v_BETA: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
+          usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i5:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i7:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i8:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i9:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+      (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE)
+      (message: t_Slice u8)
+      (domain_separation_context:
+          Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+      (signature_serialized: t_Array u8 v_SIGNATURE_SIZE)
+     =
+  let seed_for_A, t1:(t_Array u8 (sz 32) &
+    t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) =
+    Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit
+      v_ROWS_IN_A
+      v_VERIFICATION_KEY_SIZE
+      verification_key_serialized
+  in
+  match
+    Libcrux_ml_dsa.Encoding.Signature.impl__deserialize #v_SIMDUnit
+      v_COMMITMENT_HASH_SIZE
+      v_COLUMNS_IN_A
+      v_ROWS_IN_A
+      v_GAMMA1_EXPONENT
+      v_GAMMA1_RING_ELEMENT_SIZE
+      v_MAX_ONES_IN_HINT
+      v_SIGNATURE_SIZE
+      signature_serialized
+  with
+  | Core.Result.Result_Ok s ->
+    let signature:Libcrux_ml_dsa.Encoding.Signature.t_Signature v_SIMDUnit
+      v_COMMITMENT_HASH_SIZE
+      v_COLUMNS_IN_A
+      v_ROWS_IN_A =
+      s
+    in
+    if
+      Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit
+        v_COLUMNS_IN_A
+        signature.Libcrux_ml_dsa.Encoding.Signature.f_signer_response
+        ((2l <<! v_GAMMA1_EXPONENT <: i32) -! v_BETA <: i32)
+    then
+      Core.Result.Result_Err
+      (Libcrux_ml_dsa.Types.VerificationError_SignerResponseExceedsBoundError
+        <:
+        Libcrux_ml_dsa.Types.t_VerificationError)
+      <:
+      Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
+    else
+      let v_A_as_ntt:t_Array
+        (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+        v_ROWS_IN_A =
+        Libcrux_ml_dsa.Samplex4.f_matrix_A #v_Sampler
+          #FStar.Tactics.Typeclasses.solve
+          #v_SIMDUnit
+          v_ROWS_IN_A
+          v_COLUMNS_IN_A
+          (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) (seed_for_A <: t_Slice u8)
+            <:
+            t_Array u8 (sz 34))
+      in
+      let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
+      let verification_key_hash:t_Array u8 (sz 64) =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
+          #FStar.Tactics.Typeclasses.solve
+          (sz 64)
+          (verification_key_serialized <: t_Slice u8)
+          verification_key_hash
+      in
+      let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
+      let message_representative:t_Array u8 (sz 64) =
+        derive_message_representative #v_Shake256Xof
+          verification_key_hash
+          domain_separation_context
+          message
+          message_representative
+      in
+      let verifier_challenge_as_ntt:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+        Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+          (Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit
+              #v_Shake256
+              v_ONES_IN_VERIFIER_CHALLENGE
+              v_COMMITMENT_HASH_SIZE
+              signature.Libcrux_ml_dsa.Encoding.Signature.f_commitment_hash
+            <:
+            Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      in
+      let w_approx:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+        v_ROWS_IN_A =
+        Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit
+          v_ROWS_IN_A
+          v_COLUMNS_IN_A
+          v_A_as_ntt
+          signature.Libcrux_ml_dsa.Encoding.Signature.f_signer_response
+          verifier_challenge_as_ntt
+          t1
+      in
+      let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE =
+        Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE
+      in
+      let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+        v_ROWS_IN_A =
+        Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit
+          v_ROWS_IN_A
+          v_GAMMA2
+          signature.Libcrux_ml_dsa.Encoding.Signature.f_hint
+          w_approx
+      in
+      let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE =
+        Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit
+          v_ROWS_IN_A
+          v_COMMITMENT_RING_ELEMENT_SIZE
+          v_COMMITMENT_VECTOR_SIZE
+          commitment
+      in
+      let shake:v_Shake256Xof =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof
+          #FStar.Tactics.Typeclasses.solve
+          ()
+      in
+      let shake:v_Shake256Xof =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+          #FStar.Tactics.Typeclasses.solve
+          shake
+          (message_representative <: t_Slice u8)
+      in
+      let shake:v_Shake256Xof =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+          #FStar.Tactics.Typeclasses.solve
+          shake
+          (commitment_serialized <: t_Slice u8)
+      in
+      let tmp0, tmp1:(v_Shake256Xof & t_Array u8 v_COMMITMENT_HASH_SIZE) =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+          #FStar.Tactics.Typeclasses.solve
+          shake
+          commitment_hash
+      in
+      let shake:v_Shake256Xof = tmp0 in
+      let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in
+      let _:Prims.unit = () in
+      let _:Prims.unit = () in
+      if signature.Libcrux_ml_dsa.Encoding.Signature.f_commitment_hash =. commitment_hash
+      then
+        Core.Result.Result_Ok (() <: Prims.unit)
+        <:
+        Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
+      else
+        Core.Result.Result_Err
+        (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError
+          <:
+          Libcrux_ml_dsa.Types.t_VerificationError)
+        <:
+        Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
+  | Core.Result.Result_Err e ->
+    Core.Result.Result_Err e
+    <:
+    Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
+
+let verify
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
+          usize)
+      (v_GAMMA2 v_BETA: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
+          usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i5:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i7:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i8:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i9:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+      (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE)
+      (message context: t_Slice u8)
+      (signature_serialized: t_Array u8 v_SIGNATURE_SIZE)
+     =
+  match
+    Libcrux_ml_dsa.Pre_hash.impl_1__new context
+      (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
+  with
+  | Core.Result.Result_Ok dsc ->
+    let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+    verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A
+      v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT
+      v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE
+      v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE
+      v_MAX_ONES_IN_HINT verification_key_serialized message
+      (Core.Option.Option_Some domain_separation_context
+        <:
+        Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized
+  | Core.Result.Result_Err _ ->
+    Core.Result.Result_Err
+    (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
+      <:
+      Libcrux_ml_dsa.Types.t_VerificationError)
+    <:
+    Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
+
+let verify_pre_hashed
+      (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
+      (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
+          usize)
+      (v_GAMMA2 v_BETA: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
+          usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i7:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i9:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i10:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i11:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i12:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i13:
+          Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN)
+      (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE)
+      (message context: t_Slice u8)
+      (signature_serialized: t_Array u8 v_SIGNATURE_SIZE)
+     =
+  let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN =
+    Libcrux_ml_dsa.Pre_hash.f_hash #v_PH
+      #v_PH_DIGEST_LEN
+      #FStar.Tactics.Typeclasses.solve
+      #v_Shake128
+      message
+  in
+  match
+    Libcrux_ml_dsa.Pre_hash.impl_1__new context
+      (Core.Option.Option_Some
+        (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve ()
+          <:
+          t_Array u8 (sz 11))
+        <:
+        Core.Option.t_Option (t_Array u8 (sz 11)))
+  with
+  | Core.Result.Result_Ok dsc ->
+    let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+    verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A
+      v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT
+      v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE
+      v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE
+      v_MAX_ONES_IN_HINT verification_key_serialized (pre_hashed_message <: t_Slice u8)
+      (Core.Option.Option_Some domain_separation_context
+        <:
+        Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized
+  | Core.Result.Result_Err _ ->
+    Core.Result.Result_Err
+    (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
+      <:
+      Libcrux_ml_dsa.Types.t_VerificationError)
+    <:
+    Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
+
 let sign_internal
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0)
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
       (v_GAMMA2: i32)
       (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
           usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
+          i6:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i5:
+          i8:
           Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i6:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
+          i9:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i7:
+          i10:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i11:
           Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
       (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
       (message: t_Slice u8)
@@ -130,7 +440,9 @@ let sign_internal
   let v_A_as_ntt:t_Array
     (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
     v_ROWS_IN_A =
-    Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit
+    Libcrux_ml_dsa.Samplex4.f_matrix_A #v_Sampler
+      #FStar.Tactics.Typeclasses.solve
+      #v_SIMDUnit
       v_ROWS_IN_A
       v_COLUMNS_IN_A
       (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) (seed_for_A <: t_Slice u8)
@@ -139,29 +451,41 @@ let sign_internal
   in
   let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
   let message_representative:t_Array u8 (sz 64) =
-    derive_message_representative verification_key_hash
+    derive_message_representative #v_Shake256Xof
+      verification_key_hash
       domain_separation_context
       message
       message_representative
   in
   let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_init ()
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve ()
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (seed_for_signing <: t_Slice u8)
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
+      (seed_for_signing <: t_Slice u8)
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8)
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
+      (randomness <: t_Slice u8)
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
       (message_representative <: t_Slice u8)
   in
-  let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake mask_seed
+  let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
+      mask_seed
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in
+  let shake:v_Shake256Xof = tmp0 in
   let mask_seed:t_Array u8 (sz 64) = tmp1 in
   let _:Prims.unit = () in
   let _:Prims.unit = () in
@@ -258,22 +582,30 @@ let sign_internal
               v_COMMITMENT_VECTOR_SIZE
               commitment
           in
-          let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-            Libcrux_ml_dsa.Hash_functions.Portable.shake256_init ()
+          let shake:v_Shake256Xof =
+            Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof
+              #FStar.Tactics.Typeclasses.solve
+              ()
           in
-          let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-            Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake
+          let shake:v_Shake256Xof =
+            Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+              #FStar.Tactics.Typeclasses.solve
+              shake
               (message_representative <: t_Slice u8)
           in
-          let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze =
-            Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake
+          let shake:v_Shake256Xof =
+            Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+              #FStar.Tactics.Typeclasses.solve
+              shake
               (commitment_serialized <: t_Slice u8)
           in
-          let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze &
-            t_Array u8 v_COMMITMENT_HASH_SIZE) =
-            Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake commitment_hash_candidate
+          let tmp0, tmp1:(v_Shake256Xof & t_Array u8 v_COMMITMENT_HASH_SIZE) =
+            Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+              #FStar.Tactics.Typeclasses.solve
+              shake
+              commitment_hash_candidate
           in
-          let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in
+          let shake:v_Shake256Xof = tmp0 in
           let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in
           let _:Prims.unit = () in
           let _:Prims.unit = () in
@@ -412,57 +744,18 @@ let sign_internal
                     (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
                         v_COLUMNS_IN_A)))
   in
-  match
-    match commitment_hash with
-    | Core.Option.Option_Some commitment_hash ->
-      Core.Result.Result_Ok commitment_hash
-      <:
-      Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError
-    | Core.Option.Option_None  ->
-      Core.Result.Result_Err
-      (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError
-        <:
-        Libcrux_ml_dsa.Types.t_SigningError)
-      <:
-      Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError
-  with
-  | Core.Result.Result_Ok commitment_hash ->
-    (match
-        match signer_response with
-        | Core.Option.Option_Some signer_response ->
-          Core.Result.Result_Ok signer_response
-          <:
-          Core.Result.t_Result
-            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-            Libcrux_ml_dsa.Types.t_SigningError
-        | Core.Option.Option_None  ->
-          Core.Result.Result_Err
-          (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError
-            <:
-            Libcrux_ml_dsa.Types.t_SigningError)
-          <:
-          Core.Result.t_Result
-            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-            Libcrux_ml_dsa.Types.t_SigningError
-      with
-      | Core.Result.Result_Ok signer_response ->
-        (match
-            match hint with
-            | Core.Option.Option_Some hint ->
-              Core.Result.Result_Ok hint
-              <:
-              Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A)
-                Libcrux_ml_dsa.Types.t_SigningError
-            | Core.Option.Option_None  ->
-              Core.Result.Result_Err
-              (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError
-                <:
-                Libcrux_ml_dsa.Types.t_SigningError)
-              <:
-              Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A)
-                Libcrux_ml_dsa.Types.t_SigningError
-          with
-          | Core.Result.Result_Ok hint ->
+  match commitment_hash with
+  | Core.Option.Option_Some commitment_hash ->
+    let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = commitment_hash in
+    (match signer_response with
+      | Core.Option.Option_Some signer_response ->
+        let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+          v_COLUMNS_IN_A =
+          signer_response
+        in
+        (match hint with
+          | Core.Option.Option_Some hint ->
+            let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = hint in
             let signature:t_Array u8 v_SIGNATURE_SIZE =
               Libcrux_ml_dsa.Encoding.Signature.impl__serialize #v_SIMDUnit
                 v_COMMITMENT_HASH_SIZE
@@ -487,39 +780,51 @@ let sign_internal
             <:
             Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
               Libcrux_ml_dsa.Types.t_SigningError
-          | Core.Result.Result_Err err ->
-            Core.Result.Result_Err err
+          | Core.Option.Option_None  ->
+            Core.Result.Result_Err
+            (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError
+              <:
+              Libcrux_ml_dsa.Types.t_SigningError)
             <:
             Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
               Libcrux_ml_dsa.Types.t_SigningError)
-      | Core.Result.Result_Err err ->
-        Core.Result.Result_Err err
+      | Core.Option.Option_None  ->
+        Core.Result.Result_Err
+        (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError
+          <:
+          Libcrux_ml_dsa.Types.t_SigningError)
         <:
         Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
           Libcrux_ml_dsa.Types.t_SigningError)
-  | Core.Result.Result_Err err ->
-    Core.Result.Result_Err err
+  | Core.Option.Option_None  ->
+    Core.Result.Result_Err
+    (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError
+    )
     <:
     Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
       Libcrux_ml_dsa.Types.t_SigningError
 
 let sign
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0)
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
       (v_GAMMA2: i32)
       (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
           usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
+          i6:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i5:
+          i8:
           Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i6:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
+          i9:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i7:
+          i10:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i11:
           Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
       (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
       (message context: t_Slice u8)
@@ -529,46 +834,52 @@ let sign
     Libcrux_ml_dsa.Pre_hash.impl_1__new context
       (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
   with
-  | Core.Result.Result_Ok hoist36 ->
-    sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A
-      v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE
-      v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE
-      v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key
-      message
-      (Core.Option.Option_Some hoist36
+  | Core.Result.Result_Ok dsc ->
+    let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+    sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
+      v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2
+      v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
+      v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE
+      v_SIGNATURE_SIZE signing_key message
+      (Core.Option.Option_Some domain_separation_context
         <:
         Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
-  | Core.Result.Result_Err err ->
+  | Core.Result.Result_Err _ ->
     Core.Result.Result_Err
-    (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError
-        #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
-        #FStar.Tactics.Typeclasses.solve
-        err)
+    (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError)
     <:
     Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
       Libcrux_ml_dsa.Types.t_SigningError
 
 let sign_pre_hashed
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0)
+      (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH:
+          Type0)
       (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT:
           usize)
       (v_GAMMA2: i32)
       (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
           usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i5:
+          i8:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i6:
+          i10:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i11:
           Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i7:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
+          i12:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i8:
+          i13:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i14:
           Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i9:
+          i15:
           Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN)
       (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
       (message context: t_Slice u8)
@@ -583,7 +894,11 @@ let sign_pre_hashed
       Libcrux_ml_dsa.Types.t_SigningError
   else
     let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN =
-      Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message
+      Libcrux_ml_dsa.Pre_hash.f_hash #v_PH
+        #v_PH_DIGEST_LEN
+        #FStar.Tactics.Typeclasses.solve
+        #v_Shake128
+        message
     in
     match
       Libcrux_ml_dsa.Pre_hash.impl_1__new context
@@ -594,313 +909,75 @@ let sign_pre_hashed
           <:
           Core.Option.t_Option (t_Array u8 (sz 11)))
     with
-    | Core.Result.Result_Ok hoist39 ->
-      sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A
-        v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE
-        v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE
-        v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE
-        signing_key (pre_hashed_message <: t_Slice u8)
-        (Core.Option.Option_Some hoist39
+    | Core.Result.Result_Ok dsc ->
+      let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+      sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
+        v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2
+        v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
+        v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE
+        v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key (pre_hashed_message <: t_Slice u8)
+        (Core.Option.Option_Some domain_separation_context
           <:
           Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
-    | Core.Result.Result_Err err ->
+    | Core.Result.Result_Err _ ->
       Core.Result.Result_Err
-      (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError
-          #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
-          #FStar.Tactics.Typeclasses.solve
-          err)
+      (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError)
       <:
       Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
         Libcrux_ml_dsa.Types.t_SigningError
 
-let verify_internal
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0)
-      (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
-          usize)
-      (v_GAMMA2 v_BETA: i32)
-      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
-          usize)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
-          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i5:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
-      (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE)
-      (message: t_Slice u8)
-      (domain_separation_context:
-          Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
-      (signature_serialized: t_Array u8 v_SIGNATURE_SIZE)
-     =
-  let seed_for_A, t1:(t_Array u8 (sz 32) &
-    t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) =
-    Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit
-      v_ROWS_IN_A
-      v_VERIFICATION_KEY_SIZE
-      verification_key_serialized
-  in
-  match
-    Libcrux_ml_dsa.Encoding.Signature.impl__deserialize #v_SIMDUnit
-      v_COMMITMENT_HASH_SIZE
-      v_COLUMNS_IN_A
-      v_ROWS_IN_A
-      v_GAMMA1_EXPONENT
-      v_GAMMA1_RING_ELEMENT_SIZE
-      v_MAX_ONES_IN_HINT
-      v_SIGNATURE_SIZE
-      signature_serialized
-  with
-  | Core.Result.Result_Ok signature ->
-    if
-      ~.(Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit
-          v_COLUMNS_IN_A
-          signature.Libcrux_ml_dsa.Encoding.Signature.f_signer_response
-          ((2l <<! v_GAMMA1_EXPONENT <: i32) -! v_BETA <: i32)
-        <:
-        bool)
-    then
-      let v_A_as_ntt:t_Array
-        (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-        v_ROWS_IN_A =
-        Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit
-          v_ROWS_IN_A
-          v_COLUMNS_IN_A
-          (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) (seed_for_A <: t_Slice u8)
-            <:
-            t_Array u8 (sz 34))
-      in
-      let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
-      let verification_key_hash:t_Array u8 (sz 64) =
-        Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
-          #FStar.Tactics.Typeclasses.solve
-          (sz 64)
-          (verification_key_serialized <: t_Slice u8)
-          verification_key_hash
-      in
-      let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
-      let message_representative:t_Array u8 (sz 64) =
-        derive_message_representative verification_key_hash
-          domain_separation_context
-          message
-          message_representative
-      in
-      let verifier_challenge_as_ntt:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-        Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
-          (Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit
-              #v_Shake256
-              v_ONES_IN_VERIFIER_CHALLENGE
-              v_COMMITMENT_HASH_SIZE
-              signature.Libcrux_ml_dsa.Encoding.Signature.f_commitment_hash
-            <:
-            Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-      in
-      let w_approx:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-        v_ROWS_IN_A =
-        Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit
-          v_ROWS_IN_A
-          v_COLUMNS_IN_A
-          v_A_as_ntt
-          signature.Libcrux_ml_dsa.Encoding.Signature.f_signer_response
-          verifier_challenge_as_ntt
-          t1
-      in
-      let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE =
-        Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE
-      in
-      let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-        v_ROWS_IN_A =
-        Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit
-          v_ROWS_IN_A
-          v_GAMMA2
-          signature.Libcrux_ml_dsa.Encoding.Signature.f_hint
-          w_approx
-      in
-      let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE =
-        Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit
-          v_ROWS_IN_A
-          v_COMMITMENT_RING_ELEMENT_SIZE
-          v_COMMITMENT_VECTOR_SIZE
-          commitment
-      in
-      let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-        Libcrux_ml_dsa.Hash_functions.Portable.shake256_init ()
-      in
-      let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-        Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake
-          (message_representative <: t_Slice u8)
-      in
-      let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze =
-        Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake
-          (commitment_serialized <: t_Slice u8)
-      in
-      let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze &
-        t_Array u8 v_COMMITMENT_HASH_SIZE) =
-        Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake commitment_hash
-      in
-      let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in
-      let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in
-      let _:Prims.unit = () in
-      let _:Prims.unit = () in
-      if signature.Libcrux_ml_dsa.Encoding.Signature.f_commitment_hash <>. commitment_hash
-      then
-        Core.Result.Result_Err
-        (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError
-          <:
-          Libcrux_ml_dsa.Types.t_VerificationError)
-        <:
-        Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-      else
-        Core.Result.Result_Ok (() <: Prims.unit)
-        <:
-        Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-    else
-      Core.Result.Result_Err
-      (Libcrux_ml_dsa.Types.VerificationError_SignerResponseExceedsBoundError
-        <:
-        Libcrux_ml_dsa.Types.t_VerificationError)
-      <:
-      Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-  | Core.Result.Result_Err err ->
-    Core.Result.Result_Err err
-    <:
-    Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-
-let verify
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0)
-      (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
-          usize)
-      (v_GAMMA2 v_BETA: i32)
-      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
-          usize)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
-          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i5:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
-      (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE)
-      (message context: t_Slice u8)
-      (signature_serialized: t_Array u8 v_SIGNATURE_SIZE)
-     =
-  match
-    Libcrux_ml_dsa.Pre_hash.impl_1__new context
-      (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
-  with
-  | Core.Result.Result_Ok hoist41 ->
-    verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A
-      v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2
-      v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
-      v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message
-      (Core.Option.Option_Some hoist41
-        <:
-        Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized
-  | Core.Result.Result_Err err ->
-    Core.Result.Result_Err
-    (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError
-        #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
-        #FStar.Tactics.Typeclasses.solve
-        err)
-    <:
-    Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-
-let verify_pre_hashed
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0)
-      (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
-          usize)
-      (v_GAMMA2 v_BETA: i32)
-      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
-          usize)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
-          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i5:
-          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i6:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i7:
-          Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN)
-      (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE)
-      (message context: t_Slice u8)
-      (signature_serialized: t_Array u8 v_SIGNATURE_SIZE)
-     =
-  let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN =
-    Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message
-  in
-  match
-    Libcrux_ml_dsa.Pre_hash.impl_1__new context
-      (Core.Option.Option_Some
-        (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve ()
-          <:
-          t_Array u8 (sz 11))
-        <:
-        Core.Option.t_Option (t_Array u8 (sz 11)))
-  with
-  | Core.Result.Result_Ok hoist43 ->
-    verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A
-      v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2
-      v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
-      v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized
-      (pre_hashed_message <: t_Slice u8)
-      (Core.Option.Option_Some hoist43
-        <:
-        Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized
-  | Core.Result.Result_Err err ->
-    Core.Result.Result_Err
-    (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError
-        #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
-        #FStar.Tactics.Typeclasses.solve
-        err)
-    <:
-    Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-
 let generate_key_pair
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0)
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE:
           usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
+          i6:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i5:
+          i8:
           Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i6:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
+          i9:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i7:
+          i10:
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i11:
           Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
       (randomness: t_Array u8 (sz 32))
      =
   let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_init ()
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve ()
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8)
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
+      (randomness <: t_Slice u8)
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake
+  let shake:v_Shake256Xof =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
       ((let list = [cast (v_ROWS_IN_A <: usize) <: u8; cast (v_COLUMNS_IN_A <: usize) <: u8] in
           FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
           Rust_primitives.Hax.array_of_list 2 list)
         <:
         t_Slice u8)
   in
-  let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 128)) =
-    Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake seed_expanded
+  let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) =
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+      #FStar.Tactics.Typeclasses.solve
+      shake
+      seed_expanded
   in
-  let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in
+  let shake:v_Shake256Xof = tmp0 in
   let seed_expanded:t_Array u8 (sz 128) = tmp1 in
   let _:Prims.unit = () in
+  let _:Prims.unit = () in
   let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) =
     Core.Slice.impl__split_at #u8
       (seed_expanded <: t_Slice u8)
@@ -914,7 +991,9 @@ let generate_key_pair
   let a_as_ntt:t_Array
     (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
     v_ROWS_IN_A =
-    Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit
+    Libcrux_ml_dsa.Samplex4.f_matrix_A #v_Sampler
+      #FStar.Tactics.Typeclasses.solve
+      #v_SIMDUnit
       v_ROWS_IN_A
       v_COLUMNS_IN_A
       (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) seed_for_a <: t_Array u8 (sz 34))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti
index abf9c8d7c..a1ac213b3 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti
@@ -9,6 +9,7 @@ let _ =
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Samplex4 in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
@@ -30,6 +31,8 @@ let _ =
 /// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA
 /// variant.
 val derive_message_representative
+      (#v_Shake256Xof: Type0)
+      {| i1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
       (verification_key_hash: t_Array u8 (sz 64))
       (domain_separation_context:
           Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
@@ -37,77 +40,21 @@ val derive_message_representative
       (message_representative: t_Array u8 (sz 64))
     : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True)
 
-/// The internal signing API.
-/// If no `domain_separation_context` is supplied, it is assumed that
-/// `message` already contains the domain separation.
-val sign_internal
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0)
-      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
-      (v_GAMMA2: i32)
-      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
-          usize)
-      {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
-      {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
-      {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
-      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
-      (message: t_Slice u8)
-      (domain_separation_context:
-          Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure
-      (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
-          Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
-
-val sign
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0)
-      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
-      (v_GAMMA2: i32)
-      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
-          usize)
-      {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
-      {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
-      {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
-      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
-      (message context: t_Slice u8)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure
-      (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
-          Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
-
-val sign_pre_hashed
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0)
-      (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT:
-          usize)
-      (v_GAMMA2: i32)
-      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
-          usize)
-      {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
-      {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
-      {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
-      {| i9: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |}
-      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
-      (message context: t_Slice u8)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure
-      (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
-          Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
-
 /// The internal verification API.
 /// If no `domain_separation_context` is supplied, it is assumed that
 /// `message` already contains the domain separation.
 val verify_internal
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0)
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
           usize)
       (v_GAMMA2 v_BETA: i32)
       (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
           usize)
-      {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
-      {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
+      {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+      {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+      {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+      {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
       (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE)
       (message: t_Slice u8)
       (domain_separation_context:
@@ -118,15 +65,17 @@ val verify_internal
       (fun _ -> Prims.l_True)
 
 val verify
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0)
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
           usize)
       (v_GAMMA2 v_BETA: i32)
       (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
           usize)
-      {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
-      {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
+      {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+      {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+      {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+      {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
       (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE)
       (message context: t_Slice u8)
       (signature_serialized: t_Array u8 v_SIGNATURE_SIZE)
@@ -135,16 +84,19 @@ val verify
       (fun _ -> Prims.l_True)
 
 val verify_pre_hashed
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0)
+      (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
       (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
           usize)
       (v_GAMMA2 v_BETA: i32)
       (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
           usize)
-      {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
-      {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
-      {| i7: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |}
+      {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+      {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |}
+      {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+      {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+      {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+      {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |}
       (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE)
       (message context: t_Slice u8)
       (signature_serialized: t_Array u8 v_SIGNATURE_SIZE)
@@ -152,15 +104,83 @@ val verify_pre_hashed
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+/// The internal signing API.
+/// If no `domain_separation_context` is supplied, it is assumed that
+/// `message` already contains the domain separation.
+val sign_internal
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
+      (v_GAMMA2: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
+          usize)
+      {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+      {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+      {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+      {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+      {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
+      (message: t_Slice u8)
+      (domain_separation_context:
+          Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure
+      (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
+          Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+val sign
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
+      (v_GAMMA2: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
+          usize)
+      {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+      {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+      {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+      {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+      {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
+      (message context: t_Slice u8)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure
+      (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
+          Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+val sign_pre_hashed
+      (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH:
+          Type0)
+      (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT:
+          usize)
+      (v_GAMMA2: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
+          usize)
+      {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+      {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |}
+      {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+      {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+      {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+      {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+      {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |}
+      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
+      (message context: t_Slice u8)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure
+      (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
+          Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
 /// Generate a key pair.
 val generate_key_pair
-      (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0)
+      (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE:
           usize)
-      {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
-      {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
-      {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+      {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+      {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+      {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+      {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+      {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE)
       Prims.l_True
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst
index 92db55cce..99e46c0e2 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst
@@ -9,6 +9,38 @@ let _ =
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1':
+    #v_SIMDUnit: Type0 ->
+    {| i1: Core.Clone.t_Clone v_SIMDUnit |} ->
+    {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+  -> Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit)
+
+let impl_1
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+     = impl_1' #v_SIMDUnit #i1 #i2
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2':
+    #v_SIMDUnit: Type0 ->
+    {| i1: Core.Marker.t_Copy v_SIMDUnit |} ->
+    {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+  -> Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit)
+
+let impl_2
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Marker.t_Copy v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+     = impl_2' #v_SIMDUnit #i1 #i2
+
 let impl__ZERO
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -32,7 +64,7 @@ let impl__ZERO
 let impl__from_i32_array
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (array: t_Slice i32)
      =
@@ -44,57 +76,55 @@ let impl__from_i32_array
       in
       ()
   in
-  let array_chunks:Core.Slice.Iter.t_Chunks i32 =
-    Core.Slice.impl__chunks #i32 array Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
   let result:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in
-  let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit) =
+  let result:t_PolynomialRingElement v_SIMDUnit =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT
-      (fun temp_0_ temp_1_ ->
-          let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 &
-            t_PolynomialRingElement v_SIMDUnit) =
-            temp_0_
-          in
+      (fun result temp_1_ ->
+          let result:t_PolynomialRingElement v_SIMDUnit = result in
           let _:usize = temp_1_ in
           true)
-      (array_chunks, result <: (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit))
-      (fun temp_0_ i ->
-          let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 &
-            t_PolynomialRingElement v_SIMDUnit) =
-            temp_0_
-          in
+      result
+      (fun result i ->
+          let result:t_PolynomialRingElement v_SIMDUnit = result in
           let i:usize = i in
-          let tmp0, out:(Core.Slice.Iter.t_Chunks i32 & Core.Option.t_Option (t_Slice i32)) =
-            Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks i32)
-              #FStar.Tactics.Typeclasses.solve
-              array_chunks
-          in
-          let array_chunks:Core.Slice.Iter.t_Chunks i32 = tmp0 in
-          array_chunks,
-          ({
-              result with
-              f_simd_units
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_simd_units
-                i
-                (Libcrux_ml_dsa.Simd.Traits.f_from_coefficient_array #v_SIMDUnit
-                    #FStar.Tactics.Typeclasses.solve
-                    (Core.Option.impl__unwrap #(t_Slice i32) out <: t_Slice i32)
-                  <:
-                  v_SIMDUnit)
-            }
+          {
+            result with
+            f_simd_units
+            =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_simd_units
+              i
+              (Libcrux_ml_dsa.Simd.Traits.f_from_coefficient_array #v_SIMDUnit
+                  #FStar.Tactics.Typeclasses.solve
+                  (array.[ {
+                        Core.Ops.Range.f_start
+                        =
+                        i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize;
+                        Core.Ops.Range.f_end
+                        =
+                        (i +! sz 1 <: usize) *!
+                        Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+                        <:
+                        usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice i32)
+                <:
+                v_SIMDUnit)
             <:
-            t_PolynomialRingElement v_SIMDUnit)
+            t_Array v_SIMDUnit (sz 32)
+          }
           <:
-          (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit))
+          t_PolynomialRingElement v_SIMDUnit)
   in
   result
 
 let impl__add
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (self rhs: t_PolynomialRingElement v_SIMDUnit)
      =
@@ -133,7 +163,7 @@ let impl__add
 let impl__infinity_norm_exceeds
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (self: t_PolynomialRingElement v_SIMDUnit)
       (bound: i32)
@@ -163,7 +193,7 @@ let impl__infinity_norm_exceeds
 let impl__subtract
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (self rhs: t_PolynomialRingElement v_SIMDUnit)
      =
@@ -202,7 +232,7 @@ let impl__subtract
 let impl__to_i32_array
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (self: t_PolynomialRingElement v_SIMDUnit)
      =
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti
index 6f7a5837e..b9648e9ab 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti
@@ -13,6 +13,20 @@ type t_PolynomialRingElement
   (v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
   = { f_simd_units:t_Array v_SIMDUnit (sz 32) }
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1
+      (#v_SIMDUnit: Type0)
+      {| i1: Core.Clone.t_Clone v_SIMDUnit |}
+      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+    : Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2
+      (#v_SIMDUnit: Type0)
+      {| i1: Core.Marker.t_Copy v_SIMDUnit |}
+      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+    : Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit)
+
 val impl__ZERO:
     #v_SIMDUnit: Type0 ->
     {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} ->
@@ -21,31 +35,31 @@ val impl__ZERO:
 
 val impl__from_i32_array
       (#v_SIMDUnit: Type0)
-      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (array: t_Slice i32)
     : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True)
 
 val impl__add
       (#v_SIMDUnit: Type0)
-      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (self rhs: t_PolynomialRingElement v_SIMDUnit)
     : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True)
 
 val impl__infinity_norm_exceeds
       (#v_SIMDUnit: Type0)
-      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (self: t_PolynomialRingElement v_SIMDUnit)
       (bound: i32)
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
 val impl__subtract
       (#v_SIMDUnit: Type0)
-      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (self rhs: t_PolynomialRingElement v_SIMDUnit)
     : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True)
 
 val impl__to_i32_array
       (#v_SIMDUnit: Type0)
-      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (self: t_PolynomialRingElement v_SIMDUnit)
     : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst
index 839ac9c79..a9b6eddc8 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst
@@ -6,7 +6,6 @@ open FStar.Mul
 let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
-  let open Libcrux_ml_dsa.Hash_functions.Portable in
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   ()
 
@@ -14,18 +13,6 @@ let impl_1__context (self: t_DomainSeparationContext) = self.f_context
 
 let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid
 
-let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) =
-  if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN
-  then
-    Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError)
-    <:
-    Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError
-  else
-    Core.Result.Result_Ok
-    ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext)
-    <:
-    Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError
-
 let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) =
   match x with | DomainSeparationError_ContextTooLongError  -> isz 0
 
@@ -56,30 +43,62 @@ let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_Domai
     fun (e: t_DomainSeparationError) ->
       match e with
       | DomainSeparationError_ContextTooLongError  ->
-        Libcrux_ml_dsa.Types.VerificationError_ContextTooLongError
+        Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
         <:
         Libcrux_ml_dsa.Types.t_VerificationError
   }
 
+let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) =
+  if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN
+  then
+    Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError)
+    <:
+    Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError
+  else
+    Core.Result.Result_Ok
+    ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext)
+    <:
+    Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError
+
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 let impl: t_PreHash t_SHAKE128_PH (sz 256) =
   {
     f_oid_pre = (fun (_: Prims.unit) -> true);
     f_oid_post = (fun (_: Prims.unit) (out: t_Array u8 (sz 11)) -> true);
-    f_oid
+    f_oid = (fun (_: Prims.unit) -> v_SHAKE128_OID);
+    f_hash_pre
+    =
+    (fun
+        (#v_Shake128: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
+        (message: t_Slice u8)
+        ->
+        true);
+    f_hash_post
     =
-    (fun (_: Prims.unit) ->
-        let list = [6uy; 9uy; 96uy; 134uy; 72uy; 1uy; 101uy; 3uy; 4uy; 2uy; 11uy] in
-        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11);
-        Rust_primitives.Hax.array_of_list 11 list);
-    f_hash_pre = (fun (message: t_Slice u8) -> true);
-    f_hash_post = (fun (message: t_Slice u8) (out: t_Array u8 (sz 256)) -> true);
+    (fun
+        (#v_Shake128: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
+        (message: t_Slice u8)
+        (out: t_Array u8 (sz 256))
+        ->
+        true);
     f_hash
     =
-    fun (message: t_Slice u8) ->
+    fun
+      (#v_Shake128: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+        i1:
+        Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
+      (message: t_Slice u8)
+      ->
       let output:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in
       let output:t_Array u8 (sz 256) =
-        Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128
+        Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #v_Shake128
           #FStar.Tactics.Typeclasses.solve
           (sz 256)
           message
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti
index 2dc40559b..c23391618 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti
@@ -6,7 +6,6 @@ open FStar.Mul
 let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
-  let open Libcrux_ml_dsa.Hash_functions.Portable in
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   ()
 
@@ -27,12 +26,6 @@ val impl_1__pre_hash_oid (self: t_DomainSeparationContext)
 
 type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError
 
-/// `context` must be at most 255 bytes long.
-val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11)))
-    : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
 val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError)
     : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
 
@@ -41,10 +34,24 @@ class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = {
   f_oid_post:Prims.unit -> t_Array u8 (sz 11) -> Type0;
   f_oid:x0: Prims.unit
     -> Prims.Pure (t_Array u8 (sz 11)) (f_oid_pre x0) (fun result -> f_oid_post x0 result);
-  f_hash_pre:t_Slice u8 -> Type0;
-  f_hash_post:t_Slice u8 -> t_Array u8 v_DIGEST_LEN -> Type0;
-  f_hash:x0: t_Slice u8
-    -> Prims.Pure (t_Array u8 v_DIGEST_LEN) (f_hash_pre x0) (fun result -> f_hash_post x0 result)
+  f_hash_pre:
+      #v_Shake128: Type0 ->
+      {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} ->
+      t_Slice u8
+    -> Type0;
+  f_hash_post:
+      #v_Shake128: Type0 ->
+      {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} ->
+      t_Slice u8 ->
+      t_Array u8 v_DIGEST_LEN
+    -> Type0;
+  f_hash:
+      #v_Shake128: Type0 ->
+      {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} ->
+      x0: t_Slice u8
+    -> Prims.Pure (t_Array u8 v_DIGEST_LEN)
+        (f_hash_pre #v_Shake128 #i1 x0)
+        (fun result -> f_hash_post #v_Shake128 #i1 x0 result)
 }
 
 /// An implementation of the pre-hash trait for the SHAKE-128 XOF with
@@ -53,11 +60,22 @@ type t_SHAKE128_PH = | SHAKE128_PH : t_SHAKE128_PH
 
 let v_PRE_HASH_OID_LEN: usize = sz 11
 
+let v_SHAKE128_OID: t_Array u8 (sz 11) =
+  let list = [6uy; 9uy; 96uy; 134uy; 72uy; 1uy; 101uy; 3uy; 4uy; 2uy; 11uy] in
+  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11);
+  Rust_primitives.Hax.array_of_list 11 list
+
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl_2:Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl_3:Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError
 
+/// `context` must be at most 255 bytes long.
+val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11)))
+    : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 val impl:t_PreHash t_SHAKE128_PH (sz 256)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst
index 2c3c28d2f..da6c38417 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst
@@ -6,12 +6,14 @@ open FStar.Mul
 let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
-  let open Libcrux_ml_dsa.Hash_functions.Portable in
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
+let generate_domain_separator (row, column: (u8 & u8)) =
+  (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) <<! 8l <: u16)
+
 let update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) =
   let seed:t_Array u8 (sz 66) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed
@@ -27,6 +29,34 @@ let update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) =
   let hax_temp_output:t_Array u8 (sz 66) = seed in
   domain_separator, hax_temp_output <: (u16 & t_Array u8 (sz 66))
 
+let update_matrix
+      (#v_SIMDUnit: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (m:
+          t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A)
+      (i j: usize)
+      (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
+  let m:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize m
+      i
+      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (m.[ i ]
+            <:
+            t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+          j
+          v
+        <:
+        t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+  in
+  m
+
 let rejection_sample_less_than_eta_equals_2_
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -38,12 +68,12 @@ let rejection_sample_less_than_eta_equals_2_
      =
   let done:bool = false in
   let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact
             u8)
           #FStar.Tactics.Typeclasses.solve
-          (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8)
+          (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8)
         <:
-        Core.Slice.Iter.t_Chunks u8)
+        Core.Slice.Iter.t_ChunksExact u8)
       (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
       (fun temp_0_ random_bytes ->
           let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in
@@ -90,12 +120,12 @@ let rejection_sample_less_than_eta_equals_4_
      =
   let done:bool = false in
   let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact
             u8)
           #FStar.Tactics.Typeclasses.solve
-          (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8)
+          (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8)
         <:
-        Core.Slice.Iter.t_Chunks u8)
+        Core.Slice.Iter.t_ChunksExact u8)
       (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
       (fun temp_0_ random_bytes ->
           let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in
@@ -183,12 +213,12 @@ let rejection_sample_less_than_field_modulus
      =
   let done:bool = false in
   let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact
             u8)
           #FStar.Tactics.Typeclasses.solve
-          (Core.Slice.impl__chunks #u8 randomness (sz 24) <: Core.Slice.Iter.t_Chunks u8)
+          (Core.Slice.impl__chunks_exact #u8 randomness (sz 24) <: Core.Slice.Iter.t_ChunksExact u8)
         <:
-        Core.Slice.Iter.t_Chunks u8)
+        Core.Slice.Iter.t_ChunksExact u8)
       (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
       (fun temp_0_ random_bytes ->
           let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in
@@ -232,9 +262,10 @@ let inside_out_shuffle
      =
   let done:bool = false in
   let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8)
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter
+            u8)
           #FStar.Tactics.Typeclasses.solve
-          randomness
+          (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8)
         <:
         Core.Slice.Iter.t_Iter u8)
       (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64))
@@ -281,11 +312,11 @@ let sample_challenge_ring_element
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i3:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
       (seed: t_Array u8 v_SEED_SIZE)
      =
   let state:v_Shake256 =
-    Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb #v_Shake256
+    Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_final #v_Shake256
       #FStar.Tactics.Typeclasses.solve
       (seed <: t_Slice u8)
   in
@@ -681,364 +712,6 @@ let sample_four_error_ring_elements
     Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
     Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
 
-let sample_four_ring_elements
-      (#v_SIMDUnit: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (seed0: t_Array u8 (sz 34))
-      (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16)
-     =
-  let seed0:t_Array u8 (sz 34) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0
-      (sz 32)
-      (cast (domain_separator0 <: u16) <: u8)
-  in
-  let seed0:t_Array u8 (sz 34) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0
-      (sz 33)
-      (cast (domain_separator0 >>! 8l <: u16) <: u8)
-  in
-  let seed1:t_Array u8 (sz 34) = seed0 in
-  let seed1:t_Array u8 (sz 34) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1
-      (sz 32)
-      (cast (domain_separator1 <: u16) <: u8)
-  in
-  let seed1:t_Array u8 (sz 34) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1
-      (sz 33)
-      (cast (domain_separator1 >>! 8l <: u16) <: u8)
-  in
-  let seed2:t_Array u8 (sz 34) = seed0 in
-  let seed2:t_Array u8 (sz 34) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2
-      (sz 32)
-      (cast (domain_seperator2 <: u16) <: u8)
-  in
-  let seed2:t_Array u8 (sz 34) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2
-      (sz 33)
-      (cast (domain_seperator2 >>! 8l <: u16) <: u8)
-  in
-  let seed3:t_Array u8 (sz 34) = seed0 in
-  let seed3:t_Array u8 (sz 34) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3
-      (sz 32)
-      (cast (domain_separator3 <: u16) <: u8)
-  in
-  let seed3:t_Array u8 (sz 34) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3
-      (sz 33)
-      (cast (domain_separator3 >>! 8l <: u16) <: u8)
-  in
-  let state:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 =
-    Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4
-      #FStar.Tactics.Typeclasses.solve
-      (seed0 <: t_Slice u8)
-      (seed1 <: t_Slice u8)
-      (seed2 <: t_Slice u8)
-      (seed3 <: t_Slice u8)
-  in
-  let randomness0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
-  let randomness1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
-  let randomness2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
-  let randomness3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
-  let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 &
-    t_Array u8 (sz 840) &
-    t_Array u8 (sz 840) &
-    t_Array u8 (sz 840) &
-    t_Array u8 (sz 840)) =
-    Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4
-      #FStar.Tactics.Typeclasses.solve
-      state
-      randomness0
-      randomness1
-      randomness2
-      randomness3
-  in
-  let state:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 = tmp0 in
-  let randomness0:t_Array u8 (sz 840) = tmp1 in
-  let randomness1:t_Array u8 (sz 840) = tmp2 in
-  let randomness2:t_Array u8 (sz 840) = tmp3 in
-  let randomness3:t_Array u8 (sz 840) = tmp4 in
-  let _:Prims.unit = () in
-  let coefficients0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in
-  let coefficients1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in
-  let coefficients2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in
-  let coefficients3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in
-  let sampled0:usize = sz 0 in
-  let sampled1:usize = sz 0 in
-  let sampled2:usize = sz 0 in
-  let sampled3:usize = sz 0 in
-  let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
-    rejection_sample_less_than_field_modulus #v_SIMDUnit
-      (randomness0 <: t_Slice u8)
-      sampled0
-      coefficients0
-  in
-  let sampled0:usize = tmp0 in
-  let coefficients0:t_Array i32 (sz 263) = tmp1 in
-  let done0:bool = out in
-  let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
-    rejection_sample_less_than_field_modulus #v_SIMDUnit
-      (randomness1 <: t_Slice u8)
-      sampled1
-      coefficients1
-  in
-  let sampled1:usize = tmp0 in
-  let coefficients1:t_Array i32 (sz 263) = tmp1 in
-  let done1:bool = out in
-  let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
-    rejection_sample_less_than_field_modulus #v_SIMDUnit
-      (randomness2 <: t_Slice u8)
-      sampled2
-      coefficients2
-  in
-  let sampled2:usize = tmp0 in
-  let coefficients2:t_Array i32 (sz 263) = tmp1 in
-  let done2:bool = out in
-  let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
-    rejection_sample_less_than_field_modulus #v_SIMDUnit
-      (randomness3 <: t_Slice u8)
-      sampled3
-      coefficients3
-  in
-  let sampled3:usize = tmp0 in
-  let coefficients3:t_Array i32 (sz 263) = tmp1 in
-  let done3:bool = out in
-  let
-  coefficients0,
-  coefficients1,
-  coefficients2,
-  coefficients3,
-  done0,
-  done1,
-  done2,
-  done3,
-  sampled0,
-  sampled1,
-  sampled2,
-  sampled3,
-  state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) &
-    bool &
-    bool &
-    bool &
-    bool &
-    usize &
-    usize &
-    usize &
-    usize &
-    Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4) =
-    Rust_primitives.f_while_loop (fun temp_0_ ->
-          let
-          coefficients0,
-          coefficients1,
-          coefficients2,
-          coefficients3,
-          done0,
-          done1,
-          done2,
-          done3,
-          sampled0,
-          sampled1,
-          sampled2,
-          sampled3,
-          state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) &
-            t_Array i32 (sz 263) &
-            bool &
-            bool &
-            bool &
-            bool &
-            usize &
-            usize &
-            usize &
-            usize &
-            Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4) =
-            temp_0_
-          in
-          (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool))
-      (coefficients0,
-        coefficients1,
-        coefficients2,
-        coefficients3,
-        done0,
-        done1,
-        done2,
-        done3,
-        sampled0,
-        sampled1,
-        sampled2,
-        sampled3,
-        state
-        <:
-        (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) &
-          bool &
-          bool &
-          bool &
-          bool &
-          usize &
-          usize &
-          usize &
-          usize &
-          Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4))
-      (fun temp_0_ ->
-          let
-          coefficients0,
-          coefficients1,
-          coefficients2,
-          coefficients3,
-          done0,
-          done1,
-          done2,
-          done3,
-          sampled0,
-          sampled1,
-          sampled2,
-          sampled3,
-          state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) &
-            t_Array i32 (sz 263) &
-            bool &
-            bool &
-            bool &
-            bool &
-            usize &
-            usize &
-            usize &
-            usize &
-            Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4) =
-            temp_0_
-          in
-          let tmp0, out:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 &
-            (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
-          =
-            Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4
-              #FStar.Tactics.Typeclasses.solve
-              state
-          in
-          let state:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 = tmp0 in
-          let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) &
-            t_Array u8 (sz 168)) =
-            out
-          in
-          let coefficients0, done0, sampled0:(t_Array i32 (sz 263) & bool & usize) =
-            if ~.done0
-            then
-              let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
-                rejection_sample_less_than_field_modulus #v_SIMDUnit
-                  (randomnesses._1 <: t_Slice u8)
-                  sampled0
-                  coefficients0
-              in
-              let sampled0:usize = tmp0 in
-              let coefficients0:t_Array i32 (sz 263) = tmp1 in
-              let done0:bool = out in
-              coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize)
-            else coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize)
-          in
-          let coefficients1, done1, sampled1:(t_Array i32 (sz 263) & bool & usize) =
-            if ~.done1
-            then
-              let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
-                rejection_sample_less_than_field_modulus #v_SIMDUnit
-                  (randomnesses._2 <: t_Slice u8)
-                  sampled1
-                  coefficients1
-              in
-              let sampled1:usize = tmp0 in
-              let coefficients1:t_Array i32 (sz 263) = tmp1 in
-              let done1:bool = out in
-              coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize)
-            else coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize)
-          in
-          let coefficients2, done2, sampled2:(t_Array i32 (sz 263) & bool & usize) =
-            if ~.done2
-            then
-              let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
-                rejection_sample_less_than_field_modulus #v_SIMDUnit
-                  (randomnesses._3 <: t_Slice u8)
-                  sampled2
-                  coefficients2
-              in
-              let sampled2:usize = tmp0 in
-              let coefficients2:t_Array i32 (sz 263) = tmp1 in
-              let done2:bool = out in
-              coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize)
-            else coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize)
-          in
-          if ~.done3
-          then
-            let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
-              rejection_sample_less_than_field_modulus #v_SIMDUnit
-                (randomnesses._4 <: t_Slice u8)
-                sampled3
-                coefficients3
-            in
-            let sampled3:usize = tmp0 in
-            let coefficients3:t_Array i32 (sz 263) = tmp1 in
-            let done3:bool = out in
-            coefficients0,
-            coefficients1,
-            coefficients2,
-            coefficients3,
-            done0,
-            done1,
-            done2,
-            done3,
-            sampled0,
-            sampled1,
-            sampled2,
-            sampled3,
-            state
-            <:
-            (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) &
-              t_Array i32 (sz 263) &
-              bool &
-              bool &
-              bool &
-              bool &
-              usize &
-              usize &
-              usize &
-              usize &
-              Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4)
-          else
-            coefficients0,
-            coefficients1,
-            coefficients2,
-            coefficients3,
-            done0,
-            done1,
-            done2,
-            done3,
-            sampled0,
-            sampled1,
-            sampled2,
-            sampled3,
-            state
-            <:
-            (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) &
-              t_Array i32 (sz 263) &
-              bool &
-              bool &
-              bool &
-              bool &
-              usize &
-              usize &
-              usize &
-              usize &
-              Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4))
-  in
-  Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients0 <: t_Slice i32),
-  Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients1 <: t_Slice i32),
-  Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients2 <: t_Slice i32),
-  Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients3 <: t_Slice i32)
-  <:
-  (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-
 let sample_mask_ring_element
       (#v_SIMDUnit #v_Shake256: Type0)
       (v_GAMMA1_EXPONENT: usize)
@@ -1047,35 +720,55 @@ let sample_mask_ring_element
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i3:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
       (seed: t_Array u8 (sz 66))
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
      =
-  match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with
-  | 17uy ->
-    let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
-    let out:t_Array u8 (sz 576) =
-      Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
-        #FStar.Tactics.Typeclasses.solve
-        (sz 576)
-        (seed <: t_Slice u8)
-        out
-    in
-    Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8)
-  | 19uy ->
-    let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in
-    let out:t_Array u8 (sz 640) =
-      Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
-        #FStar.Tactics.Typeclasses.solve
-        (sz 640)
-        (seed <: t_Slice u8)
-        out
-    in
-    Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8)
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+  let result, hax_temp_output:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
+    Prims.unit) =
+    match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with
+    | 17uy ->
+      let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
+      let out:t_Array u8 (sz 576) =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
+          #FStar.Tactics.Typeclasses.solve
+          (sz 576)
+          (seed <: t_Slice u8)
+          out
+      in
+      let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+        Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
+          v_GAMMA1_EXPONENT
+          (out <: t_Slice u8)
+          result
+      in
+      result, () <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Prims.unit)
+    | 19uy ->
+      let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in
+      let out:t_Array u8 (sz 640) =
+        Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
+          #FStar.Tactics.Typeclasses.solve
+          (sz 640)
+          (seed <: t_Slice u8)
+          out
+      in
+      let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+        Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
+          v_GAMMA1_EXPONENT
+          (out <: t_Slice u8)
+          result
+      in
+      result, () <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Prims.unit)
+    | _ ->
+      result,
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
-        <:
-        Rust_primitives.Hax.t_Never)
+          <:
+          Rust_primitives.Hax.t_Never)
+      <:
+      (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Prims.unit)
+  in
+  result
 
 let sample_mask_vector
       (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0)
@@ -1085,7 +778,7 @@ let sample_mask_vector
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i4:
-          Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256)
+          Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i5:
           Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
@@ -1143,6 +836,7 @@ let sample_mask_vector
           (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
               v_GAMMA1_EXPONENT
               (out0 <: t_Slice u8)
+              (mask.[ sz 0 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       in
@@ -1152,6 +846,7 @@ let sample_mask_vector
           (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
               v_GAMMA1_EXPONENT
               (out1 <: t_Slice u8)
+              (mask.[ sz 1 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       in
@@ -1161,6 +856,7 @@ let sample_mask_vector
           (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
               v_GAMMA1_EXPONENT
               (out2 <: t_Slice u8)
+              (mask.[ sz 2 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       in
@@ -1170,6 +866,7 @@ let sample_mask_vector
           (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
               v_GAMMA1_EXPONENT
               (out3 <: t_Slice u8)
+              (mask.[ sz 3 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       in
@@ -1196,6 +893,7 @@ let sample_mask_vector
           (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
               v_GAMMA1_EXPONENT
               (out0 <: t_Slice u8)
+              (mask.[ sz 0 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       in
@@ -1205,6 +903,7 @@ let sample_mask_vector
           (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
               v_GAMMA1_EXPONENT
               (out1 <: t_Slice u8)
+              (mask.[ sz 1 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       in
@@ -1214,6 +913,7 @@ let sample_mask_vector
           (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
               v_GAMMA1_EXPONENT
               (out2 <: t_Slice u8)
+              (mask.[ sz 2 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       in
@@ -1223,6 +923,7 @@ let sample_mask_vector
           (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
               v_GAMMA1_EXPONENT
               (out3 <: t_Slice u8)
+              (mask.[ sz 3 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       in
@@ -1268,7 +969,11 @@ let sample_mask_vector
             v_DIMENSION =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask
               i
-              (sample_mask_ring_element #v_SIMDUnit #v_Shake256 v_GAMMA1_EXPONENT seed
+              (sample_mask_ring_element #v_SIMDUnit
+                  #v_Shake256
+                  v_GAMMA1_EXPONENT
+                  seed
+                  (mask.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
                 <:
                 Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
           in
@@ -1284,3 +989,324 @@ let sample_mask_vector
   domain_separator, hax_temp_output
   <:
   (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)
+
+let sample_up_to_four_ring_elements
+      (#v_SIMDUnit #v_Shake128: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128)
+      (seed0: t_Array u8 (sz 34))
+      (matrix:
+          t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A)
+      (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840))
+      (tmp_stack: t_Slice (t_Array i32 (sz 263)))
+      (indices: t_Array (u8 & u8) (sz 4))
+      (elements_requested: usize)
+     =
+  let _:Prims.unit =
+    if true
+    then
+      let _:Prims.unit = Hax_lib.v_assert (elements_requested <=. sz 4 <: bool) in
+      ()
+  in
+  let domain_separator0:u16 = generate_domain_separator (indices.[ sz 0 ] <: (u8 & u8)) in
+  let domain_separator1:u16 = generate_domain_separator (indices.[ sz 1 ] <: (u8 & u8)) in
+  let domain_separator2:u16 = generate_domain_separator (indices.[ sz 2 ] <: (u8 & u8)) in
+  let domain_separator3:u16 = generate_domain_separator (indices.[ sz 3 ] <: (u8 & u8)) in
+  let seed0:t_Array u8 (sz 34) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0
+      (sz 32)
+      (cast (domain_separator0 <: u16) <: u8)
+  in
+  let seed0:t_Array u8 (sz 34) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0
+      (sz 33)
+      (cast (domain_separator0 >>! 8l <: u16) <: u8)
+  in
+  let seed1:t_Array u8 (sz 34) = seed0 in
+  let seed1:t_Array u8 (sz 34) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1
+      (sz 32)
+      (cast (domain_separator1 <: u16) <: u8)
+  in
+  let seed1:t_Array u8 (sz 34) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1
+      (sz 33)
+      (cast (domain_separator1 >>! 8l <: u16) <: u8)
+  in
+  let seed2:t_Array u8 (sz 34) = seed0 in
+  let seed2:t_Array u8 (sz 34) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2
+      (sz 32)
+      (cast (domain_separator2 <: u16) <: u8)
+  in
+  let seed2:t_Array u8 (sz 34) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2
+      (sz 33)
+      (cast (domain_separator2 >>! 8l <: u16) <: u8)
+  in
+  let seed3:t_Array u8 (sz 34) = seed0 in
+  let seed3:t_Array u8 (sz 34) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3
+      (sz 32)
+      (cast (domain_separator3 <: u16) <: u8)
+  in
+  let seed3:t_Array u8 (sz 34) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3
+      (sz 33)
+      (cast (domain_separator3 >>! 8l <: u16) <: u8)
+  in
+  let state:v_Shake128 =
+    Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128
+      #FStar.Tactics.Typeclasses.solve
+      (seed0 <: t_Slice u8)
+      (seed1 <: t_Slice u8)
+      (seed2 <: t_Slice u8)
+      (seed3 <: t_Slice u8)
+  in
+  let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840)) =
+    Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128
+      #FStar.Tactics.Typeclasses.solve
+      state
+      rand_stack0
+      rand_stack1
+      rand_stack2
+      rand_stack3
+  in
+  let state:v_Shake128 = tmp0 in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let _:Prims.unit = () in
+  let sampled0:usize = sz 0 in
+  let sampled1:usize = sz 0 in
+  let sampled2:usize = sz 0 in
+  let sampled3:usize = sz 0 in
+  let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+    rejection_sample_less_than_field_modulus #v_SIMDUnit
+      (rand_stack0 <: t_Slice u8)
+      sampled0
+      (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263))
+  in
+  let sampled0:usize = tmp0 in
+  let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1
+  in
+  let done0:bool = out in
+  let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+    rejection_sample_less_than_field_modulus #v_SIMDUnit
+      (rand_stack1 <: t_Slice u8)
+      sampled1
+      (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263))
+  in
+  let sampled1:usize = tmp0 in
+  let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1
+  in
+  let done1:bool = out in
+  let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+    rejection_sample_less_than_field_modulus #v_SIMDUnit
+      (rand_stack2 <: t_Slice u8)
+      sampled2
+      (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263))
+  in
+  let sampled2:usize = tmp0 in
+  let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1
+  in
+  let done2:bool = out in
+  let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+    rejection_sample_less_than_field_modulus #v_SIMDUnit
+      (rand_stack3 <: t_Slice u8)
+      sampled3
+      (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263))
+  in
+  let sampled3:usize = tmp0 in
+  let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1
+  in
+  let done3:bool = out in
+  let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool &
+    bool &
+    bool &
+    bool &
+    usize &
+    usize &
+    usize &
+    usize &
+    v_Shake128 &
+    t_Slice (t_Array i32 (sz 263))) =
+    Rust_primitives.f_while_loop (fun temp_0_ ->
+          let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool &
+            bool &
+            bool &
+            bool &
+            usize &
+            usize &
+            usize &
+            usize &
+            v_Shake128 &
+            t_Slice (t_Array i32 (sz 263))) =
+            temp_0_
+          in
+          (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool))
+      (done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack
+        <:
+        (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 &
+          t_Slice (t_Array i32 (sz 263))))
+      (fun temp_0_ ->
+          let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool &
+            bool &
+            bool &
+            bool &
+            usize &
+            usize &
+            usize &
+            usize &
+            v_Shake128 &
+            t_Slice (t_Array i32 (sz 263))) =
+            temp_0_
+          in
+          let tmp0, out:(v_Shake128 &
+            (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+          =
+            Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128
+              #FStar.Tactics.Typeclasses.solve
+              state
+          in
+          let state:v_Shake128 = tmp0 in
+          let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) &
+            t_Array u8 (sz 168)) =
+            out
+          in
+          let done0, sampled0, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) =
+            if ~.done0
+            then
+              let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+                rejection_sample_less_than_field_modulus #v_SIMDUnit
+                  (randomnesses._1 <: t_Slice u8)
+                  sampled0
+                  (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263))
+              in
+              let sampled0:usize = tmp0 in
+              let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1
+              in
+              let done0:bool = out in
+              done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
+            else done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
+          in
+          let done1, sampled1, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) =
+            if ~.done1
+            then
+              let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+                rejection_sample_less_than_field_modulus #v_SIMDUnit
+                  (randomnesses._2 <: t_Slice u8)
+                  sampled1
+                  (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263))
+              in
+              let sampled1:usize = tmp0 in
+              let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1
+              in
+              let done1:bool = out in
+              done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
+            else done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
+          in
+          let done2, sampled2, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) =
+            if ~.done2
+            then
+              let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+                rejection_sample_less_than_field_modulus #v_SIMDUnit
+                  (randomnesses._3 <: t_Slice u8)
+                  sampled2
+                  (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263))
+              in
+              let sampled2:usize = tmp0 in
+              let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1
+              in
+              let done2:bool = out in
+              done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
+            else done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
+          in
+          if ~.done3
+          then
+            let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+              rejection_sample_less_than_field_modulus #v_SIMDUnit
+                (randomnesses._4 <: t_Slice u8)
+                sampled3
+                (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263))
+            in
+            let sampled3:usize = tmp0 in
+            let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1
+            in
+            let done3:bool = out in
+            done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack
+            <:
+            (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 &
+              t_Slice (t_Array i32 (sz 263)))
+          else
+            done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack
+            <:
+            (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 &
+              t_Slice (t_Array i32 (sz 263))))
+  in
+  let matrix:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      elements_requested
+      (fun matrix temp_1_ ->
+          let matrix:t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A =
+            matrix
+          in
+          let _:usize = temp_1_ in
+          true)
+      matrix
+      (fun matrix k ->
+          let matrix:t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A =
+            matrix
+          in
+          let k:usize = k in
+          let i, j:(u8 & u8) = indices.[ k ] in
+          let matrix:t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A =
+            update_matrix #v_SIMDUnit
+              v_ROWS_IN_A
+              v_COLUMNS_IN_A
+              matrix
+              (cast (i <: u8) <: usize)
+              (cast (j <: u8) <: usize)
+              (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit
+                  (tmp_stack.[ k ] <: t_Slice i32)
+                <:
+                Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+          in
+          matrix)
+  in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
+  matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack
+  <:
+  (t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Slice (t_Array i32 (sz 263)))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti
index 6f4c4d09d..5e6082b9b 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti
@@ -6,15 +6,31 @@ open FStar.Mul
 let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
-  let open Libcrux_ml_dsa.Hash_functions.Portable in
   let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
+val generate_domain_separator: (u8 & u8) -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
+
 val update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16)
     : Prims.Pure (u16 & t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True)
 
+val update_matrix
+      (#v_SIMDUnit: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (m:
+          t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A)
+      (i j: usize)
+      (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure
+      (t_Array
+          (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+          v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True)
+
 val rejection_sample_less_than_eta_equals_2_
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -59,7 +75,7 @@ val sample_challenge_ring_element
       (#v_SIMDUnit #v_Shake256: Type0)
       (v_NUMBER_OF_ONES v_SEED_SIZE: usize)
       {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
+      {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
       (seed: t_Array u8 v_SEED_SIZE)
     : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
@@ -80,25 +96,13 @@ val sample_four_error_ring_elements
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val sample_four_ring_elements
-      (#v_SIMDUnit: Type0)
-      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      (seed0: t_Array u8 (sz 34))
-      (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16)
-    : Prims.Pure
-      (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-        Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-        Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-        Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
 val sample_mask_ring_element
       (#v_SIMDUnit #v_Shake256: Type0)
       (v_GAMMA1_EXPONENT: usize)
       {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
+      {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
       (seed: t_Array u8 (sz 66))
+      (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
     : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
       (fun _ -> Prims.l_True)
@@ -107,7 +111,7 @@ val sample_mask_vector
       (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0)
       (v_DIMENSION v_GAMMA1_EXPONENT: usize)
       {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      {| i4: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |}
+      {| i4: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
       {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
       (seed: t_Array u8 (sz 66))
       (domain_separator: u16)
@@ -115,3 +119,34 @@ val sample_mask_vector
       (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Sample and write out up to four ring elements.
+/// If i <= `elements_requested`, a field element with domain separated
+/// seed according to the provided index is generated in
+/// `tmp_stack[i]`. After successful rejection sampling in
+/// `tmp_stack[i]`, the ring element is written to `matrix` at the
+/// provided index in `indices[i]`.
+/// `rand_stack` is a working buffer that holds initial Shake output.
+val sample_up_to_four_ring_elements
+      (#v_SIMDUnit #v_Shake128: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
+      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |}
+      (seed0: t_Array u8 (sz 34))
+      (matrix:
+          t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A)
+      (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840))
+      (tmp_stack: t_Slice (t_Array i32 (sz 263)))
+      (indices: t_Array (u8 & u8) (sz 4))
+      (elements_requested: usize)
+    : Prims.Pure
+      (t_Array
+          (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+          v_ROWS_IN_A &
+        t_Array u8 (sz 840) &
+        t_Array u8 (sz 840) &
+        t_Array u8 (sz 840) &
+        t_Array u8 (sz 840) &
+        t_Slice (t_Array i32 (sz 263))) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst
new file mode 100644
index 000000000..96cf97528
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst
@@ -0,0 +1,92 @@
+module Libcrux_ml_dsa.Samplex4.Avx2
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+  let open Libcrux_ml_dsa.Hash_functions.Simd256 in
+  let open Libcrux_ml_dsa.Simd.Traits in
+  ()
+
+let matrix_A_avx2
+      (#v_SIMDUnit: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (seed: t_Array u8 (sz 34))
+     =
+  match
+    (cast (v_ROWS_IN_A <: usize) <: u8), (cast (v_COLUMNS_IN_A <: usize) <: u8) <: (u8 & u8)
+  with
+  | 4uy, 4uy ->
+    Libcrux_ml_dsa.Samplex4.matrix_A_4_by_4_ #v_SIMDUnit
+      #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+      v_ROWS_IN_A
+      v_COLUMNS_IN_A
+      seed
+  | 6uy, 5uy ->
+    Libcrux_ml_dsa.Samplex4.matrix_A_6_by_5_ #v_SIMDUnit
+      #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+      v_ROWS_IN_A
+      v_COLUMNS_IN_A
+      seed
+  | 8uy, 7uy ->
+    Libcrux_ml_dsa.Samplex4.matrix_A_8_by_7_ #v_SIMDUnit
+      #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+      v_ROWS_IN_A
+      v_COLUMNS_IN_A
+      seed
+  | _ ->
+    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
+        <:
+        Rust_primitives.Hax.t_Never)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_dsa.Samplex4.t_X4Sampler t_AVX2Sampler =
+  {
+    f_matrix_A_pre
+    =
+    (fun
+        (#v_SIMDUnit: Type0)
+        (v_ROWS_IN_A: usize)
+        (v_COLUMNS_IN_A: usize)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+        (seed: t_Array u8 (sz 34))
+        ->
+        true);
+    f_matrix_A_post
+    =
+    (fun
+        (#v_SIMDUnit: Type0)
+        (v_ROWS_IN_A: usize)
+        (v_COLUMNS_IN_A: usize)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+        (seed: t_Array u8 (sz 34))
+        (out:
+          t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A)
+        ->
+        true);
+    f_matrix_A
+    =
+    fun
+      (#v_SIMDUnit: Type0)
+      (v_ROWS_IN_A: usize)
+      (v_COLUMNS_IN_A: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+        i1:
+        Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (seed: t_Array u8 (sz 34))
+      ->
+      matrix_A_avx2 #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A seed
+  }
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti
new file mode 100644
index 000000000..618fe2e20
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti
@@ -0,0 +1,27 @@
+module Libcrux_ml_dsa.Samplex4.Avx2
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+  let open Libcrux_ml_dsa.Hash_functions.Simd256 in
+  let open Libcrux_ml_dsa.Simd.Traits in
+  ()
+
+type t_AVX2Sampler = | AVX2Sampler : t_AVX2Sampler
+
+val matrix_A_avx2
+      (#v_SIMDUnit: Type0)
+      (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (seed: t_Array u8 (sz 34))
+    : Prims.Pure
+      (t_Array
+          (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+          v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Libcrux_ml_dsa.Samplex4.t_X4Sampler t_AVX2Sampler
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst
new file mode 100644
index 000000000..9d975149f
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst
@@ -0,0 +1,61 @@
+module Libcrux_ml_dsa.Samplex4.Neon
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Neon in
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+  let open Libcrux_ml_dsa.Simd.Traits in
+  ()
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_dsa.Samplex4.t_X4Sampler t_NeonSampler =
+  {
+    f_matrix_A_pre
+    =
+    (fun
+        (#v_SIMDUnit: Type0)
+        (v_ROWS_IN_A: usize)
+        (v_COLUMNS_IN_A: usize)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+        (seed: t_Array u8 (sz 34))
+        ->
+        true);
+    f_matrix_A_post
+    =
+    (fun
+        (#v_SIMDUnit: Type0)
+        (v_ROWS_IN_A: usize)
+        (v_COLUMNS_IN_A: usize)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+        (seed: t_Array u8 (sz 34))
+        (out:
+          t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A)
+        ->
+        true);
+    f_matrix_A
+    =
+    fun
+      (#v_SIMDUnit: Type0)
+      (v_ROWS_IN_A: usize)
+      (v_COLUMNS_IN_A: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+        i1:
+        Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (seed: t_Array u8 (sz 34))
+      ->
+      Libcrux_ml_dsa.Samplex4.matrix_A_generic #v_SIMDUnit
+        #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
+        v_ROWS_IN_A
+        v_COLUMNS_IN_A
+        seed
+  }
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fsti
new file mode 100644
index 000000000..3a407290f
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fsti
@@ -0,0 +1,17 @@
+module Libcrux_ml_dsa.Samplex4.Neon
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Neon in
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+  let open Libcrux_ml_dsa.Simd.Traits in
+  ()
+
+type t_NeonSampler = | NeonSampler : t_NeonSampler
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Libcrux_ml_dsa.Samplex4.t_X4Sampler t_NeonSampler
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst
new file mode 100644
index 000000000..47473f479
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst
@@ -0,0 +1,61 @@
+module Libcrux_ml_dsa.Samplex4.Portable
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Portable in
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+  let open Libcrux_ml_dsa.Simd.Traits in
+  ()
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_dsa.Samplex4.t_X4Sampler t_PortableSampler =
+  {
+    f_matrix_A_pre
+    =
+    (fun
+        (#v_SIMDUnit: Type0)
+        (v_ROWS_IN_A: usize)
+        (v_COLUMNS_IN_A: usize)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+        (seed: t_Array u8 (sz 34))
+        ->
+        true);
+    f_matrix_A_post
+    =
+    (fun
+        (#v_SIMDUnit: Type0)
+        (v_ROWS_IN_A: usize)
+        (v_COLUMNS_IN_A: usize)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+        (seed: t_Array u8 (sz 34))
+        (out:
+          t_Array
+            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+            v_ROWS_IN_A)
+        ->
+        true);
+    f_matrix_A
+    =
+    fun
+      (#v_SIMDUnit: Type0)
+      (v_ROWS_IN_A: usize)
+      (v_COLUMNS_IN_A: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+        i1:
+        Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (seed: t_Array u8 (sz 34))
+      ->
+      Libcrux_ml_dsa.Samplex4.matrix_A_generic #v_SIMDUnit
+        #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4
+        v_ROWS_IN_A
+        v_COLUMNS_IN_A
+        seed
+  }
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fsti
new file mode 100644
index 000000000..8764f68b8
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fsti
@@ -0,0 +1,17 @@
+module Libcrux_ml_dsa.Samplex4.Portable
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Portable in
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+  let open Libcrux_ml_dsa.Simd.Traits in
+  ()
+
+type t_PortableSampler = | PortableSampler : t_PortableSampler
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Libcrux_ml_dsa.Samplex4.t_X4Sampler t_PortableSampler
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst
index 06a86b638..e4e0c4571 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst
@@ -6,47 +6,20 @@ open FStar.Mul
 let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
-let generate_domain_separator (row column: u8) =
-  (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) <<! 8l <: u16)
-
-let update_matrix
-      (#v_SIMDUnit: Type0)
-      (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (m:
-          t_Array
-            (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-            v_ROWS_IN_A)
-      (i j: usize)
-      (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-     =
-  let m:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize m
-      i
-      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (m.[ i ]
-            <:
-            t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-          j
-          v
-        <:
-        t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-  in
-  m
-
 let matrix_A_4_by_4_
-      (#v_SIMDUnit: Type0)
+      (#v_SIMDUnit #v_Shake128: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
+          i2:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128)
       (seed: t_Array u8 (sz 34))
      =
   let
@@ -64,138 +37,161 @@ let matrix_A_4_by_4_
         t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
       v_ROWS_IN_A
   in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 0uy 0uy <: u16)
-      (generate_domain_separator 0uy 1uy <: u16)
-      (generate_domain_separator 0uy 2uy <: u16)
-      (generate_domain_separator 0uy 3uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 0) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 1) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 2) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 3) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 1uy 0uy <: u16)
-      (generate_domain_separator 1uy 1uy <: u16)
-      (generate_domain_separator 1uy 2uy <: u16)
-      (generate_domain_separator 1uy 3uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 0) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 1) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 2) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 3) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 2uy 0uy <: u16)
-      (generate_domain_separator 2uy 1uy <: u16)
-      (generate_domain_separator 2uy 2uy <: u16)
-      (generate_domain_separator 2uy 3uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 0) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 1) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 2) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 3) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 3uy 0uy <: u16)
-      (generate_domain_separator 3uy 1uy <: u16)
-      (generate_domain_separator 3uy 2uy <: u16)
-      (generate_domain_separator 3uy 3uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 0) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 1) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 2) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 3) four_ring_elements._4
-  in
+  let rand_stack0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let rand_stack1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let rand_stack2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let rand_stack3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) =
+    let list =
+      [
+        Rust_primitives.Hax.repeat 0l (sz 263);
+        Rust_primitives.Hax.repeat 0l (sz 263);
+        Rust_primitives.Hax.repeat 0l (sz 263);
+        Rust_primitives.Hax.repeat 0l (sz 263)
+      ]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+    Rust_primitives.Hax.array_of_list 4 list
+  in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            0uy, 0uy <: (u8 & u8);
+            0uy, 1uy <: (u8 & u8);
+            0uy, 2uy <: (u8 & u8);
+            0uy, 3uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            1uy, 0uy <: (u8 & u8);
+            1uy, 1uy <: (u8 & u8);
+            1uy, 2uy <: (u8 & u8);
+            1uy, 3uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            2uy, 0uy <: (u8 & u8);
+            2uy, 1uy <: (u8 & u8);
+            2uy, 2uy <: (u8 & u8);
+            2uy, 3uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            3uy, 0uy <: (u8 & u8);
+            3uy, 1uy <: (u8 & u8);
+            3uy, 2uy <: (u8 & u8);
+            3uy, 3uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
   v_A
 
 let matrix_A_6_by_5_
-      (#v_SIMDUnit: Type0)
+      (#v_SIMDUnit #v_Shake128: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
+          i2:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128)
       (seed: t_Array u8 (sz 34))
      =
   let v_A:t_Array
@@ -210,252 +206,289 @@ let matrix_A_6_by_5_
         t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
       v_ROWS_IN_A
   in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 0uy 0uy <: u16)
-      (generate_domain_separator 0uy 1uy <: u16)
-      (generate_domain_separator 0uy 2uy <: u16)
-      (generate_domain_separator 0uy 3uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 0) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 1) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 2) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 3) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 0uy 4uy <: u16)
-      (generate_domain_separator 1uy 0uy <: u16)
-      (generate_domain_separator 1uy 1uy <: u16)
-      (generate_domain_separator 1uy 2uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 4) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 0) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 1) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 2) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 1uy 3uy <: u16)
-      (generate_domain_separator 1uy 4uy <: u16)
-      (generate_domain_separator 2uy 0uy <: u16)
-      (generate_domain_separator 2uy 1uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 3) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 4) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 0) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 1) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 2uy 2uy <: u16)
-      (generate_domain_separator 2uy 3uy <: u16)
-      (generate_domain_separator 2uy 4uy <: u16)
-      (generate_domain_separator 3uy 0uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 2) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 3) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 4) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 0) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 3uy 1uy <: u16)
-      (generate_domain_separator 3uy 2uy <: u16)
-      (generate_domain_separator 3uy 3uy <: u16)
-      (generate_domain_separator 3uy 4uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 1) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 2) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 3) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 4) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 4uy 0uy <: u16)
-      (generate_domain_separator 4uy 1uy <: u16)
-      (generate_domain_separator 4uy 2uy <: u16)
-      (generate_domain_separator 4uy 3uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 0) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 1) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 2) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 3) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 4uy 4uy <: u16)
-      (generate_domain_separator 5uy 0uy <: u16)
-      (generate_domain_separator 5uy 1uy <: u16)
-      (generate_domain_separator 5uy 2uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 4) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 0) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 1) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 2) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 5uy 3uy <: u16)
-      (generate_domain_separator 5uy 4uy <: u16)
-      (generate_domain_separator 5uy 5uy <: u16)
-      (generate_domain_separator 5uy 6uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 3) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 4) four_ring_elements._2
-  in
+  let rand_stack0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let rand_stack1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let rand_stack2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let rand_stack3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) =
+    let list =
+      [
+        Rust_primitives.Hax.repeat 0l (sz 263);
+        Rust_primitives.Hax.repeat 0l (sz 263);
+        Rust_primitives.Hax.repeat 0l (sz 263);
+        Rust_primitives.Hax.repeat 0l (sz 263)
+      ]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+    Rust_primitives.Hax.array_of_list 4 list
+  in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            0uy, 0uy <: (u8 & u8);
+            0uy, 1uy <: (u8 & u8);
+            0uy, 2uy <: (u8 & u8);
+            0uy, 3uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            0uy, 4uy <: (u8 & u8);
+            1uy, 0uy <: (u8 & u8);
+            1uy, 1uy <: (u8 & u8);
+            1uy, 2uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            1uy, 3uy <: (u8 & u8);
+            1uy, 4uy <: (u8 & u8);
+            2uy, 0uy <: (u8 & u8);
+            2uy, 1uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            2uy, 2uy <: (u8 & u8);
+            2uy, 3uy <: (u8 & u8);
+            2uy, 4uy <: (u8 & u8);
+            3uy, 0uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            3uy, 1uy <: (u8 & u8);
+            3uy, 2uy <: (u8 & u8);
+            3uy, 3uy <: (u8 & u8);
+            3uy, 4uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            4uy, 0uy <: (u8 & u8);
+            4uy, 1uy <: (u8 & u8);
+            4uy, 2uy <: (u8 & u8);
+            4uy, 3uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            4uy, 4uy <: (u8 & u8);
+            5uy, 0uy <: (u8 & u8);
+            5uy, 1uy <: (u8 & u8);
+            5uy, 2uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            5uy, 3uy <: (u8 & u8);
+            5uy, 4uy <: (u8 & u8);
+            5uy, 5uy <: (u8 & u8);
+            5uy, 6uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 2)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
   v_A
 
 let matrix_A_8_by_7_
-      (#v_SIMDUnit: Type0)
+      (#v_SIMDUnit #v_Shake128: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
+          i2:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128)
       (seed: t_Array u8 (sz 34))
      =
   let v_A:t_Array
@@ -470,456 +503,489 @@ let matrix_A_8_by_7_
         t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
       v_ROWS_IN_A
   in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 0uy 0uy <: u16)
-      (generate_domain_separator 0uy 1uy <: u16)
-      (generate_domain_separator 0uy 2uy <: u16)
-      (generate_domain_separator 0uy 3uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 0) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 1) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 2) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 3) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 0uy 4uy <: u16)
-      (generate_domain_separator 0uy 5uy <: u16)
-      (generate_domain_separator 0uy 6uy <: u16)
-      (generate_domain_separator 1uy 0uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 4) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 5) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 0) (sz 6) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 0) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 1uy 1uy <: u16)
-      (generate_domain_separator 1uy 2uy <: u16)
-      (generate_domain_separator 1uy 3uy <: u16)
-      (generate_domain_separator 1uy 4uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 1) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 2) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 3) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 4) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 1uy 5uy <: u16)
-      (generate_domain_separator 1uy 6uy <: u16)
-      (generate_domain_separator 2uy 0uy <: u16)
-      (generate_domain_separator 2uy 1uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 5) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 1) (sz 6) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 0) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 1) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 2uy 2uy <: u16)
-      (generate_domain_separator 2uy 3uy <: u16)
-      (generate_domain_separator 2uy 4uy <: u16)
-      (generate_domain_separator 2uy 5uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 2) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 3) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 4) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 5) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 2uy 6uy <: u16)
-      (generate_domain_separator 3uy 0uy <: u16)
-      (generate_domain_separator 3uy 1uy <: u16)
-      (generate_domain_separator 3uy 2uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 2) (sz 6) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 0) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 1) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 2) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 3uy 3uy <: u16)
-      (generate_domain_separator 3uy 4uy <: u16)
-      (generate_domain_separator 3uy 5uy <: u16)
-      (generate_domain_separator 3uy 6uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 3) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 4) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 5) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 3) (sz 6) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 4uy 0uy <: u16)
-      (generate_domain_separator 4uy 1uy <: u16)
-      (generate_domain_separator 4uy 2uy <: u16)
-      (generate_domain_separator 4uy 3uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 0) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 1) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 2) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 3) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 4uy 4uy <: u16)
-      (generate_domain_separator 4uy 5uy <: u16)
-      (generate_domain_separator 4uy 6uy <: u16)
-      (generate_domain_separator 5uy 0uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 4) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 5) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 4) (sz 6) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 0) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 5uy 1uy <: u16)
-      (generate_domain_separator 5uy 2uy <: u16)
-      (generate_domain_separator 5uy 3uy <: u16)
-      (generate_domain_separator 5uy 4uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 1) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 2) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 3) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 4) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 5uy 5uy <: u16)
-      (generate_domain_separator 5uy 6uy <: u16)
-      (generate_domain_separator 6uy 0uy <: u16)
-      (generate_domain_separator 6uy 1uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 5) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 5) (sz 6) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 6) (sz 0) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 6) (sz 1) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 6uy 2uy <: u16)
-      (generate_domain_separator 6uy 3uy <: u16)
-      (generate_domain_separator 6uy 4uy <: u16)
-      (generate_domain_separator 6uy 5uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 6) (sz 2) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 6) (sz 3) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 6) (sz 4) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 6) (sz 5) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 6uy 6uy <: u16)
-      (generate_domain_separator 7uy 0uy <: u16)
-      (generate_domain_separator 7uy 1uy <: u16)
-      (generate_domain_separator 7uy 2uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 6) (sz 6) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 7) (sz 0) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 7) (sz 1) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 7) (sz 2) four_ring_elements._4
-  in
-  let four_ring_elements:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    Libcrux_ml_dsa.Sample.sample_four_ring_elements #v_SIMDUnit
-      seed
-      (generate_domain_separator 7uy 3uy <: u16)
-      (generate_domain_separator 7uy 4uy <: u16)
-      (generate_domain_separator 7uy 5uy <: u16)
-      (generate_domain_separator 7uy 6uy <: u16)
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 7) (sz 3) four_ring_elements._1
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 7) (sz 4) four_ring_elements._2
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 7) (sz 5) four_ring_elements._3
-  in
-  let v_A:t_Array
-    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-    v_ROWS_IN_A =
-    update_matrix #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A v_A (sz 7) (sz 6) four_ring_elements._4
-  in
+  let rand_stack0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let rand_stack1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let rand_stack2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let rand_stack3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) =
+    let list =
+      [
+        Rust_primitives.Hax.repeat 0l (sz 263);
+        Rust_primitives.Hax.repeat 0l (sz 263);
+        Rust_primitives.Hax.repeat 0l (sz 263);
+        Rust_primitives.Hax.repeat 0l (sz 263)
+      ]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+    Rust_primitives.Hax.array_of_list 4 list
+  in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            0uy, 0uy <: (u8 & u8);
+            0uy, 1uy <: (u8 & u8);
+            0uy, 2uy <: (u8 & u8);
+            0uy, 3uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            0uy, 4uy <: (u8 & u8);
+            0uy, 5uy <: (u8 & u8);
+            0uy, 6uy <: (u8 & u8);
+            1uy, 0uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            1uy, 1uy <: (u8 & u8);
+            1uy, 2uy <: (u8 & u8);
+            1uy, 3uy <: (u8 & u8);
+            1uy, 4uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            1uy, 5uy <: (u8 & u8);
+            1uy, 6uy <: (u8 & u8);
+            2uy, 0uy <: (u8 & u8);
+            2uy, 1uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            2uy, 2uy <: (u8 & u8);
+            2uy, 3uy <: (u8 & u8);
+            2uy, 4uy <: (u8 & u8);
+            2uy, 5uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            2uy, 6uy <: (u8 & u8);
+            3uy, 0uy <: (u8 & u8);
+            3uy, 1uy <: (u8 & u8);
+            3uy, 2uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            3uy, 3uy <: (u8 & u8);
+            3uy, 4uy <: (u8 & u8);
+            3uy, 5uy <: (u8 & u8);
+            3uy, 6uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            4uy, 0uy <: (u8 & u8);
+            4uy, 1uy <: (u8 & u8);
+            4uy, 2uy <: (u8 & u8);
+            4uy, 3uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            4uy, 4uy <: (u8 & u8);
+            4uy, 5uy <: (u8 & u8);
+            4uy, 6uy <: (u8 & u8);
+            5uy, 0uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            5uy, 1uy <: (u8 & u8);
+            5uy, 2uy <: (u8 & u8);
+            5uy, 3uy <: (u8 & u8);
+            5uy, 4uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            5uy, 5uy <: (u8 & u8);
+            5uy, 6uy <: (u8 & u8);
+            6uy, 0uy <: (u8 & u8);
+            6uy, 1uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            6uy, 2uy <: (u8 & u8);
+            6uy, 3uy <: (u8 & u8);
+            6uy, 4uy <: (u8 & u8);
+            6uy, 5uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            6uy, 6uy <: (u8 & u8);
+            7uy, 0uy <: (u8 & u8);
+            7uy, 1uy <: (u8 & u8);
+            7uy, 2uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
+  let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array
+      (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+      v_ROWS_IN_A &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array u8 (sz 840) &
+    t_Array (t_Array i32 (sz 263)) (sz 4)) =
+    Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A
+      v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack
+      (let list =
+          [
+            7uy, 3uy <: (u8 & u8);
+            7uy, 4uy <: (u8 & u8);
+            7uy, 5uy <: (u8 & u8);
+            7uy, 6uy <: (u8 & u8)
+          ]
+        in
+        FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4);
+        Rust_primitives.Hax.array_of_list 4 list) (sz 4)
+  in
+  let v_A:t_Array
+    (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+    v_ROWS_IN_A =
+    tmp0
+  in
+  let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+  let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+  let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+  let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+  let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in
+  let _:Prims.unit = () in
   v_A
 
-let matrix_A
-      (#v_SIMDUnit: Type0)
+let matrix_A_generic
+      (#v_SIMDUnit #v_Shake128: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
+          i2:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128)
       (seed: t_Array u8 (sz 34))
      =
   match
     (cast (v_ROWS_IN_A <: usize) <: u8), (cast (v_COLUMNS_IN_A <: usize) <: u8) <: (u8 & u8)
   with
-  | 4uy, 4uy -> matrix_A_4_by_4_ #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A seed
-  | 6uy, 5uy -> matrix_A_6_by_5_ #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A seed
-  | 8uy, 7uy -> matrix_A_8_by_7_ #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A seed
+  | 4uy, 4uy -> matrix_A_4_by_4_ #v_SIMDUnit #v_Shake128 v_ROWS_IN_A v_COLUMNS_IN_A seed
+  | 6uy, 5uy -> matrix_A_6_by_5_ #v_SIMDUnit #v_Shake128 v_ROWS_IN_A v_COLUMNS_IN_A seed
+  | 8uy, 7uy -> matrix_A_8_by_7_ #v_SIMDUnit #v_Shake128 v_ROWS_IN_A v_COLUMNS_IN_A seed
   | _ ->
     Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti
index e1b9a56dc..13aa21421 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti
@@ -6,31 +6,49 @@ open FStar.Mul
 let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
   let open Libcrux_ml_dsa.Hash_functions.Shake256 in
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
-val generate_domain_separator (row column: u8) : Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
-
-val update_matrix
-      (#v_SIMDUnit: Type0)
-      (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
-      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      (m:
-          t_Array
+/// The x4 sampling implementation that is selected during multiplexing.
+class t_X4Sampler (v_Self: Type0) = {
+  f_matrix_A_pre:
+      #v_SIMDUnit: Type0 ->
+      v_ROWS_IN_A: usize ->
+      v_COLUMNS_IN_A: usize ->
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} ->
+      t_Array u8 (sz 34)
+    -> Type0;
+  f_matrix_A_post:
+      #v_SIMDUnit: Type0 ->
+      v_ROWS_IN_A: usize ->
+      v_COLUMNS_IN_A: usize ->
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} ->
+      t_Array u8 (sz 34) ->
+      t_Array
+          (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+          v_ROWS_IN_A
+    -> Type0;
+  f_matrix_A:
+      #v_SIMDUnit: Type0 ->
+      v_ROWS_IN_A: usize ->
+      v_COLUMNS_IN_A: usize ->
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} ->
+      x0: t_Array u8 (sz 34)
+    -> Prims.Pure
+        (t_Array
             (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
             v_ROWS_IN_A)
-      (i j: usize)
-      (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-    : Prims.Pure
-      (t_Array
-          (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
-          v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True)
+        (f_matrix_A_pre #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A #i1 x0)
+        (fun result -> f_matrix_A_post #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A #i1 x0 result)
+}
 
 val matrix_A_4_by_4_
-      (#v_SIMDUnit: Type0)
+      (#v_SIMDUnit #v_Shake128: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
-      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |}
       (seed: t_Array u8 (sz 34))
     : Prims.Pure
       (t_Array
@@ -38,9 +56,10 @@ val matrix_A_4_by_4_
           v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True)
 
 val matrix_A_6_by_5_
-      (#v_SIMDUnit: Type0)
+      (#v_SIMDUnit #v_Shake128: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
-      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |}
       (seed: t_Array u8 (sz 34))
     : Prims.Pure
       (t_Array
@@ -48,19 +67,21 @@ val matrix_A_6_by_5_
           v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True)
 
 val matrix_A_8_by_7_
-      (#v_SIMDUnit: Type0)
+      (#v_SIMDUnit #v_Shake128: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
-      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |}
       (seed: t_Array u8 (sz 34))
     : Prims.Pure
       (t_Array
           (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
           v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True)
 
-val matrix_A
-      (#v_SIMDUnit: Type0)
+val matrix_A_generic
+      (#v_SIMDUnit #v_Shake128: Type0)
       (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
-      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |}
       (seed: t_Array u8 (sz 34))
     : Prims.Pure
       (t_Array
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst
index 6c88f5ff3..3dd67c65e 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst
@@ -3,27 +3,30 @@ module Libcrux_ml_dsa.Simd.Avx2.Arithmetic
 open Core
 open FStar.Mul
 
-let add (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs
+let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs
 
-let compute_hint (v_GAMMA2: i32) (low high: u8) =
-  let gamma2:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_GAMMA2 in
-  let minus_gamma2:u8 =
+let compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_GAMMA2
+  in
+  let minus_gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32)
   in
-  let low_within_bound:u8 =
+  let low_within_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32
           low
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
       gamma2
   in
-  let low_equals_minus_gamma2:u8 =
+  let low_equals_minus_gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_cmpeq_epi32 low minus_gamma2
   in
-  let low_equals_minus_gamma2_and_high_is_nonzero:u8 =
+  let low_equals_minus_gamma2_and_high_is_nonzero:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sign_epi32 low_equals_minus_gamma2 high
   in
-  let hints:u8 =
+  let hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_or_si256 low_within_bound
       low_equals_minus_gamma2_and_high_is_nonzero
   in
@@ -35,14 +38,19 @@ let compute_hint (v_GAMMA2: i32) (low high: u8) =
   in
   (cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize),
   Libcrux_intrinsics.Avx2_extract.mm256_and_si256 hints
-    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l <: u8)
+    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l <: Libcrux_intrinsics.Avx2_extract.t_Vec256
+    )
   <:
-  (usize & u8)
+  (usize & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
-let infinity_norm_exceeds (simd_unit: u8) (bound: i32) =
-  let absolute_values:u8 = Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit in
-  let bound:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32) in
-  let compare_with_bound:u8 =
+let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) =
+  let absolute_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit
+  in
+  let bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32)
+  in
+  let compare_with_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 absolute_values bound
   in
   let result:i32 =
@@ -50,36 +58,45 @@ let infinity_norm_exceeds (simd_unit: u8) (bound: i32) =
   in
   if result =. 1l then false else true
 
-let subtract (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs
+let subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs
 
-let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: u8) =
-  let shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_SHIFT_BY simd_unit in
-  let quotient:u8 =
+let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_SHIFT_BY simd_unit
+  in
+  let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 shifted
-      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l <<! 22l <: i32) <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l <<! 22l <: i32)
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 23l quotient
   in
-  let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 23l quotient in
-  let quotient_times_field_modulus:u8 =
+  let quotient_times_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 quotient
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 shifted quotient_times_field_modulus
 
-let to_unsigned_representatives (t: u8) =
-  let signs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l t in
-  let conditional_add_field_modulus:u8 =
+let to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l t
+  in
+  let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_and_si256 signs
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 t conditional_add_field_modulus
 
-let power2round (r: u8) =
-  let r:u8 = to_unsigned_representatives r in
-  let r1:u8 =
+let power2round (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives r in
+  let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l <<!
               (Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T -! sz 1 <: usize)
@@ -89,83 +106,119 @@ let power2round (r: u8) =
             <:
             i32)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 13l r1
+  in
+  let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 13l r1
+  in
+  let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0
   in
-  let r1:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 13l r1 in
-  let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 13l r1 in
-  let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0 in
-  r0, r1 <: (u8 & u8)
+  r0, r1 <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
-let montgomery_multiply (lhs rhs: u8) =
-  let field_modulus:u8 =
+let montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
   in
-  let inverse_of_modulus_mod_montgomery_r:u8 =
+  let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
             <:
             u64)
         <:
         i32)
   in
-  let prod02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs in
-  let prod13:u8 =
+  let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs
+  in
+  let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
           245l
           lhs
         <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs <: u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let k02:u8 =
+  let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
   in
-  let k13:u8 =
+  let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
   in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus
+  in
+  let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus
+  in
+  let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02
+  in
+  let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13
+  in
+  let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02
+  in
   Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13
 
-let montgomery_multiply_by_constant (lhs: u8) (constant: i32) =
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 constant in
-  let field_modulus:u8 =
+let montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) =
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 constant
+  in
+  let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
   in
-  let inverse_of_modulus_mod_montgomery_r:u8 =
+  let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
             <:
             u64)
         <:
         i32)
   in
-  let prod02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs in
-  let prod13:u8 =
+  let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs
+  in
+  let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
           245l
           lhs
         <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs <: u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let k02:u8 =
+  let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
   in
-  let k13:u8 =
+  let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
   in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus
+  in
+  let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus
+  in
+  let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02
+  in
+  let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13
+  in
+  let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02
+  in
   Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13
 
-let decompose (v_GAMMA2: i32) (r: u8) =
-  let r:u8 = to_unsigned_representatives r in
-  let field_modulus_halved:u8 =
+let decompose (v_GAMMA2: i32) (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives r in
+  let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -!
           1l
           <:
@@ -175,83 +228,127 @@ let decompose (v_GAMMA2: i32) (r: u8) =
         i32)
   in
   let (v_ALPHA: i32):i32 = v_GAMMA2 *! 2l in
-  let ceil_of_r_by_128_:u8 =
+  let ceil_of_r_by_128_:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r
-      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 127l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 127l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let ceil_of_r_by_128_:u8 =
+  let ceil_of_r_by_128_:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 7l ceil_of_r_by_128_
   in
-  let r1:u8 =
+  let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     match v_ALPHA with
     | 190464l ->
-      let result:u8 =
+      let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
         Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_
-          (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l <: u8)
+          (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
       in
-      let result:u8 =
+      let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
         Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result
-          (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l <<! 23l <: i32) <: u8)
+          (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l <<! 23l <: i32)
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      in
+      let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 24l result
       in
-      let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 24l result in
-      let mask:u8 =
+      let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
         Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
               43l
             <:
-            u8)
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
           result
       in
-      let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask in
-      let not_result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 result mask in
+      let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask
+      in
+      let not_result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 result mask
+      in
       Libcrux_intrinsics.Avx2_extract.mm256_and_si256 result not_result
     | 523776l ->
-      let result:u8 =
+      let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
         Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_
-          (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l <: u8)
+          (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
       in
-      let result:u8 =
+      let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
         Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result
-          (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l <<! 21l <: i32) <: u8)
+          (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l <<! 21l <: i32)
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      in
+      let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 22l result
       in
-      let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 22l result in
       Libcrux_intrinsics.Avx2_extract.mm256_and_si256 result
-        (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l <: u8)
+        (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l
+          <:
+          Libcrux_intrinsics.Avx2_extract.t_Vec256)
     | _ ->
       Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
           <:
           Rust_primitives.Hax.t_Never)
   in
-  let r0:u8 =
+  let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 r1
-      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_ALPHA <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_ALPHA
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0 in
-  let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0 in
-  let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask in
-  let field_modulus_and_mask:u8 =
+  let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0
+  in
+  let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0
+  in
+  let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask
+  in
+  let field_modulus_and_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_and_si256 mask
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r0 field_modulus_and_mask in
-  r0, r1 <: (u8 & u8)
+  let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r0 field_modulus_and_mask
+  in
+  r0, r1 <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
-let use_hint (v_GAMMA2: i32) (r hint: u8) =
-  let r0, r1:(u8 & u8) = decompose v_GAMMA2 r in
-  let all_zeros:u8 = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () in
-  let negate_hints:u8 = Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 all_zeros hint r0 in
-  let negate_hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l negate_hints in
-  let hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 hint negate_hints in
-  let r1_plus_hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r1 hints in
+let use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let r0, r1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+    decompose v_GAMMA2 r
+  in
+  let all_zeros:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 ()
+  in
+  let negate_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 all_zeros hint r0
+  in
+  let negate_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l negate_hints
+  in
+  let hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 hint negate_hints
+  in
+  let r1_plus_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r1 hints
+  in
   match v_GAMMA2 with
   | 95232l ->
-    let max:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l in
-    let r1_plus_hints:u8 =
+    let max:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+      Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l
+    in
+    let r1_plus_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
       Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints max r1_plus_hints
     in
-    let greater_than_or_equal_to_max:u8 =
+    let greater_than_or_equal_to_max:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
       Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 r1_plus_hints max
     in
     Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints
@@ -259,7 +356,9 @@ let use_hint (v_GAMMA2: i32) (r hint: u8) =
       greater_than_or_equal_to_max
   | 261888l ->
     Libcrux_intrinsics.Avx2_extract.mm256_and_si256 r1_plus_hints
-      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   | _ ->
     Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti
index e11e02fab..a8ec4e3d7 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti
@@ -3,28 +3,43 @@ module Libcrux_ml_dsa.Simd.Avx2.Arithmetic
 open Core
 open FStar.Mul
 
-val add (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val compute_hint (v_GAMMA2: i32) (low high: u8)
-    : Prims.Pure (usize & u8) Prims.l_True (fun _ -> Prims.l_True)
+val compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure (usize & Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-val infinity_norm_exceeds (simd_unit: u8) (bound: i32)
+val infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32)
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-val subtract (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val to_unsigned_representatives (t: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val power2round (r: u8) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+val power2round (r: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-val montgomery_multiply (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val montgomery_multiply_by_constant (lhs: u8) (constant: i32)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val decompose (v_GAMMA2: i32) (r: u8) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+val decompose (v_GAMMA2: i32) (r: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-val use_hint (v_GAMMA2: i32) (r hint: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst
index fba456933..a9d609566 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst
@@ -3,139 +3,155 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment
 open Core
 open FStar.Mul
 
-let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
+let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) =
   let serialized:t_Array u8 (sz 19) = Rust_primitives.Hax.repeat 0uy (sz 19) in
-  match cast (v_OUTPUT_SIZE <: usize) <: u8 with
-  | 4uy ->
-    let adjacent_2_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit
-        (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l <: u8)
-    in
-    let adjacent_2_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined
-    in
-    let adjacent_4_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined
-        (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l <: u8)
-    in
-    let adjacent_4_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined
-    in
-    let adjacent_4_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined
-        (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy
-            240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy
-          <:
-          u8)
-    in
-    let serialized:t_Array u8 (sz 19) =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-        ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
-          <:
-          Core.Ops.Range.t_Range usize)
-        (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ {
-                  Core.Ops.Range.f_start = sz 0;
-                  Core.Ops.Range.f_end = sz 16
-                }
+  let (out, serialized), hax_temp_output:((t_Slice u8 & t_Array u8 (sz 19)) & Prims.unit) =
+    match cast (Core.Slice.impl__len #u8 out <: usize) <: u8 with
+    | 4uy ->
+      let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit
+          (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      in
+      let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined
+      in
+      let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined
+          (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      in
+      let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+        Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined
+      in
+      let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+        Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined
+          (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy
+              240uy 240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec128)
+      in
+      let serialized:t_Array u8 (sz 19) =
+        Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+          ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
+            <:
+            Core.Ops.Range.t_Range usize)
+          (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ {
+                    Core.Ops.Range.f_start = sz 0;
+                    Core.Ops.Range.f_end = sz 16
+                  }
+                  <:
+                  Core.Ops.Range.t_Range usize ]
                 <:
-                Core.Ops.Range.t_Range usize ]
-              <:
-              t_Slice u8)
-            adjacent_4_combined
-          <:
-          t_Slice u8)
-    in
-    Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE)
-      #Core.Array.t_TryFromSliceError
-      (Core.Convert.f_try_into #(t_Slice u8)
-          #(t_Array u8 v_OUTPUT_SIZE)
-          #FStar.Tactics.Typeclasses.solve
+                t_Slice u8)
+              adjacent_4_combined
+            <:
+            t_Slice u8)
+      in
+      let out:t_Slice u8 =
+        Core.Slice.impl__copy_from_slice #u8
+          out
           (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 }
               <:
               Core.Ops.Range.t_Range usize ]
             <:
             t_Slice u8)
-        <:
-        Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError)
-  | 6uy ->
-    let adjacent_2_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit
-        (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l <: u8)
-    in
-    let adjacent_2_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 26l adjacent_2_combined
-    in
-    let adjacent_3_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined
-        (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
-            (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
-            (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y
-          <:
-          u8)
-    in
-    let adjacent_3_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 adjacent_3_combined
-        (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 1s 1s 1s 1s 1s 1s 1s (1s <<! 4l <: i16) 1s
-            1s 1s 1s 1s 1s 1s (1s <<! 4l <: i16)
-          <:
-          u8)
-    in
-    let adjacent_3_combined:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 adjacent_3_combined
-        (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 4l 0l 0l 0l 4l <: u8)
-    in
-    let lower_3_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_3_combined in
-    let serialized:t_Array u8 (sz 19) =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-        ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
-          <:
-          Core.Ops.Range.t_Range usize)
-        (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ {
-                  Core.Ops.Range.f_start = sz 0;
-                  Core.Ops.Range.f_end = sz 16
-                }
+      in
+      (out, serialized <: (t_Slice u8 & t_Array u8 (sz 19))), ()
+      <:
+      ((t_Slice u8 & t_Array u8 (sz 19)) & Prims.unit)
+    | 6uy ->
+      let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit
+          (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      in
+      let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 26l adjacent_2_combined
+      in
+      let adjacent_3_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined
+          (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
+              (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
+              (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      in
+      let adjacent_3_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 adjacent_3_combined
+          (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 1s 1s 1s 1s 1s 1s 1s (1s <<! 4l <: i16)
+              1s 1s 1s 1s 1s 1s 1s (1s <<! 4l <: i16)
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      in
+      let adjacent_3_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+        Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 adjacent_3_combined
+          (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 4l 0l 0l 0l 4l
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      in
+      let lower_3_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+        Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_3_combined
+      in
+      let serialized:t_Array u8 (sz 19) =
+        Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+          ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
+            <:
+            Core.Ops.Range.t_Range usize)
+          (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ {
+                    Core.Ops.Range.f_start = sz 0;
+                    Core.Ops.Range.f_end = sz 16
+                  }
+                  <:
+                  Core.Ops.Range.t_Range usize ]
                 <:
-                Core.Ops.Range.t_Range usize ]
-              <:
-              t_Slice u8)
-            lower_3_
-          <:
-          t_Slice u8)
-    in
-    let upper_3_:u8 =
-      Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_3_combined
-    in
-    let serialized:t_Array u8 (sz 19) =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-        ({ Core.Ops.Range.f_start = sz 3; Core.Ops.Range.f_end = sz 19 }
-          <:
-          Core.Ops.Range.t_Range usize)
-        (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ {
-                  Core.Ops.Range.f_start = sz 3;
-                  Core.Ops.Range.f_end = sz 19
-                }
+                t_Slice u8)
+              lower_3_
+            <:
+            t_Slice u8)
+      in
+      let upper_3_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+        Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_3_combined
+      in
+      let serialized:t_Array u8 (sz 19) =
+        Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+          ({ Core.Ops.Range.f_start = sz 3; Core.Ops.Range.f_end = sz 19 }
+            <:
+            Core.Ops.Range.t_Range usize)
+          (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ {
+                    Core.Ops.Range.f_start = sz 3;
+                    Core.Ops.Range.f_end = sz 19
+                  }
+                  <:
+                  Core.Ops.Range.t_Range usize ]
                 <:
-                Core.Ops.Range.t_Range usize ]
-              <:
-              t_Slice u8)
-            upper_3_
-          <:
-          t_Slice u8)
-    in
-    Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE)
-      #Core.Array.t_TryFromSliceError
-      (Core.Convert.f_try_into #(t_Slice u8)
-          #(t_Array u8 v_OUTPUT_SIZE)
-          #FStar.Tactics.Typeclasses.solve
+                t_Slice u8)
+              upper_3_
+            <:
+            t_Slice u8)
+      in
+      let out:t_Slice u8 =
+        Core.Slice.impl__copy_from_slice #u8
+          out
           (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 6 }
               <:
               Core.Ops.Range.t_Range usize ]
             <:
             t_Slice u8)
-        <:
-        Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError)
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+      in
+      (out, serialized <: (t_Slice u8 & t_Array u8 (sz 19))), ()
+      <:
+      ((t_Slice u8 & t_Array u8 (sz 19)) & Prims.unit)
+    | _ ->
+      (out, serialized <: (t_Slice u8 & t_Array u8 (sz 19))),
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
-        <:
-        Rust_primitives.Hax.t_Never)
+          <:
+          Rust_primitives.Hax.t_Never)
+      <:
+      ((t_Slice u8 & t_Array u8 (sz 19)) & Prims.unit)
+  in
+  out
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti
index 74c8d9c15..850f59cd2 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti
@@ -3,5 +3,5 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment
 open Core
 open FStar.Mul
 
-val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst
index be78d6aba..b1b0922d2 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst
@@ -12,7 +12,7 @@ let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) =
       in
       ()
   in
-  let bytes_in_simd_unit:u8 =
+  let bytes_in_simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 2 ] <: u8) <: i32)
       (cast (bytes.[ sz 2 ] <: u8) <: i32)
       (((cast (bytes.[ sz 2 ] <: u8) <: i32) <<! 8l <: i32) |. (cast (bytes.[ sz 1 ] <: u8) <: i32)
@@ -26,15 +26,17 @@ let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) =
       (cast (bytes.[ sz 0 ] <: u8) <: i32)
       (cast (bytes.[ sz 0 ] <: u8) <: i32)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 bytes_in_simd_unit
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 5l 2l 7l 4l 1l 6l 3l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 5l 2l 7l 4l 1l 6l 3l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
     (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_to_unsigned_when_eta_is_2___COEFFICIENT_MASK
 
       <:
-      u8)
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
 let deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8) =
   let _:Prims.unit =
@@ -45,7 +47,7 @@ let deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8) =
       in
       ()
   in
-  let bytes_in_simd_unit:u8 =
+  let bytes_in_simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 3 ] <: u8) <: i32)
       (cast (bytes.[ sz 3 ] <: u8) <: i32)
       (cast (bytes.[ sz 2 ] <: u8) <: i32)
@@ -55,15 +57,17 @@ let deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8) =
       (cast (bytes.[ sz 0 ] <: u8) <: i32)
       (cast (bytes.[ sz 0 ] <: u8) <: i32)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 bytes_in_simd_unit
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
     (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_to_unsigned_when_eta_is_4___COEFFICIENT_MASK
 
       <:
-      u8)
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
 let deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8) =
   match cast (v_ETA <: usize) <: u8 with
@@ -76,56 +80,64 @@ let deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8) =
         Rust_primitives.Hax.t_Never)
 
 let deserialize (v_ETA: usize) (serialized: t_Slice u8) =
-  let unsigned:u8 = deserialize_to_unsigned v_ETA serialized in
+  let unsigned:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    deserialize_to_unsigned v_ETA serialized
+  in
   Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (
           cast (v_ETA <: usize) <: i32)
       <:
-      u8)
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
     unsigned
 
-let serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
+let serialize_when_eta_is_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) =
   let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
-  let simd_unit_shifted:u8 =
+  let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
           serialize_when_eta_is_2___ETA
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
       simd_unit
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 29l 0l 29l 0l 29l 0l 29l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 29l 0l 29l 0l 29l 0l 29l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 29l adjacent_2_combined
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
           (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
           (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 adjacent_4_combined
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 0s 0s 0s 0s 0s 0s (1s <<! 6l <: i16) 1s 0s 0s
           0s 0s 0s 0s (1s <<! 6l <: i16) 1s
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_6_combined:u8 =
+  let adjacent_6_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_4_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_6_combined:u8 =
+  let adjacent_6_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_6_combined
   in
-  let adjacent_6_combined:u8 =
+  let adjacent_6_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_sllv_epi32 adjacent_6_combined
-      (Libcrux_intrinsics.Avx2_extract.mm_set_epi32 0l 0l 0l 20l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm_set_epi32 0l 0l 0l 20l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
   in
-  let adjacent_6_combined:u8 =
+  let adjacent_6_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_srli_epi64 20l adjacent_6_combined
   in
   let serialized:t_Array u8 (sz 16) =
@@ -145,48 +157,50 @@ let serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
         <:
         t_Slice u8)
   in
-  Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE)
-    #Core.Array.t_TryFromSliceError
-    (Core.Convert.f_try_into #(t_Slice u8)
-        #(t_Array u8 v_OUTPUT_SIZE)
-        #FStar.Tactics.Typeclasses.solve
-        (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 }
-            <:
-            Core.Ops.Range.t_Range usize ]
+  let out:t_Slice u8 =
+    Core.Slice.impl__copy_from_slice #u8
+      out
+      (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 }
           <:
-          t_Slice u8)
-      <:
-      Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError)
+          Core.Ops.Range.t_Range usize ]
+        <:
+        t_Slice u8)
+  in
+  out
 
-let serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
+let serialize_when_eta_is_4_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) =
   let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
-  let simd_unit_shifted:u8 =
+  let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
           serialize_when_eta_is_4___ETA
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
       simd_unit
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined
       (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy
           240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
   in
   let serialized:t_Array u8 (sz 16) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
@@ -205,25 +219,36 @@ let serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
         <:
         t_Slice u8)
   in
-  Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE)
-    #Core.Array.t_TryFromSliceError
-    (Core.Convert.f_try_into #(t_Slice u8)
-        #(t_Array u8 v_OUTPUT_SIZE)
-        #FStar.Tactics.Typeclasses.solve
-        (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 }
-            <:
-            Core.Ops.Range.t_Range usize ]
+  let hax_temp_output, out:(Prims.unit & t_Slice u8) =
+    (),
+    Core.Slice.impl__copy_from_slice #u8
+      out
+      (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 }
           <:
-          t_Slice u8)
-      <:
-      Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError)
+          Core.Ops.Range.t_Range usize ]
+        <:
+        t_Slice u8)
+    <:
+    (Prims.unit & t_Slice u8)
+  in
+  out
 
-let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
-  match cast (v_OUTPUT_SIZE <: usize) <: u8 with
-  | 3uy -> serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit
-  | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+let serialize
+      (v_ETA: usize)
+      (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (serialized: t_Slice u8)
+     =
+  let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) =
+    match cast (v_ETA <: usize) <: u8 with
+    | 2uy -> serialize_when_eta_is_2_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit)
+    | 4uy -> serialize_when_eta_is_4_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit)
+    | _ ->
+      serialized,
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
-        <:
-        Rust_primitives.Hax.t_Never)
+          <:
+          Rust_primitives.Hax.t_Never)
+      <:
+      (t_Slice u8 & Prims.unit)
+  in
+  serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti
index 45782f6dc..9513a3f02 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti
@@ -12,22 +12,25 @@ let serialize_when_eta_is_2___ETA: i32 = 2l
 let serialize_when_eta_is_4___ETA: i32 = 4l
 
 val deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
 val deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
 val deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
 val deserialize (v_ETA: usize) (serialized: t_Slice u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+val serialize_when_eta_is_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
-val serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) (simd_unit: u8)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+val serialize_when_eta_is_4_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
-val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+val serialize
+      (v_ETA: usize)
+      (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst
index 929fa141e..03445e6a8 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst
@@ -12,7 +12,7 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) =
       in
       ()
   in
-  let serialized_lower:u8 =
+  let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
             Core.Ops.Range.f_start = sz 0;
             Core.Ops.Range.f_end = sz 16
@@ -22,7 +22,7 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) =
         <:
         t_Slice u8)
   in
-  let serialized_upper:u8 =
+  let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
             Core.Ops.Range.f_start = sz 2;
             Core.Ops.Range.f_end = sz 18
@@ -32,31 +32,33 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) =
         <:
         t_Slice u8)
   in
-  let serialized:u8 =
+  let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y
           10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_MASK
 
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1
 
       <:
-      u8)
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
     coefficients
 
 let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) =
@@ -68,7 +70,7 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) =
       in
       ()
   in
-  let serialized_lower:u8 =
+  let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
             Core.Ops.Range.f_start = sz 0;
             Core.Ops.Range.f_end = sz 16
@@ -78,7 +80,7 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) =
         <:
         t_Slice u8)
   in
-  let serialized_upper:u8 =
+  let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
             Core.Ops.Range.f_start = sz 4;
             Core.Ops.Range.f_end = sz 20
@@ -88,31 +90,33 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) =
         <:
         t_Slice u8)
   in
-  let serialized:u8 =
+  let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y
           9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_MASK
 
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1
 
       <:
-      u8)
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
     coefficients
 
 let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) =
@@ -125,36 +129,45 @@ let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) =
         <:
         Rust_primitives.Hax.t_Never)
 
-let serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
+let serialize_when_gamma1_is_2_pow_17_
+      (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (out: t_Slice u8)
+     =
   let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
-  let simd_unit_shifted:u8 =
+  let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
           serialize_when_gamma1_is_2_pow_17___GAMMA1
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
       simd_unit
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 14l 0l 14l 0l 14l 0l 14l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 14l 0l 14l 0l 14l 0l 14l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 14l adjacent_2_combined
   in
-  let every_second_element:u8 =
+  let every_second_element:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_2_combined
   in
-  let every_second_element_shifted:u8 =
+  let every_second_element_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 36l every_second_element
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_2_combined every_second_element_shifted
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 adjacent_4_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 28L 0L 28L 0L <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 28L 0L 28L 0L
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined
   in
-  let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in
   let serialized:t_Array u8 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
       ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
@@ -172,7 +185,7 @@ let serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
         <:
         t_Slice u8)
   in
-  let upper_4_:u8 =
+  let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined
   in
   let serialized:t_Array u8 (sz 32) =
@@ -192,44 +205,49 @@ let serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
         <:
         t_Slice u8)
   in
-  Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE)
-    #Core.Array.t_TryFromSliceError
-    (Core.Convert.f_try_into #(t_Slice u8)
-        #(t_Array u8 v_OUTPUT_SIZE)
-        #FStar.Tactics.Typeclasses.solve
-        (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 18 }
-            <:
-            Core.Ops.Range.t_Range usize ]
+  let out:t_Slice u8 =
+    Core.Slice.impl__copy_from_slice #u8
+      out
+      (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 18 }
           <:
-          t_Slice u8)
-      <:
-      Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError)
+          Core.Ops.Range.t_Range usize ]
+        <:
+        t_Slice u8)
+  in
+  out
 
-let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
+let serialize_when_gamma1_is_2_pow_19_
+      (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (out: t_Slice u8)
+     =
   let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
-  let simd_unit_shifted:u8 =
+  let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
           serialize_when_gamma1_is_2_pow_19___GAMMA1
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
       simd_unit
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_2_combined
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y
           10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y
           0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined
   in
-  let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in
   let serialized:t_Array u8 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
       ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
@@ -247,7 +265,7 @@ let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
         <:
         t_Slice u8)
   in
-  let upper_4_:u8 =
+  let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined
   in
   let serialized:t_Array u8 (sz 32) =
@@ -267,25 +285,38 @@ let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
         <:
         t_Slice u8)
   in
-  Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE)
-    #Core.Array.t_TryFromSliceError
-    (Core.Convert.f_try_into #(t_Slice u8)
-        #(t_Array u8 v_OUTPUT_SIZE)
-        #FStar.Tactics.Typeclasses.solve
-        (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 }
-            <:
-            Core.Ops.Range.t_Range usize ]
+  let hax_temp_output, out:(Prims.unit & t_Slice u8) =
+    (),
+    Core.Slice.impl__copy_from_slice #u8
+      out
+      (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 }
           <:
-          t_Slice u8)
-      <:
-      Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError)
+          Core.Ops.Range.t_Range usize ]
+        <:
+        t_Slice u8)
+    <:
+    (Prims.unit & t_Slice u8)
+  in
+  out
 
-let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) =
-  match cast (v_OUTPUT_SIZE <: usize) <: u8 with
-  | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit
-  | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+let serialize
+      (v_GAMMA1_EXPONENT: usize)
+      (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (serialized: t_Slice u8)
+     =
+  let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) =
+    match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with
+    | 17uy ->
+      serialize_when_gamma1_is_2_pow_17_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit)
+    | 19uy ->
+      serialize_when_gamma1_is_2_pow_19_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit)
+    | _ ->
+      serialized,
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
-        <:
-        Rust_primitives.Hax.t_Never)
+          <:
+          Rust_primitives.Hax.t_Never)
+      <:
+      (t_Slice u8 & Prims.unit)
+  in
+  serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti
index 655c1c899..052cac8ee 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti
@@ -18,19 +18,26 @@ let serialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l <<! 17l
 let serialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l <<! 19l
 
 val deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
 val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
 val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_when_gamma1_is_2_pow_17_
+      (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (out: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_when_gamma1_is_2_pow_19_
+      (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (out: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize
+      (v_GAMMA1_EXPONENT: usize)
+      (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst
index f60e7085a..cf9feff51 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst
@@ -3,8 +3,8 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.T0
 open Core
 open FStar.Mul
 
-let change_interval (simd_unit: u8) =
-  let interval_end:u8 =
+let change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let interval_end:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l <<!
         (Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T -! sz 1 <: usize)
         <:
@@ -38,63 +38,79 @@ let deserialize (serialized: t_Slice u8) =
         <:
         t_Slice u8)
   in
-  let serialized:u8 =
+  let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized_extended <: t_Slice u8)
   in
-  let serialized:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized serialized in
-  let coefficients:u8 =
+  let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized serialized
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 12y 11y (-1y) 11y 10y 9y (-1y)
           (-1y) 9y 8y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) (-1y) 4y 3y (-1y) 3y 2y 1y (-1y) (-1y) 1y
           0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   change_interval coefficients
 
-let serialize (simd_unit: u8) =
+let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
   let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
-  let simd_unit:u8 = change_interval simd_unit in
-  let adjacent_2_combined:u8 =
+  let simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval simd_unit in
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 19l 0l 19l 0l 19l 0l 19l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 19l 0l 19l 0l 19l 0l 19l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 19l adjacent_2_combined
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 4l 2l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 4l 2l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 6l 0l 6l 0l 6l 0l 6l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 6l 0l 6l 0l 6l 0l 6l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 6l adjacent_4_combined
   in
-  let second_4_combined:u8 =
+  let second_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_4_combined
   in
-  let least_12_bits_shifted_up:u8 =
+  let least_12_bits_shifted_up:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 52l second_4_combined
   in
-  let bits_sequential:u8 =
+  let bits_sequential:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_4_combined least_12_bits_shifted_up
   in
-  let bits_sequential:u8 =
+  let bits_sequential:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 bits_sequential
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 0L 0L 12L 0L <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 0L 0L 12L 0L
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let bits_sequential:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 bits_sequential
   in
-  let bits_sequential:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 bits_sequential in
   let serialized:t_Array u8 (sz 16) =
     Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized bits_sequential
   in
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti
index a8bc01c8f..6ecaf9832 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti
@@ -3,10 +3,13 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.T0
 open Core
 open FStar.Mul
 
-val change_interval (simd_unit: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
 let deserialize__COEFFICIENT_MASK: i32 = (1l <<! 13l <: i32) -! 1l
 
-val deserialize (serialized: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val deserialize (serialized: t_Slice u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val serialize (simd_unit: u8) : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True)
+val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst
index c2206218a..5c03793af 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst
@@ -3,27 +3,35 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1
 open Core
 open FStar.Mul
 
-let serialize (simd_unit: u8) =
+let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
   let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 22l adjacent_2_combined
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 6l 4l 0l 0l 2l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 6l 4l 0l 0l 2l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined
   in
-  let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in
+  let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined
+  in
   let serialized:t_Array u8 (sz 24) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
       ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
@@ -41,7 +49,7 @@ let serialize (simd_unit: u8) =
         <:
         t_Slice u8)
   in
-  let upper_4_:u8 =
+  let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined
   in
   let serialized:t_Array u8 (sz 24) =
@@ -100,21 +108,27 @@ let deserialize (bytes: t_Slice u8) =
         <:
         t_Slice u8)
   in
-  let bytes_loaded:u8 =
+  let bytes_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes_extended <: t_Slice u8)
   in
-  let bytes_loaded:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i bytes_loaded bytes_loaded in
-  let coefficients:u8 =
+  let bytes_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set_m128i bytes_loaded bytes_loaded
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 bytes_loaded
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 9y 8y (-1y) (-1y) 8y 7y (-1y)
           (-1y) 7y 6y (-1y) (-1y) 6y 5y (-1y) (-1y) 4y 3y (-1y) (-1y) 3y 2y (-1y) (-1y) 2y 1y (-1y)
           (-1y) 1y 0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
-    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK <: u8)
+    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK
+      <:
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti
index 7999a014d..53c46df38 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti
@@ -5,6 +5,8 @@ open FStar.Mul
 
 let deserialize__COEFFICIENT_MASK: i32 = (1l <<! 10l <: i32) -! 1l
 
-val serialize (simd_unit: u8) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
+val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
 
-val deserialize (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val deserialize (bytes: t_Slice u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst
index 53d285487..dc0b422fd 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst
@@ -4,16 +4,28 @@ open Core
 open FStar.Mul
 
 let simd_unit_invert_ntt_at_layer_0_
-      (simd_unit0 simd_unit1: u8)
+      (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
       (zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13: i32)
      =
-  let a_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l simd_unit0 in
-  let b_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l simd_unit1 in
-  let lo_values:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled in
-  let hi_values:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a_shuffled b_shuffled in
-  let sums:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values in
-  let differences:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract hi_values lo_values in
-  let zetas:u8 =
+  let a_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l simd_unit0
+  in
+  let b_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l simd_unit1
+  in
+  let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled
+  in
+  let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a_shuffled b_shuffled
+  in
+  let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values
+  in
+  let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract hi_values lo_values
+  in
+  let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta13
       zeta12
       zeta03
@@ -23,104 +35,127 @@ let simd_unit_invert_ntt_at_layer_0_
       zeta01
       zeta00
   in
-  let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas in
-  let a_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums products in
-  let b_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums products in
-  let a:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_shuffled in
-  let b:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_shuffled in
-  a, b <: (u8 & u8)
+  let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas
+  in
+  let a_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums products
+  in
+  let b_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums products
+  in
+  let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_shuffled
+  in
+  let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_shuffled
+  in
+  a, b <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
 let invert_ntt_at_layer_0___round
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13: i32)
      =
-  let lhs, lhs_1_:(u8 & u8) =
-    simd_unit_invert_ntt_at_layer_0_ (re.[ index ] <: u8) (re.[ index +! sz 1 <: usize ] <: u8)
-      zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13
+  let lhs, lhs_1_:(Libcrux_intrinsics.Avx2_extract.t_Vec256 &
+    Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+    simd_unit_invert_ntt_at_layer_0_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) zeta00 zeta01
+      zeta02 zeta03 zeta10 zeta11 zeta12 zeta13
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index lhs
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) lhs_1_
   in
   let _:Prims.unit = () in
   re
 
-let invert_ntt_at_layer_0_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) =
+let invert_ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 0) 1976782l (-846154l) 1400424l 3937738l (-1362209l)
       (-48306l) 3919660l (-554416l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 2) (-3545687l) 1612842l (-976891l) 183443l (-2286327l)
       (-420899l) (-2235985l) (-2939036l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 4) (-3833893l) (-260646l) (-1104333l) (-1667432l) 1910376l
       (-1803090l) 1723600l (-426683l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 6) 472078l 1717735l (-975884l) 2213111l 269760l 3866901l
       3523897l (-3038916l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l 3014001l
       1616392l 162844l (-3183426l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 10) (-1207385l) 185531l 3369112l 1957272l (-164721l)
       2454455l 2432395l (-2013608l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l) (-1846953l)
       (-1671176l) (-2831860l) (-542412l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 14) 3406031l 2235880l 777191l 1500165l (-1374803l)
       (-2546312l) 1917081l (-1279661l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 16) (-1962642l) 3306115l 1312455l (-451100l) (-1430225l)
       (-3318210l) 1237275l (-1333058l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 18) (-1050970l) 1903435l 1869119l (-2994039l) (-3548272l)
       2635921l 1250494l (-3767016l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 20) 1595974l 2486353l 1247620l 4055324l 1265009l
       (-2590150l) 2691481l 2842341l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 22) 203044l 1735879l (-3342277l) 3437287l 4108315l
       (-2437823l) 286988l 342297l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 24) (-3595838l) (-768622l) (-525098l) (-3556995l) 3207046l
       2031748l (-3122442l) (-655327l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l 819034l
       909542l 1859098l 900702l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 28) (-3193378l) (-1197226l) (-3759364l) (-3520352l)
       3513181l (-1235728l) 2434439l 266997l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_0___round re (sz 30) (-3562462l) (-2446433l) 2244091l (-3342478l) 3817976l
       2316500l 3407706l 2091667l
   in
   re
 
-let simd_unit_invert_ntt_at_layer_1_ (simd_unit0 simd_unit1: u8) (zeta00 zeta01 zeta10 zeta11: i32) =
-  let lo_values:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 simd_unit0 simd_unit1 in
-  let hi_values:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 simd_unit0 simd_unit1 in
-  let sums:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values in
-  let differences:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract hi_values lo_values in
-  let zetas:u8 =
+let simd_unit_invert_ntt_at_layer_1_
+      (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta00 zeta01 zeta10 zeta11: i32)
+     =
+  let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 simd_unit0 simd_unit1
+  in
+  let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 simd_unit0 simd_unit1
+  in
+  let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values
+  in
+  let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract hi_values lo_values
+  in
+  let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta11
       zeta11
       zeta01
@@ -130,246 +165,378 @@ let simd_unit_invert_ntt_at_layer_1_ (simd_unit0 simd_unit1: u8) (zeta00 zeta01
       zeta00
       zeta00
   in
-  let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas in
-  let a:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums products in
-  let b:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums products in
-  a, b <: (u8 & u8)
+  let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas
+  in
+  let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums products
+  in
+  let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums products
+  in
+  a, b <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
 let invert_ntt_at_layer_1___round
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta_00_ zeta_01_ zeta_10_ zeta_11_: i32)
      =
-  let lhs, lhs_1_:(u8 & u8) =
-    simd_unit_invert_ntt_at_layer_1_ (re.[ index ] <: u8)
-      (re.[ index +! sz 1 <: usize ] <: u8)
+  let lhs, lhs_1_:(Libcrux_intrinsics.Avx2_extract.t_Vec256 &
+    Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+    simd_unit_invert_ntt_at_layer_1_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
       zeta_00_
       zeta_01_
       zeta_10_
       zeta_11_
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index lhs
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) lhs_1_
   in
   let _:Prims.unit = () in
   re
 
-let invert_ntt_at_layer_1_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) =
+let invert_ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 0) 3839961l (-3628969l) (-3881060l) (-3019102l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 2) (-1439742l) (-812732l) (-1584928l) 1285669l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 4) 1341330l 1315589l (-177440l) (-2409325l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 6) (-1851402l) 3159746l (-3553272l) 189548l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 8) (-1316856l) 759969l (-210977l) 2389356l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 10) (-3249728l) 1653064l (-8578l) (-3724342l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 12) 3958618l 904516l (-1100098l) 44288l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 14) 3097992l 508951l 264944l (-3343383l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 16) (-1430430l) 1852771l 1349076l (-381987l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 18) (-1308169l) (-22981l) (-1228525l) (-671102l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 20) (-2477047l) (-411027l) (-3693493l) (-2967645l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 22) 2715295l 2147896l (-983419l) 3412210l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 24) 126922l (-3632928l) (-3157330l) (-3190144l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 26) (-1000202l) (-4083598l) 1939314l (-1257611l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 28) (-1585221l) 2176455l 3475950l (-1452451l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     invert_ntt_at_layer_1___round re (sz 30) (-3041255l) (-3677745l) (-1528703l) (-3930395l)
   in
   re
 
-let simd_unit_invert_ntt_at_layer_2_ (simd_unit0 simd_unit1: u8) (zeta0 zeta1: i32) =
-  let lo_values:u8 =
+let simd_unit_invert_ntt_at_layer_2_
+      (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta0 zeta1: i32)
+     =
+  let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l simd_unit0 simd_unit1
   in
-  let hi_values:u8 =
+  let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l simd_unit0 simd_unit1
   in
-  let sums:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values in
-  let differences:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract hi_values lo_values in
-  let zetas:u8 =
+  let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values
+  in
+  let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract hi_values lo_values
+  in
+  let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0
   in
-  let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas in
-  let a:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums products in
-  let b:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums products in
-  a, b <: (u8 & u8)
+  let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas
+  in
+  let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums products
+  in
+  let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums products
+  in
+  a, b <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
-let invert_ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta1 zeta2: i32) =
-  let lhs, lhs_1_:(u8 & u8) =
-    simd_unit_invert_ntt_at_layer_2_ (re.[ index ] <: u8)
-      (re.[ index +! sz 1 <: usize ] <: u8)
+let invert_ntt_at_layer_2___round
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      (index: usize)
+      (zeta1 zeta2: i32)
+     =
+  let lhs, lhs_1_:(Libcrux_intrinsics.Avx2_extract.t_Vec256 &
+    Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+    simd_unit_invert_ntt_at_layer_2_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
       zeta1
       zeta2
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index lhs
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) lhs_1_
   in
   let _:Prims.unit = () in
   re
 
-let invert_ntt_at_layer_2_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 0) (-2797779l) 2071892l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 2) (-2556880l) 3900724l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 4) 3881043l 954230l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 6) 531354l 811944l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 8) 3699596l (-1600420l) in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 10) (-2140649l) 3507263l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 12) (-3821735l) 3505694l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 14) (-1643818l) (-1699267l) in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 16) (-539299l) 2348700l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 18) (-300467l) 3539968l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 20) (-2867647l) 3574422l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 22) (-3043716l) (-3861115l) in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 24) 3915439l (-2537516l) in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 26) (-3592148l) (-1661693l) in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 28) 3530437l 3077325l in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2___round re (sz 30) 95776l 2706023l in
+let invert_ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 0) (-2797779l) 2071892l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 2) (-2556880l) 3900724l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 4) 3881043l 954230l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 6) 531354l 811944l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 8) 3699596l (-1600420l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 10) (-2140649l) 3507263l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 12) (-3821735l) 3505694l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 14) (-1643818l) (-1699267l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 16) (-539299l) 2348700l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 18) (-300467l) 3539968l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 20) (-2867647l) 3574422l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 22) (-3043716l) (-3861115l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 24) 3915439l (-2537516l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 26) (-3592148l) (-1661693l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 28) 3530437l 3077325l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    invert_ntt_at_layer_2___round re (sz 30) 95776l 2706023l
+  in
   re
 
-let outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) =
+let outer_3_plus
+      (v_OFFSET v_STEP_BY: usize)
+      (v_ZETA: i32)
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+     =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Folds.fold_range v_OFFSET
       (v_OFFSET +! v_STEP_BY <: usize)
       (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
           let _:usize = temp_1_ in
           true)
       re
       (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
           let j:usize = j in
-          let a_minus_b:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j +! v_STEP_BY <: usize ] <: u8)
-              (re.[ j ] <: u8)
+          let a_minus_b:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j +! v_STEP_BY <: usize ]
+                <:
+                Libcrux_intrinsics.Avx2_extract.t_Vec256)
+              (re.[ j ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
           in
-          let re:t_Array u8 (sz 32) =
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
               j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8)
-                  (re.[ j +! v_STEP_BY <: usize ] <: u8)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ]
+                    <:
+                    Libcrux_intrinsics.Avx2_extract.t_Vec256)
+                  (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
                 <:
-                u8)
+                Libcrux_intrinsics.Avx2_extract.t_Vec256)
           in
-          let re:t_Array u8 (sz 32) =
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
               (j +! v_STEP_BY <: usize)
               (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant a_minus_b v_ZETA
                 <:
-                u8)
+                Libcrux_intrinsics.Avx2_extract.t_Vec256)
           in
           re)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   re
 
-let invert_ntt_at_layer_3_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 0) (sz 1) 280005l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 2) (sz 1) 4010497l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 4) (sz 1) (-19422l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 6) (sz 1) 1757237l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 8) (sz 1) (-3277672l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 10) (sz 1) (-1399561l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 12) (sz 1) (-3859737l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 14) (sz 1) (-2118186l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 16) (sz 1) (-2108549l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 18) (sz 1) 2619752l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 20) (sz 1) (-1119584l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 22) (sz 1) (-549488l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 24) (sz 1) 3585928l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 26) (sz 1) (-1079900l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 28) (sz 1) 1024112l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 30) (sz 1) 2725464l re in
+let invert_ntt_at_layer_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 0) (sz 1) 280005l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 2) (sz 1) 4010497l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 4) (sz 1) (-19422l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 6) (sz 1) 1757237l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 8) (sz 1) (-3277672l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 10) (sz 1) (-1399561l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 12) (sz 1) (-3859737l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 14) (sz 1) (-2118186l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 16) (sz 1) (-2108549l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 18) (sz 1) 2619752l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 20) (sz 1) (-1119584l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 22) (sz 1) (-549488l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 24) (sz 1) 3585928l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 26) (sz 1) (-1079900l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 28) (sz 1) 1024112l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 30) (sz 1) 2725464l re
+  in
   re
 
-let invert_ntt_at_layer_4_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 0) (sz 2) 2680103l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 4) (sz 2) 3111497l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 8) (sz 2) (-2884855l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 12) (sz 2) 3119733l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 16) (sz 2) (-2091905l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 20) (sz 2) (-359251l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 24) (sz 2) 2353451l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 28) (sz 2) 1826347l re in
+let invert_ntt_at_layer_4_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 0) (sz 2) 2680103l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 4) (sz 2) 3111497l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 8) (sz 2) (-2884855l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 12) (sz 2) 3119733l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 16) (sz 2) (-2091905l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 20) (sz 2) (-359251l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 24) (sz 2) 2353451l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 28) (sz 2) 1826347l re
+  in
   re
 
-let invert_ntt_at_layer_5_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 0) (sz 4) 466468l re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 8) (sz 4) (-876248l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 16) (sz 4) (-777960l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 24) (sz 4) 237124l re in
+let invert_ntt_at_layer_5_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 0) (sz 4) 466468l re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 8) (sz 4) (-876248l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 16) (sz 4) (-777960l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 24) (sz 4) 237124l re
+  in
   re
 
-let invert_ntt_at_layer_6_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 0) (sz 8) (-518909l) re in
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 16) (sz 8) (-2608894l) re in
+let invert_ntt_at_layer_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 0) (sz 8) (-518909l) re
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 16) (sz 8) (-2608894l) re
+  in
   re
 
-let invert_ntt_at_layer_7_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = outer_3_plus (sz 0) (sz 16) 25847l re in
+let invert_ntt_at_layer_7_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    outer_3_plus (sz 0) (sz 16) 25847l re
+  in
   re
 
-let invert_ntt_montgomery (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_0_ re in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_1_ re in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_2_ re in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_3_ re in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_4_ re in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_5_ re in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_6_ re in
-  let re:t_Array u8 (sz 32) = invert_ntt_at_layer_7_ re in
+let invert_ntt_montgomery (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_0_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_1_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_2_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_3_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_4_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_5_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_6_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_7_ re in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize)
+      (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256
+          (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256)
+        <:
+        usize)
       (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
           let _:usize = temp_1_ in
           true)
       re
       (fun re i ->
-          let re:t_Array u8 (sz 32) = re in
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
           let i:usize = i in
           Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
             i
-            (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ i ] <: u8)
+            (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ i ]
+                  <:
+                  Libcrux_intrinsics.Avx2_extract.t_Vec256)
                 41978l
               <:
-              u8)
+              Libcrux_intrinsics.Avx2_extract.t_Vec256)
           <:
-          t_Array u8 (sz 32))
+          t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
   in
   re
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti
index 9422d42f8..23e4bca7c 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti
@@ -26,57 +26,102 @@ let invert_ntt_at_layer_7___STEP_BY: usize = sz 16
 let simd_unit_invert_ntt_at_layer_0___SHUFFLE: i32 = 216l
 
 val simd_unit_invert_ntt_at_layer_0_
-      (simd_unit0 simd_unit1: u8)
+      (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
       (zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13: i32)
-    : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
 val invert_ntt_at_layer_0___round
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13: i32)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_at_layer_0_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val simd_unit_invert_ntt_at_layer_1_ (simd_unit0 simd_unit1: u8) (zeta00 zeta01 zeta10 zeta11: i32)
-    : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val simd_unit_invert_ntt_at_layer_1_
+      (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta00 zeta01 zeta10 zeta11: i32)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
 val invert_ntt_at_layer_1___round
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta_00_ zeta_01_ zeta_10_ zeta_11_: i32)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_at_layer_1_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val simd_unit_invert_ntt_at_layer_2_ (simd_unit0 simd_unit1: u8) (zeta0 zeta1: i32)
-    : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta1 zeta2: i32)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_at_layer_2_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_at_layer_3_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_at_layer_4_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_at_layer_5_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_at_layer_6_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_at_layer_7_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val invert_ntt_montgomery (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val simd_unit_invert_ntt_at_layer_2_
+      (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta0 zeta1: i32)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_2___round
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      (index: usize)
+      (zeta1 zeta2: i32)
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val outer_3_plus
+      (v_OFFSET v_STEP_BY: usize)
+      (v_ZETA: i32)
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_4_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_5_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_7_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_montgomery (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
index 02add82bf..d8d17ec4c 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
@@ -4,55 +4,91 @@ open Core
 open FStar.Mul
 
 let ntt_at_layer_7_and_6___mul
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
-      (zeta: u8)
+      (zeta: Libcrux_intrinsics.Avx2_extract.t_Vec256)
       (step_by: usize)
-      (field_modulus inverse_of_modulus_mod_montgomery_r: u8)
+      (field_modulus inverse_of_modulus_mod_montgomery_r: Libcrux_intrinsics.Avx2_extract.t_Vec256)
      =
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ index +! step_by <: usize ] <: u8) zeta
+  let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ index +! step_by <: usize ]
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      zeta
   in
-  let prod13:u8 =
+  let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
           245l
-          (re.[ index +! step_by <: usize ] <: u8)
+          (re.[ index +! step_by <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta
         <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta <: u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let k02:u8 =
+  let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
   in
-  let k13:u8 =
+  let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
   in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
+  let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus
+  in
+  let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus
+  in
+  let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02
+  in
+  let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13
+  in
+  let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02
+  in
+  let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
       (index +! step_by <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index ] <: u8) t <: u8)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index ]
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+          t
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
       index
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ index ] <: u8) t <: u8)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ index ]
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
+          t
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   re
 
-let butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) =
-  let a_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a in
-  let b_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b in
-  let summands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled in
-  let zeta_multiplicands:u8 =
+let butterfly_2_
+      (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32)
+     =
+  let a_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a
+  in
+  let b_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b
+  in
+  let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled
+  in
+  let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a_shuffled b_shuffled
   in
-  let zetas:u8 =
+  let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b3
       zeta_b2
       zeta_a3
@@ -62,25 +98,42 @@ let butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta
       zeta_a1
       zeta_a0
   in
-  let zeta_products:u8 =
+  let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas
   in
-  let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in
-  let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in
-  let a_terms_shuffled:u8 =
+  let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products
+  in
+  let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products
+  in
+  let a_terms_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms
   in
-  let b_terms_shuffled:u8 =
+  let b_terms_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms
   in
-  let a_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled in
-  let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled in
-  a_out, b_out <: (u8 & u8)
+  let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled
+  in
+  let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled
+  in
+  a_out, b_out
+  <:
+  (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
-let butterfly_4_ (a b: u8) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) =
-  let summands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b in
-  let zeta_multiplicands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a b in
-  let zetas:u8 =
+let butterfly_4_
+      (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32)
+     =
+  let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b
+  in
+  let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a b
+  in
+  let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b1
       zeta_b1
       zeta_a1
@@ -90,244 +143,314 @@ let butterfly_4_ (a b: u8) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) =
       zeta_a0
       zeta_a0
   in
-  let zeta_products:u8 =
+  let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas
   in
-  let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in
-  let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in
-  let a_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms in
-  let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms in
-  a_out, b_out <: (u8 & u8)
+  let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products
+  in
+  let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products
+  in
+  let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms
+  in
+  let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms
+  in
+  a_out, b_out
+  <:
+  (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
-let butterfly_8_ (a b: u8) (zeta0 zeta1: i32) =
-  let summands:u8 =
+let butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) =
+  let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128
           b
         <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 a <: u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
+      (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 a
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
+  in
+  let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l b a
   in
-  let zeta_multiplicands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l b a in
-  let zetas:u8 =
+  let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0
   in
-  let zeta_products:u8 =
+  let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas
   in
-  let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in
-  let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in
-  let a_out:u8 =
+  let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products
+  in
+  let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products
+  in
+  let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128
           sub_terms
         <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms <: u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
+      (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
   in
-  let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms in
-  a_out, b_out <: (u8 & u8)
+  let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms
+  in
+  a_out, b_out
+  <:
+  (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
 let ntt_at_layer_0___round
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32)
      =
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ index ] <: u8) (re.[ index +! sz 1 <: usize ] <: u8) zeta_0_ zeta_1_ zeta_2_
-      zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_
+  let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+    butterfly_2_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) zeta_0_ zeta_1_
+      zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b
   in
   re
 
-let ntt_at_layer_0_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) =
+let ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l (-3342478l) 2244091l
       (-2446433l) (-3562462l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l (-3520352l) (-3759364l)
       (-1197226l) (-3193378l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l 495491l (-1613174l) (-43260l)
       (-522500l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l (-3556995l) (-525098l)
       (-768622l) (-3595838l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l 3437287l (-3342277l)
       1735879l 203044l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l 4055324l 1247620l
       2486353l 1595974l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) (-2994039l) 1869119l
       1903435l (-1050970l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) (-451100l)
       1312455l 3306115l (-1962642l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) 1500165l 777191l
       2235880l 3406031l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) (-2584293l)
       (-3724270l) 594136l (-3776993l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) 1957272l 3369112l
       185531l (-1207385l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l 810149l 1652634l
       (-3694233l) (-1799107l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l 2213111l (-975884l)
       1717735l 472078l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l (-1667432l)
       (-1104333l) (-260646l) (-3833893l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) 183443l
       (-976891l) 1612842l (-3545687l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) 3937738l 1400424l
       (-846154l) 1976782l
   in
   re
 
 let ntt_at_layer_1___round
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
      =
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ index ] <: u8)
-      (re.[ index +! sz 1 <: usize ] <: u8)
+  let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+    butterfly_4_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
       zeta_0_
       zeta_1_
       zeta_2_
       zeta_3_
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b
   in
   re
 
-let ntt_at_layer_1_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) =
+let ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) (-3677745l) (-3041255l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l 2176455l (-1585221l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l (-4083598l) (-1000202l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) (-3632928l) 126922l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) 2147896l 2715295l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) (-411027l) (-2477047l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) (-22981l) (-1308169l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l 1852771l (-1430430l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l 508951l 3097992l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) 904516l 3958618l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) 1653064l (-3249728l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) 759969l (-1316856l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) 3159746l (-1851402l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) 1315589l 1341330l
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) (-812732l) (-1439742l)
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) (-3628969l) 3839961l
   in
   re
 
-let ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) =
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ index ] <: u8) (re.[ index +! sz 1 <: usize ] <: u8) zeta_0_ zeta_1_
+let ntt_at_layer_2___round
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_: i32)
+     =
+  let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+    butterfly_8_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      zeta_0_
+      zeta_1_
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b
   in
   re
 
-let ntt_at_layer_2_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 0) 2706023l 95776l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 2) 3077325l 3530437l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 4) (-1661693l) (-3592148l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 6) (-2537516l) 3915439l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 8) (-3861115l) (-3043716l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 10) 3574422l (-2867647l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 12) 3539968l (-300467l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 14) 2348700l (-539299l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 16) (-1699267l) (-1643818l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 18) 3505694l (-3821735l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 20) 3507263l (-2140649l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 22) (-1600420l) 3699596l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 24) 811944l 531354l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 26) 954230l 3881043l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 28) 3900724l (-2556880l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 30) 2071892l (-2797779l) in
+let ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 0) 2706023l 95776l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 2) 3077325l 3530437l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 4) (-1661693l) (-3592148l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 6) (-2537516l) 3915439l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 8) (-3861115l) (-3043716l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 10) 3574422l (-2867647l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 12) 3539968l (-300467l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 14) 2348700l (-539299l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 16) (-1699267l) (-1643818l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 18) 3505694l (-3821735l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 20) 3507263l (-2140649l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 22) (-1600420l) 3699596l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 24) 811944l 531354l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 26) 954230l 3881043l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 28) 3900724l (-2556880l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_2___round re (sz 30) 2071892l (-2797779l)
+  in
   re
 
-let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
-  let field_modulus:u8 =
+let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
   in
-  let inverse_of_modulus_mod_montgomery_r:u8 =
+  let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
             <:
             u64)
         <:
         i32)
   in
-  let zeta7:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l in
-  let zeta60:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l) in
-  let zeta61:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in
-  let re:t_Array u8 (sz 32) =
+  let zeta7:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l
+  in
+  let zeta60:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l)
+  in
+  let zeta61:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 0)
       zeta7
@@ -335,7 +458,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 0 +! sz 1 <: usize)
       zeta7
@@ -343,7 +466,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 0 +! sz 2 <: usize)
       zeta7
@@ -351,7 +474,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 0 +! sz 3 <: usize)
       zeta7
@@ -360,7 +483,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       inverse_of_modulus_mod_montgomery_r
   in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 8)
       zeta7
@@ -368,7 +491,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 8 +! sz 1 <: usize)
       zeta7
@@ -376,7 +499,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 8 +! sz 2 <: usize)
       zeta7
@@ -384,7 +507,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 8 +! sz 3 <: usize)
       zeta7
@@ -393,7 +516,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       inverse_of_modulus_mod_montgomery_r
   in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 0)
       zeta60
@@ -401,7 +524,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 0 +! sz 1 <: usize)
       zeta60
@@ -409,7 +532,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 0 +! sz 2 <: usize)
       zeta60
@@ -417,7 +540,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 0 +! sz 3 <: usize)
       zeta60
@@ -426,7 +549,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       inverse_of_modulus_mod_montgomery_r
   in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 16)
       zeta61
@@ -434,7 +557,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 16 +! sz 1 <: usize)
       zeta61
@@ -442,7 +565,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 16 +! sz 2 <: usize)
       zeta61
@@ -450,7 +573,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 16 +! sz 3 <: usize)
       zeta61
@@ -459,7 +582,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       inverse_of_modulus_mod_montgomery_r
   in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 4)
       zeta7
@@ -467,7 +590,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 4 +! sz 1 <: usize)
       zeta7
@@ -475,7 +598,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 4 +! sz 2 <: usize)
       zeta7
@@ -483,7 +606,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 4 +! sz 3 <: usize)
       zeta7
@@ -492,7 +615,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       inverse_of_modulus_mod_montgomery_r
   in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 12)
       zeta7
@@ -500,7 +623,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 12 +! sz 1 <: usize)
       zeta7
@@ -508,7 +631,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 12 +! sz 2 <: usize)
       zeta7
@@ -516,7 +639,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 12 +! sz 3 <: usize)
       zeta7
@@ -525,7 +648,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       inverse_of_modulus_mod_montgomery_r
   in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 4)
       zeta60
@@ -533,7 +656,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 4 +! sz 1 <: usize)
       zeta60
@@ -541,7 +664,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 4 +! sz 2 <: usize)
       zeta60
@@ -549,7 +672,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 4 +! sz 3 <: usize)
       zeta60
@@ -558,7 +681,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       inverse_of_modulus_mod_montgomery_r
   in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 20)
       zeta61
@@ -566,7 +689,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 20 +! sz 1 <: usize)
       zeta61
@@ -574,7 +697,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 20 +! sz 2 <: usize)
       zeta61
@@ -582,7 +705,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
       field_modulus
       inverse_of_modulus_mod_montgomery_r
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     ntt_at_layer_7_and_6___mul re
       (sz 20 +! sz 3 <: usize)
       zeta61
@@ -595,87 +718,155 @@ let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
 
 let ntt_at_layer_5_to_3___round
       (v_STEP v_STEP_BY: usize)
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta: i32)
      =
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 zeta in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 zeta
+  in
   let offset:usize =
     ((index *! v_STEP <: usize) *! sz 2 <: usize) /!
     Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
   in
-  let re:t_Array u8 (sz 32) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
     Rust_primitives.Hax.Folds.fold_range offset
       (offset +! v_STEP_BY <: usize)
       (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
           let _:usize = temp_1_ in
           true)
       re
       (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
           let j:usize = j in
-          let t:u8 =
+          let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
             Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! v_STEP_BY <: usize ]
                 <:
-                u8)
+                Libcrux_intrinsics.Avx2_extract.t_Vec256)
               rhs
           in
-          let re:t_Array u8 (sz 32) =
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
               (j +! v_STEP_BY <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ]
+                    <:
+                    Libcrux_intrinsics.Avx2_extract.t_Vec256)
+                  t
+                <:
+                Libcrux_intrinsics.Avx2_extract.t_Vec256)
           in
-          let re:t_Array u8 (sz 32) =
+          let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
               j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ]
+                    <:
+                    Libcrux_intrinsics.Avx2_extract.t_Vec256)
+                  t
+                <:
+                Libcrux_intrinsics.Avx2_extract.t_Vec256)
           in
           re)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   re
 
-let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 0) 237124l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 1) (-777960l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 2) (-876248l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 3) 466468l in
+let ntt_at_layer_5_to_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 0) 237124l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 1) (-777960l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 2) (-876248l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 3) 466468l
+  in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 0) 1826347l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 1) 2353451l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 2) (-359251l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 3) (-2091905l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 4) 3119733l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 5) (-2884855l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 6) 3111497l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 7) 2680103l in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 0) 1826347l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 1) 2353451l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 2) (-359251l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 3) (-2091905l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 4) 3119733l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 5) (-2884855l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 6) 3111497l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 7) 2680103l
+  in
   let _:Prims.unit = () in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 0) 2725464l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 1) 1024112l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 2) (-1079900l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 3) 3585928l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 4) (-549488l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 5) (-1119584l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 6) 2619752l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 7) (-2108549l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 8) (-2118186l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 9) (-3859737l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 10) (-1399561l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 11) (-3277672l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 12) 1757237l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 13) (-19422l) in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 14) 4010497l in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 15) 280005l in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 0) 2725464l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 1) 1024112l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 2) (-1079900l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 3) 3585928l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 4) (-549488l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 5) (-1119584l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 6) 2619752l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 7) (-2108549l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 8) (-2118186l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 9) (-3859737l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 10) (-1399561l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 11) (-3277672l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 12) 1757237l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 13) (-19422l)
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 14) 4010497l
+  in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+    ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 15) 280005l
+  in
   let _:Prims.unit = () in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   re
 
-let ntt (re: t_Array u8 (sz 32)) =
-  let re:t_Array u8 (sz 32) = ntt_at_layer_7_and_6_ re in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3_ re in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_2_ re in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_1_ re in
-  let re:t_Array u8 (sz 32) = ntt_at_layer_0_ re in
+let ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) =
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_7_and_6_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_5_to_3_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_2_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_1_ re in
+  let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_0_ re in
   let _:Prims.unit = () in
   re
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
index bb33358bf..40c8f1b32 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
@@ -12,12 +12,14 @@ let ntt_at_layer_5_to_3___STEP_1: usize = sz 1 <<! 4l
 let ntt_at_layer_5_to_3___STEP_2: usize = sz 1 <<! 3l
 
 val ntt_at_layer_7_and_6___mul
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
-      (zeta: u8)
+      (zeta: Libcrux_intrinsics.Avx2_extract.t_Vec256)
       (step_by: usize)
-      (field_modulus inverse_of_modulus_mod_montgomery_r: u8)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+      (field_modulus inverse_of_modulus_mod_montgomery_r: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
 let ntt_at_layer_5_to_3___STEP_BY: usize =
   ntt_at_layer_5_to_3___STEP /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
@@ -34,57 +36,93 @@ let ntt_at_layer_7_and_6___STEP_BY_6_: usize =
 let ntt_at_layer_7_and_6___STEP_BY_7_: usize =
   sz 2 *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
 
-val butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32)
-    : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val butterfly_4_ (a b: u8) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32)
-    : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val butterfly_8_ (a b: u8) (zeta0 zeta1: i32)
-    : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+val butterfly_2_
+      (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val butterfly_4_
+      (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
 val ntt_at_layer_0___round
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-val ntt_at_layer_0_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+val ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
 val ntt_at_layer_1___round
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-val ntt_at_layer_1_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+val ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-val ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+val ntt_at_layer_2___round
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_: i32)
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-val ntt_at_layer_2_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+val ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
 /// This is equivalent to the pqclean 0 and 1
 /// This does 32 Montgomery multiplications (192 multiplications).
 /// This is the same as in pqclean. The only difference is locality of registers.
-val ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+val ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
 val ntt_at_layer_5_to_3___round
       (v_STEP v_STEP_BY: usize)
-      (re: t_Array u8 (sz 32))
+      (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
       (index: usize)
       (zeta: i32)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
 /// Layer 5, 4, 3
 /// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total
 /// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48)
-val ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val ntt (re: t_Array u8 (sz 32))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+val ntt_at_layer_5_to_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+    : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst
index 51c69e1a1..67e806244 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst
@@ -3,31 +3,37 @@ module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta
 open Core
 open FStar.Mul
 
-let shift_interval (v_ETA: usize) (coefficients: u8) =
+let shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
   match cast (v_ETA <: usize) <: u8 with
   | 2uy ->
-    let quotient:u8 =
+    let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
       Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 coefficients
-        (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 26l <: u8)
+        (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 26l
+          <:
+          Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    in
+    let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+      Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 7l quotient
     in
-    let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 7l quotient in
-    let quotient:u8 =
+    let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
       Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 quotient
-        (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 5l <: u8)
+        (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 5l
+          <:
+          Libcrux_intrinsics.Avx2_extract.t_Vec256)
     in
-    let coefficients_mod_5_:u8 =
+    let coefficients_mod_5_:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
       Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 coefficients quotient
     in
     Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
           (cast (v_ETA <: usize) <: i32)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
       coefficients_mod_5_
   | 4uy ->
     Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
           (cast (v_ETA <: usize) <: i32)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
       coefficients
   | _ ->
     Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
@@ -36,7 +42,7 @@ let shift_interval (v_ETA: usize) (coefficients: u8) =
         Rust_primitives.Hax.t_Never)
 
 let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) =
-  let potential_coefficients:u8 =
+  let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize_to_unsigned (sz 4) input
   in
   let (interval_boundary: i32):i32 =
@@ -49,11 +55,11 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) =
           <:
           Rust_primitives.Hax.t_Never)
   in
-  let compare_with_interval_boundary:u8 =
+  let compare_with_interval_boundary:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
           interval_boundary
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
       potential_coefficients
   in
   let good:i32 =
@@ -64,7 +70,9 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) =
   in
   let good_lower_half:i32 = good &. 15l in
   let good_upper_half:i32 = good >>! 4l in
-  let shifted:u8 = shift_interval v_ETA potential_coefficients in
+  let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    shift_interval v_ETA potential_coefficients
+  in
   let lower_shuffles:t_Array u8 (sz 16) =
     Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half
           <:
@@ -72,11 +80,13 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) =
       <:
       usize ]
   in
-  let lower_shuffles:u8 =
+  let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8)
   in
-  let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 shifted in
-  let lower_coefficients:u8 =
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 shifted
+  in
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles
   in
   let output:t_Slice i32 =
@@ -104,11 +114,13 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) =
       <:
       usize ]
   in
-  let upper_shuffles:u8 =
+  let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8)
   in
-  let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l shifted in
-  let upper_coefficients:u8 =
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l shifted
+  in
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles
   in
   let output:t_Slice i32 =
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti
index 43361f3bb..b18b2e3aa 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti
@@ -3,8 +3,8 @@ module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta
 open Core
 open FStar.Mul
 
-val shift_interval (v_ETA: usize) (coefficients: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
 val sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32)
     : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst
index 1ff5ab537..f3d66cf87 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst
@@ -26,32 +26,36 @@ let bytestream_to_potential_coefficients (serialized: t_Slice u8) =
         <:
         t_Slice u8)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_u8 (serialized_extended <: t_Slice u8)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 5l 4l 3l 0l 2l 1l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 5l 4l 3l 0l 2l 1l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y
           (-1y) 2y 1y 0y (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y (-1y) 2y 1y 0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
     (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 bytestream_to_potential_coefficients__COEFFICIENT_MASK
 
       <:
-      u8)
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
 let sample (input: t_Slice u8) (output: t_Slice i32) =
-  let field_modulus:u8 =
+  let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
   in
-  let potential_coefficients:u8 = bytestream_to_potential_coefficients input in
-  let compare_with_field_modulus:u8 =
+  let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    bytestream_to_potential_coefficients input
+  in
+  let compare_with_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 field_modulus potential_coefficients
   in
   let good:i32 =
@@ -69,13 +73,13 @@ let sample (input: t_Slice u8) (output: t_Slice i32) =
       <:
       usize ]
   in
-  let lower_shuffles:u8 =
+  let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8)
   in
-  let lower_coefficients:u8 =
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 potential_coefficients
   in
-  let lower_coefficients:u8 =
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles
   in
   let output:t_Slice i32 =
@@ -103,13 +107,13 @@ let sample (input: t_Slice u8) (output: t_Slice i32) =
       <:
       usize ]
   in
-  let upper_shuffles:u8 =
+  let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8)
   in
-  let upper_coefficients:u8 =
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients
   in
-  let upper_coefficients:u8 =
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles
   in
   let output:t_Slice i32 =
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti
index 185397a4b..8d297cab8 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti
@@ -6,7 +6,7 @@ open FStar.Mul
 let bytestream_to_potential_coefficients__COEFFICIENT_MASK: i32 = (1l <<! 23l <: i32) -! 1l
 
 val bytestream_to_potential_coefficients (serialized: t_Slice u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
 val sample (input: t_Slice u8) (output: t_Slice i32)
     : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst
index 8dc299c31..1956943ed 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst
@@ -4,24 +4,45 @@ open Core
 open FStar.Mul
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl: Core.Convert.t_From t_AVX2SIMDUnit u8 =
+let impl: Core.Convert.t_From t_AVX2SIMDUnit Libcrux_intrinsics.Avx2_extract.t_Vec256 =
   {
-    f_from_pre = (fun (coefficients: u8) -> true);
-    f_from_post = (fun (coefficients: u8) (out: t_AVX2SIMDUnit) -> true);
-    f_from = fun (coefficients: u8) -> { f_coefficients = coefficients } <: t_AVX2SIMDUnit
+    f_from_pre = (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true);
+    f_from_post
+    =
+    (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_AVX2SIMDUnit) -> true);
+    f_from
+    =
+    fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) ->
+      { f_coefficients = coefficients } <: t_AVX2SIMDUnit
   }
 
 let v_ZERO (_: Prims.unit) =
-  Core.Convert.f_into #u8
+  Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
     #t_AVX2SIMDUnit
     #FStar.Tactics.Typeclasses.solve
-    (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () <: u8)
+    (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 ()
+      <:
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
 let from_coefficient_array (coefficient_array: t_Slice i32) =
-  Core.Convert.f_into #u8
+  Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
     #t_AVX2SIMDUnit
     #FStar.Tactics.Typeclasses.solve
-    (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array <: u8)
+    (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array
+      <:
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Clone.t_Clone t_AVX2SIMDUnit
+
+let impl_1 = impl_1'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2': Core.Marker.t_Copy t_AVX2SIMDUnit
+
+let impl_2 = impl_2'
 
 let to_coefficient_array (x: t_AVX2SIMDUnit) =
   let coefficient_array:t_Array i32 (sz 8) = Rust_primitives.Hax.repeat 0l (sz 8) in
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti
index e14bacddd..22d84936b 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti
@@ -3,15 +3,21 @@ module Libcrux_ml_dsa.Simd.Avx2.Vector_type
 open Core
 open FStar.Mul
 
-type t_AVX2SIMDUnit = { f_coefficients:u8 }
+type t_AVX2SIMDUnit = { f_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:Core.Convert.t_From t_AVX2SIMDUnit u8
+val impl:Core.Convert.t_From t_AVX2SIMDUnit Libcrux_intrinsics.Avx2_extract.t_Vec256
 
 val v_ZERO: Prims.unit -> Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True)
 
 val from_coefficient_array (coefficient_array: t_Slice i32)
     : Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True)
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Clone.t_Clone t_AVX2SIMDUnit
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2:Core.Marker.t_Copy t_AVX2SIMDUnit
+
 val to_coefficient_array (x: t_AVX2SIMDUnit)
     : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst
index 3c5867826..92aee3dbe 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst
@@ -64,14 +64,14 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
         (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         ->
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs
                 .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
               rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
             <:
-            u8));
+            Libcrux_intrinsics.Avx2_extract.t_Vec256));
     f_subtract_pre
     =
     (fun
@@ -93,14 +93,14 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
         (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         ->
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs
                 .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
               rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
             <:
-            u8));
+            Libcrux_intrinsics.Avx2_extract.t_Vec256));
     f_montgomery_multiply_pre
     =
     (fun
@@ -122,14 +122,14 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
         (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         ->
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs
                 .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
               rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
             <:
-            u8));
+            Libcrux_intrinsics.Avx2_extract.t_Vec256));
     f_shift_left_then_reduce_pre
     =
     (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true);
@@ -144,13 +144,13 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
     f_shift_left_then_reduce
     =
     (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) ->
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY
               simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
             <:
-            u8));
+            Libcrux_intrinsics.Avx2_extract.t_Vec256));
     f_power2round_pre
     =
     (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true);
@@ -166,15 +166,16 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
     f_power2round
     =
     (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) ->
-        let lower, upper:(u8 & u8) =
+        let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 &
+          Libcrux_intrinsics.Avx2_extract.t_Vec256) =
           Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round simd_unit
               .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
         in
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           lower,
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           upper
@@ -214,15 +215,16 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
     f_decompose
     =
     (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) ->
-        let lower, upper:(u8 & u8) =
+        let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 &
+          Libcrux_intrinsics.Avx2_extract.t_Vec256) =
           Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose v_GAMMA2
             simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
         in
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           lower,
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           upper
@@ -253,13 +255,13 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
         (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         ->
-        let count, hint:(usize & u8) =
+        let count, hint:(usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) =
           Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2
             low.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
             high.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
         in
         count,
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           hint
@@ -289,14 +291,14 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
         (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
         ->
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
           (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint v_GAMMA2
               simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
               hint.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
             <:
-            u8));
+            Libcrux_intrinsics.Avx2_extract.t_Vec256));
     f_rejection_sample_less_than_field_modulus_pre
     =
     (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true);
@@ -344,21 +346,37 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
         out, hax_temp_output <: (t_Slice i32 & usize));
     f_gamma1_serialize_pre
     =
-    (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) ->
+    (fun
+        (v_GAMMA1_EXPONENT: usize)
+        (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
+        (serialized: t_Slice u8)
+        ->
         true);
     f_gamma1_serialize_post
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
+        (v_GAMMA1_EXPONENT: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
-        (out: t_Array u8 v_OUTPUT_SIZE)
+        (serialized: t_Slice u8)
+        (out: t_Slice u8)
         ->
         true);
     f_gamma1_serialize
     =
-    (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) ->
-        Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_OUTPUT_SIZE
-          simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients);
+    (fun
+        (v_GAMMA1_EXPONENT: usize)
+        (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
+        (serialized: t_Slice u8)
+        ->
+        let hax_temp_output, serialized:(Prims.unit & t_Slice u8) =
+          (),
+          Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_GAMMA1_EXPONENT
+            simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
+            serialized
+          <:
+          (Prims.unit & t_Slice u8)
+        in
+        serialized);
     f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true);
     f_gamma1_deserialize_post
     =
@@ -371,44 +389,75 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
     f_gamma1_deserialize
     =
     (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) ->
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
-          (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized <: u8));
+          (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256));
     f_commitment_serialize_pre
     =
-    (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) ->
+    (fun
+        (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
+        (serialized: t_Slice u8)
+        ->
         true);
     f_commitment_serialize_post
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
-        (out: t_Array u8 v_OUTPUT_SIZE)
+        (serialized: t_Slice u8)
+        (out: t_Slice u8)
         ->
         true);
     f_commitment_serialize
     =
-    (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) ->
-        Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize v_OUTPUT_SIZE
-          simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients);
+    (fun
+        (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
+        (serialized: t_Slice u8)
+        ->
+        let hax_temp_output, serialized:(Prims.unit & t_Slice u8) =
+          (),
+          Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize simd_unit
+              .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
+            serialized
+          <:
+          (Prims.unit & t_Slice u8)
+        in
+        serialized);
     f_error_serialize_pre
     =
-    (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) ->
+    (fun
+        (v_ETA: usize)
+        (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
+        (serialized: t_Slice u8)
+        ->
         true);
     f_error_serialize_post
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
+        (v_ETA: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
-        (out: t_Array u8 v_OUTPUT_SIZE)
+        (serialized: t_Slice u8)
+        (out: t_Slice u8)
         ->
         true);
     f_error_serialize
     =
-    (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) ->
-        Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_OUTPUT_SIZE
-          simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients);
+    (fun
+        (v_ETA: usize)
+        (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
+        (serialized: t_Slice u8)
+        ->
+        let hax_temp_output, serialized:(Prims.unit & t_Slice u8) =
+          (),
+          Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_ETA
+            simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
+            serialized
+          <:
+          (Prims.unit & t_Slice u8)
+        in
+        serialized);
     f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true);
     f_error_deserialize_post
     =
@@ -421,10 +470,12 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
     f_error_deserialize
     =
     (fun (v_ETA: usize) (serialized: t_Slice u8) ->
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
-          (Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize v_ETA serialized <: u8));
+          (Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize v_ETA serialized
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256));
     f_t0_serialize_pre
     =
     (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true);
@@ -448,10 +499,12 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
     f_t0_deserialize
     =
     (fun (serialized: t_Slice u8) ->
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
-          (Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized <: u8));
+          (Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256));
     f_t1_serialize_pre
     =
     (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true);
@@ -475,10 +528,12 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
     f_t1_deserialize
     =
     (fun (serialized: t_Slice u8) ->
-        Core.Convert.f_into #u8
+        Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256
           #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           #FStar.Tactics.Typeclasses.solve
-          (Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized <: u8));
+          (Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256));
     f_ntt_pre
     =
     (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> true);
@@ -492,34 +547,42 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
     f_ntt
     =
     (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) ->
-        let re:t_Array u8 (sz 32) =
-          Rust_primitives.Hax.repeat (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () <: u8)
+        let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+          Rust_primitives.Hax.repeat (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 ()
+              <:
+              Libcrux_intrinsics.Avx2_extract.t_Vec256)
             (sz 32)
         in
-        let re:t_Array u8 (sz 32) =
+        let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
           Rust_primitives.Hax.Folds.fold_range (sz 0)
             Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT
             (fun re temp_1_ ->
-                let re:t_Array u8 (sz 32) = re in
+                let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
                 let _:usize = temp_1_ in
                 true)
             re
             (fun re i ->
-                let re:t_Array u8 (sz 32) = re in
+                let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
                 let i:usize = i in
                 Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
                   i
                   (simd_units.[ i ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
                     .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
                 <:
-                t_Array u8 (sz 32))
+                t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+        in
+        let result:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+          Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt re
         in
-        let result:t_Array u8 (sz 32) = Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt re in
         Core.Array.from_fn #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
           (sz 32)
           (fun i ->
               let i:usize = i in
-              { Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients = result.[ i ] <: u8 }
+              {
+                Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
+                =
+                result.[ i ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256
+              }
               <:
               Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit));
     f_invert_ntt_montgomery_pre
@@ -535,34 +598,42 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit =
     f_invert_ntt_montgomery
     =
     fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) ->
-      let re:t_Array u8 (sz 32) =
-        Rust_primitives.Hax.repeat (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () <: u8)
+      let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+        Rust_primitives.Hax.repeat (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 ()
+            <:
+            Libcrux_intrinsics.Avx2_extract.t_Vec256)
           (sz 32)
       in
-      let re:t_Array u8 (sz 32) =
+      let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
         Rust_primitives.Hax.Folds.fold_range (sz 0)
           Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT
           (fun re temp_1_ ->
-              let re:t_Array u8 (sz 32) = re in
+              let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
               let _:usize = temp_1_ in
               true)
           re
           (fun re i ->
-              let re:t_Array u8 (sz 32) = re in
+              let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in
               let i:usize = i in
               Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
                 i
                 (simd_units.[ i ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
                   .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
               <:
-              t_Array u8 (sz 32))
+              t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32))
+      in
+      let result:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) =
+        Libcrux_ml_dsa.Simd.Avx2.Invntt.invert_ntt_montgomery re
       in
-      let result:t_Array u8 (sz 32) = Libcrux_ml_dsa.Simd.Avx2.Invntt.invert_ntt_montgomery re in
       Core.Array.from_fn #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
         (sz 32)
         (fun i ->
             let i:usize = i in
-            { Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients = result.[ i ] <: u8 }
+            {
+              Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients
+              =
+              result.[ i ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256
+            }
             <:
             Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)
   }
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst
index ff1788cd5..3fb3f1467 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst
@@ -4,69 +4,74 @@ open Core
 open FStar.Mul
 
 let serialize
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in
-  match cast (v_OUTPUT_SIZE <: usize) <: u8 with
-  | 4uy ->
-    let serialized:t_Array u8 v_OUTPUT_SIZE =
-      Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2)
-        (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32)
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let _:usize = temp_1_ in
-            true)
-        serialized
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let i, coefficients:(usize & t_Slice i32) = temp_1_ in
-            let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in
-            let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in
-            let serialized:t_Array u8 v_OUTPUT_SIZE =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
-                i
-                ((coefficient1 <<! 4l <: u8) |. coefficient0 <: u8)
-            in
-            serialized)
-    in
-    serialized
-  | 6uy ->
-    let serialized:t_Array u8 v_OUTPUT_SIZE =
-      Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4)
-        (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32)
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let _:usize = temp_1_ in
-            true)
-        serialized
-        (fun serialized temp_1_ ->
-            let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
-            let i, coefficients:(usize & t_Slice i32) = temp_1_ in
-            let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in
-            let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in
-            let coefficient2:u8 = cast (coefficients.[ sz 2 ] <: i32) <: u8 in
-            let coefficient3:u8 = cast (coefficients.[ sz 3 ] <: i32) <: u8 in
-            let serialized:t_Array u8 v_OUTPUT_SIZE =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
-                (sz 3 *! i <: usize)
-                ((coefficient1 <<! 6l <: u8) |. coefficient0 <: u8)
-            in
-            let serialized:t_Array u8 v_OUTPUT_SIZE =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
-                ((sz 3 *! i <: usize) +! sz 1 <: usize)
-                ((coefficient2 <<! 4l <: u8) |. (coefficient1 >>! 2l <: u8) <: u8)
-            in
-            let serialized:t_Array u8 v_OUTPUT_SIZE =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
-                ((sz 3 *! i <: usize) +! sz 2 <: usize)
-                ((coefficient3 <<! 2l <: u8) |. (coefficient2 >>! 4l <: u8) <: u8)
-            in
-            serialized)
-    in
-    serialized
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+  let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) =
+    match cast (Core.Slice.impl__len #u8 serialized <: usize) <: u8 with
+    | 4uy ->
+      let serialized:t_Slice u8 =
+        Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2)
+          (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32)
+          (fun serialized temp_1_ ->
+              let serialized:t_Slice u8 = serialized in
+              let _:usize = temp_1_ in
+              true)
+          serialized
+          (fun serialized temp_1_ ->
+              let serialized:t_Slice u8 = serialized in
+              let i, coefficients:(usize & t_Slice i32) = temp_1_ in
+              let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in
+              let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in
+              let serialized:t_Slice u8 =
+                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+                  i
+                  ((coefficient1 <<! 4l <: u8) |. coefficient0 <: u8)
+              in
+              serialized)
+      in
+      serialized, (() <: Prims.unit) <: (t_Slice u8 & Prims.unit)
+    | 6uy ->
+      let serialized:t_Slice u8 =
+        Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4)
+          (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32)
+          (fun serialized temp_1_ ->
+              let serialized:t_Slice u8 = serialized in
+              let _:usize = temp_1_ in
+              true)
+          serialized
+          (fun serialized temp_1_ ->
+              let serialized:t_Slice u8 = serialized in
+              let i, coefficients:(usize & t_Slice i32) = temp_1_ in
+              let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in
+              let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in
+              let coefficient2:u8 = cast (coefficients.[ sz 2 ] <: i32) <: u8 in
+              let coefficient3:u8 = cast (coefficients.[ sz 3 ] <: i32) <: u8 in
+              let serialized:t_Slice u8 =
+                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+                  (sz 3 *! i <: usize)
+                  ((coefficient1 <<! 6l <: u8) |. coefficient0 <: u8)
+              in
+              let serialized:t_Slice u8 =
+                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+                  ((sz 3 *! i <: usize) +! sz 1 <: usize)
+                  ((coefficient2 <<! 4l <: u8) |. (coefficient1 >>! 2l <: u8) <: u8)
+              in
+              let serialized:t_Slice u8 =
+                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+                  ((sz 3 *! i <: usize) +! sz 2 <: usize)
+                  ((coefficient3 <<! 2l <: u8) |. (coefficient2 >>! 4l <: u8) <: u8)
+              in
+              serialized)
+      in
+      serialized, (() <: Prims.unit) <: (t_Slice u8 & Prims.unit)
+    | _ ->
+      serialized,
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
-        <:
-        Rust_primitives.Hax.t_Never)
+          <:
+          Rust_primitives.Hax.t_Never)
+      <:
+      (t_Slice u8 & Prims.unit)
+  in
+  serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti
index cc50ef52c..a06e23904 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti
@@ -4,6 +4,6 @@ open Core
 open FStar.Mul
 
 val serialize
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst
index a91008218..2b13f6a43 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst
@@ -4,10 +4,9 @@ open Core
 open FStar.Mul
 
 let serialize_when_eta_is_2_
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in
   let coefficient0:u8 =
     cast (serialize_when_eta_is_2___ETA -!
         (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32)
@@ -72,12 +71,12 @@ let serialize_when_eta_is_2_
     <:
     u8
   in
-  let serialized:t_Array u8 v_OUTPUT_SIZE =
+  let serialized:t_Slice u8 =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
       (sz 0)
       (((coefficient2 <<! 6l <: u8) |. (coefficient1 <<! 3l <: u8) <: u8) |. coefficient0 <: u8)
   in
-  let serialized:t_Array u8 v_OUTPUT_SIZE =
+  let serialized:t_Slice u8 =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
       (sz 1)
       ((((coefficient5 <<! 7l <: u8) |. (coefficient4 <<! 4l <: u8) <: u8) |.
@@ -88,7 +87,7 @@ let serialize_when_eta_is_2_
         <:
         u8)
   in
-  let serialized:t_Array u8 v_OUTPUT_SIZE =
+  let serialized:t_Slice u8 =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
       (sz 2)
       (((coefficient7 <<! 5l <: u8) |. (coefficient6 <<! 2l <: u8) <: u8) |.
@@ -288,20 +287,19 @@ let deserialize (v_ETA: usize) (serialized: t_Slice u8) =
         Rust_primitives.Hax.t_Never)
 
 let serialize_when_eta_is_4_
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in
-  let serialized:t_Array u8 v_OUTPUT_SIZE =
+  let serialized:t_Slice u8 =
     Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2)
       (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32)
       (fun serialized temp_1_ ->
-          let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
+          let serialized:t_Slice u8 = serialized in
           let _:usize = temp_1_ in
           true)
       serialized
       (fun serialized temp_1_ ->
-          let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
+          let serialized:t_Slice u8 = serialized in
           let i, coefficients:(usize & t_Slice i32) = temp_1_ in
           let coefficient0:u8 =
             cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8
@@ -309,24 +307,32 @@ let serialize_when_eta_is_4_
           let coefficient1:u8 =
             cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               i
               ((coefficient1 <<! 4l <: u8) |. coefficient0 <: u8)
           in
           serialized)
   in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
   serialized
 
 let serialize
-      (v_OUTPUT_SIZE: usize)
+      (v_ETA: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+      (serialized: t_Slice u8)
      =
-  match cast (v_OUTPUT_SIZE <: usize) <: u8 with
-  | 3uy -> serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit
-  | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+  let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) =
+    match cast (v_ETA <: usize) <: u8 with
+    | 2uy -> serialize_when_eta_is_2_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit)
+    | 4uy -> serialize_when_eta_is_4_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit)
+    | _ ->
+      serialized,
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
-        <:
-        Rust_primitives.Hax.t_Never)
+          <:
+          Rust_primitives.Hax.t_Never)
+      <:
+      (t_Slice u8 & Prims.unit)
+  in
+  serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti
index e973dc734..3d5414485 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti
@@ -12,9 +12,9 @@ let serialize_when_eta_is_2___ETA: i32 = 2l
 let serialize_when_eta_is_4___ETA: i32 = 4l
 
 val serialize_when_eta_is_2_
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
 val deserialize_when_eta_is_2_ (serialized: t_Slice u8)
     : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
@@ -32,11 +32,12 @@ val deserialize (v_ETA: usize) (serialized: t_Slice u8)
       (fun _ -> Prims.l_True)
 
 val serialize_when_eta_is_4_
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
 val serialize
-      (v_OUTPUT_SIZE: usize)
+      (v_ETA: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst
index ca1f48e87..2f3e006e4 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst
@@ -203,20 +203,19 @@ let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) =
         Rust_primitives.Hax.t_Never)
 
 let serialize_when_gamma1_is_2_pow_17_
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in
-  let serialized:t_Array u8 v_OUTPUT_SIZE =
+  let serialized:t_Slice u8 =
     Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4)
       (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32)
       (fun serialized temp_1_ ->
-          let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
+          let serialized:t_Slice u8 = serialized in
           let _:usize = temp_1_ in
           true)
       serialized
       (fun serialized temp_1_ ->
-          let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
+          let serialized:t_Slice u8 = serialized in
           let i, coefficients:(usize & t_Slice i32) = temp_1_ in
           let coefficient0:i32 =
             serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32)
@@ -230,22 +229,22 @@ let serialize_when_gamma1_is_2_pow_17_
           let coefficient3:i32 =
             serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               (sz 9 *! i <: usize)
               (cast (coefficient0 <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 1 <: usize)
               (cast (coefficient0 >>! 8l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 2 <: usize)
               (cast (coefficient0 >>! 16l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 2 <: usize)
               ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |.
@@ -253,17 +252,17 @@ let serialize_when_gamma1_is_2_pow_17_
                 <:
                 u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 3 <: usize)
               (cast (coefficient1 >>! 6l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 4 <: usize)
               (cast (coefficient1 >>! 14l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 4 <: usize)
               ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |.
@@ -271,17 +270,17 @@ let serialize_when_gamma1_is_2_pow_17_
                 <:
                 u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 5 <: usize)
               (cast (coefficient2 >>! 4l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 6 <: usize)
               (cast (coefficient2 >>! 12l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 6 <: usize)
               ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |.
@@ -289,35 +288,35 @@ let serialize_when_gamma1_is_2_pow_17_
                 <:
                 u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 7 <: usize)
               (cast (coefficient3 >>! 2l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 9 *! i <: usize) +! sz 8 <: usize)
               (cast (coefficient3 >>! 10l <: i32) <: u8)
           in
           serialized)
   in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
   serialized
 
 let serialize_when_gamma1_is_2_pow_19_
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in
-  let serialized:t_Array u8 v_OUTPUT_SIZE =
+  let serialized:t_Slice u8 =
     Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2)
       (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32)
       (fun serialized temp_1_ ->
-          let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
+          let serialized:t_Slice u8 = serialized in
           let _:usize = temp_1_ in
           true)
       serialized
       (fun serialized temp_1_ ->
-          let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in
+          let serialized:t_Slice u8 = serialized in
           let i, coefficients:(usize & t_Slice i32) = temp_1_ in
           let coefficient0:i32 =
             serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32)
@@ -325,22 +324,22 @@ let serialize_when_gamma1_is_2_pow_19_
           let coefficient1:i32 =
             serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 1 ] <: i32)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               (sz 5 *! i <: usize)
               (cast (coefficient0 <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 1 <: usize)
               (cast (coefficient0 >>! 8l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 2 <: usize)
               (cast (coefficient0 >>! 16l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 2 <: usize)
               ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |.
@@ -348,29 +347,39 @@ let serialize_when_gamma1_is_2_pow_19_
                 <:
                 u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 3 <: usize)
               (cast (coefficient1 >>! 4l <: i32) <: u8)
           in
-          let serialized:t_Array u8 v_OUTPUT_SIZE =
+          let serialized:t_Slice u8 =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 4 <: usize)
               (cast (coefficient1 >>! 12l <: i32) <: u8)
           in
           serialized)
   in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
   serialized
 
 let serialize
-      (v_OUTPUT_SIZE: usize)
+      (v_GAMMA1_EXPONENT: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+      (serialized: t_Slice u8)
      =
-  match cast (v_OUTPUT_SIZE <: usize) <: u8 with
-  | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit
-  | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+  let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) =
+    match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with
+    | 17uy ->
+      serialize_when_gamma1_is_2_pow_17_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit)
+    | 19uy ->
+      serialize_when_gamma1_is_2_pow_19_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit)
+    | _ ->
+      serialized,
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
-        <:
-        Rust_primitives.Hax.t_Never)
+          <:
+          Rust_primitives.Hax.t_Never)
+      <:
+      (t_Slice u8 & Prims.unit)
+  in
+  serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti
index a22f485c1..635329f6a 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti
@@ -33,16 +33,17 @@ val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8)
       (fun _ -> Prims.l_True)
 
 val serialize_when_gamma1_is_2_pow_17_
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
 val serialize_when_gamma1_is_2_pow_19_
-      (v_OUTPUT_SIZE: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
 val serialize
-      (v_OUTPUT_SIZE: usize)
+      (v_GAMMA1_EXPONENT: usize)
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-    : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst
index 25f533de9..b381e5f1b 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst
@@ -6,9 +6,10 @@ open FStar.Mul
 let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32) =
   let sampled:usize = sz 0 in
   let out, sampled:(t_Slice i32 & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8)
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter
+            u8)
           #FStar.Tactics.Typeclasses.solve
-          randomness
+          (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8)
         <:
         Core.Slice.Iter.t_Iter u8)
       (out, sampled <: (t_Slice i32 & usize))
@@ -54,9 +55,10 @@ let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Sl
 let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) =
   let sampled:usize = sz 0 in
   let out, sampled:(t_Slice i32 & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8)
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter
+            u8)
           #FStar.Tactics.Typeclasses.solve
-          randomness
+          (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8)
         <:
         Core.Slice.Iter.t_Iter u8)
       (out, sampled <: (t_Slice i32 & usize))
@@ -94,12 +96,12 @@ let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Sl
 let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) =
   let sampled:usize = sz 0 in
   let out, sampled:(t_Slice i32 & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact
             u8)
           #FStar.Tactics.Typeclasses.solve
-          (Core.Slice.impl__chunks #u8 randomness (sz 3) <: Core.Slice.Iter.t_Chunks u8)
+          (Core.Slice.impl__chunks_exact #u8 randomness (sz 3) <: Core.Slice.Iter.t_ChunksExact u8)
         <:
-        Core.Slice.Iter.t_Chunks u8)
+        Core.Slice.Iter.t_ChunksExact u8)
       (out, sampled <: (t_Slice i32 & usize))
       (fun temp_0_ bytes ->
           let out, sampled:(t_Slice i32 & usize) = temp_0_ in
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst
index 338234407..cf5cb8df2 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst
@@ -25,5 +25,17 @@ let from_coefficient_array (array: t_Slice i32) =
 
 let to_coefficient_array (x: t_PortableSIMDUnit) = x.f_coefficients
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Core.Clone.t_Clone t_PortableSIMDUnit
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Marker.t_Copy t_PortableSIMDUnit
+
+let impl_1 = impl_1'
+
 let v_ZERO (_: Prims.unit) =
   { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 8) } <: t_PortableSIMDUnit
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti
index 0b3010e59..f30200b21 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti
@@ -11,4 +11,10 @@ val from_coefficient_array (array: t_Slice i32)
 val to_coefficient_array (x: t_PortableSIMDUnit)
     : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_PortableSIMDUnit
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_PortableSIMDUnit
+
 val v_ZERO: Prims.unit -> Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst
index b5c72724c..a997fecc8 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst
@@ -282,25 +282,36 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit =
     f_gamma1_serialize_pre
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
+        (v_GAMMA1_EXPONENT: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+        (serialized: t_Slice u8)
         ->
         true);
     f_gamma1_serialize_post
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
+        (v_GAMMA1_EXPONENT: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-        (out: t_Array u8 v_OUTPUT_SIZE)
+        (serialized: t_Slice u8)
+        (out: t_Slice u8)
         ->
         true);
     f_gamma1_serialize
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
+        (v_GAMMA1_EXPONENT: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+        (serialized: t_Slice u8)
         ->
-        Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit);
+        let hax_temp_output, serialized:(Prims.unit & t_Slice u8) =
+          (),
+          Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_GAMMA1_EXPONENT
+            simd_unit
+            serialized
+          <:
+          (Prims.unit & t_Slice u8)
+        in
+        serialized);
     f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true);
     f_gamma1_deserialize_post
     =
@@ -317,47 +328,60 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit =
     f_commitment_serialize_pre
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+        (serialized: t_Slice u8)
         ->
         true);
     f_commitment_serialize_post
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-        (out: t_Array u8 v_OUTPUT_SIZE)
+        (serialized: t_Slice u8)
+        (out: t_Slice u8)
         ->
         true);
     f_commitment_serialize
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+        (serialized: t_Slice u8)
         ->
-        Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize v_OUTPUT_SIZE simd_unit);
+        let hax_temp_output, serialized:(Prims.unit & t_Slice u8) =
+          (), Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize simd_unit serialized
+          <:
+          (Prims.unit & t_Slice u8)
+        in
+        serialized);
     f_error_serialize_pre
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
+        (v_ETA: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+        (serialized: t_Slice u8)
         ->
         true);
     f_error_serialize_post
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
+        (v_ETA: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-        (out: t_Array u8 v_OUTPUT_SIZE)
+        (serialized: t_Slice u8)
+        (out: t_Slice u8)
         ->
         true);
     f_error_serialize
     =
     (fun
-        (v_OUTPUT_SIZE: usize)
+        (v_ETA: usize)
         (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+        (serialized: t_Slice u8)
         ->
-        Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit);
+        let hax_temp_output, serialized:(Prims.unit & t_Slice u8) =
+          (), Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_ETA simd_unit serialized
+          <:
+          (Prims.unit & t_Slice u8)
+        in
+        serialized);
     f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true);
     f_error_deserialize_post
     =
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti
index 280e421e6..9b879cee0 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti
@@ -92,30 +92,30 @@ class t_Operations (v_Self: Type0) = {
     -> Prims.Pure (t_Slice i32 & usize)
         (f_rejection_sample_less_than_eta_equals_4_pre x0 x1)
         (fun result -> f_rejection_sample_less_than_eta_equals_4_post x0 x1 result);
-  f_gamma1_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0;
-  f_gamma1_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0;
-  f_gamma1_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self
-    -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE)
-        (f_gamma1_serialize_pre v_OUTPUT_SIZE x0)
-        (fun result -> f_gamma1_serialize_post v_OUTPUT_SIZE x0 result);
+  f_gamma1_serialize_pre:v_GAMMA1_EXPONENT: usize -> v_Self -> t_Slice u8 -> Type0;
+  f_gamma1_serialize_post:v_GAMMA1_EXPONENT: usize -> v_Self -> t_Slice u8 -> t_Slice u8 -> Type0;
+  f_gamma1_serialize:v_GAMMA1_EXPONENT: usize -> x0: v_Self -> x1: t_Slice u8
+    -> Prims.Pure (t_Slice u8)
+        (f_gamma1_serialize_pre v_GAMMA1_EXPONENT x0 x1)
+        (fun result -> f_gamma1_serialize_post v_GAMMA1_EXPONENT x0 x1 result);
   f_gamma1_deserialize_pre:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> Type0;
   f_gamma1_deserialize_post:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> v_Self -> Type0;
   f_gamma1_deserialize:v_GAMMA1_EXPONENT: usize -> x0: t_Slice u8
     -> Prims.Pure v_Self
         (f_gamma1_deserialize_pre v_GAMMA1_EXPONENT x0)
         (fun result -> f_gamma1_deserialize_post v_GAMMA1_EXPONENT x0 result);
-  f_commitment_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0;
-  f_commitment_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0;
-  f_commitment_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self
-    -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE)
-        (f_commitment_serialize_pre v_OUTPUT_SIZE x0)
-        (fun result -> f_commitment_serialize_post v_OUTPUT_SIZE x0 result);
-  f_error_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0;
-  f_error_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0;
-  f_error_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self
-    -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE)
-        (f_error_serialize_pre v_OUTPUT_SIZE x0)
-        (fun result -> f_error_serialize_post v_OUTPUT_SIZE x0 result);
+  f_commitment_serialize_pre:v_Self -> t_Slice u8 -> Type0;
+  f_commitment_serialize_post:v_Self -> t_Slice u8 -> t_Slice u8 -> Type0;
+  f_commitment_serialize:x0: v_Self -> x1: t_Slice u8
+    -> Prims.Pure (t_Slice u8)
+        (f_commitment_serialize_pre x0 x1)
+        (fun result -> f_commitment_serialize_post x0 x1 result);
+  f_error_serialize_pre:v_ETA: usize -> v_Self -> t_Slice u8 -> Type0;
+  f_error_serialize_post:v_ETA: usize -> v_Self -> t_Slice u8 -> t_Slice u8 -> Type0;
+  f_error_serialize:v_ETA: usize -> x0: v_Self -> x1: t_Slice u8
+    -> Prims.Pure (t_Slice u8)
+        (f_error_serialize_pre v_ETA x0 x1)
+        (fun result -> f_error_serialize_post v_ETA x0 x1 result);
   f_error_deserialize_pre:v_ETA: usize -> t_Slice u8 -> Type0;
   f_error_deserialize_post:v_ETA: usize -> t_Slice u8 -> v_Self -> Type0;
   f_error_deserialize:v_ETA: usize -> x0: t_Slice u8
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst
index 1707b9546..eee5c0b42 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst
@@ -9,17 +9,17 @@ let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
 
 let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
 
-let impl_4__as_raw (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value
+let impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value
 
 let impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) =
   { f_value = value } <: t_MLDSASignature v_SIZE
 
-let impl__as_raw (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value
+let impl__as_ref (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value
 
 let impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) =
   { f_value = value } <: t_MLDSASigningKey v_SIZE
 
-let impl_2__as_raw (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self.f_value
+let impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self.f_value
 
 let impl_2__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) =
   { f_value = value } <: t_MLDSAVerificationKey v_SIZE
@@ -34,7 +34,37 @@ let t_VerificationError_cast_to_repr (x: t_VerificationError) =
   | VerificationError_MalformedHintError  -> isz 0
   | VerificationError_SignerResponseExceedsBoundError  -> isz 1
   | VerificationError_CommitmentHashesDontMatchError  -> isz 3
-  | VerificationError_ContextTooLongError  -> isz 6
+  | VerificationError_VerificationContextTooLongError  -> isz 6
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE)
+
+let impl_1 (v_SIZE: usize) = impl_1' v_SIZE
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_3': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE)
+
+let impl_3 (v_SIZE: usize) = impl_3' v_SIZE
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_5': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASignature v_SIZE)
+
+let impl_5 (v_SIZE: usize) = impl_5' v_SIZE
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_6': Core.Fmt.t_Debug t_VerificationError
+
+let impl_6 = impl_6'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_7': Core.Fmt.t_Debug t_SigningError
+
+let impl_7 = impl_7'
 
 let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value <: t_Slice u8
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
index e01708ed2..ee4a22f89 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
@@ -18,7 +18,7 @@ val impl_4__len: v_SIZE: usize -> Prims.unit
 type t_MLDSASignature (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
 /// A reference to the raw byte array.
-val impl_4__as_raw (v_SIZE: usize) (self: t_MLDSASignature v_SIZE)
+val impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE)
     : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
 
 /// Build
@@ -29,7 +29,7 @@ val impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE)
 type t_MLDSASigningKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
 /// A reference to the raw byte array.
-val impl__as_raw (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE)
+val impl__as_ref (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE)
     : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
 
 /// Build
@@ -40,7 +40,7 @@ val impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE)
 type t_MLDSAVerificationKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
 /// A reference to the raw byte array.
-val impl_2__as_raw (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE)
+val impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE)
     : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
 
 /// Build
@@ -64,11 +64,26 @@ type t_VerificationError =
   | VerificationError_MalformedHintError : t_VerificationError
   | VerificationError_SignerResponseExceedsBoundError : t_VerificationError
   | VerificationError_CommitmentHashesDontMatchError : t_VerificationError
-  | VerificationError_ContextTooLongError : t_VerificationError
+  | VerificationError_VerificationContextTooLongError : t_VerificationError
 
 val t_VerificationError_cast_to_repr (x: t_VerificationError)
     : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_3 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_5 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASignature v_SIZE)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_6:Core.Fmt.t_Debug t_VerificationError
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_7:Core.Fmt.t_Debug t_SigningError
+
 /// A reference to the raw byte slice.
 val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE)
     : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Makefile b/libcrux-ml-dsa/proofs/fstar/extraction/Makefile
index 4f7a001a8..f88297130 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Makefile
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Makefile
@@ -1,3 +1,7 @@
 SLOW_MODULES += 
 ADMIT_MODULES =
+FSTAR_INCLUDE_DIRS_EXTRA += $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec \
+	      $(shell git rev-parse --show-toplevel)/libcrux-ml-kem/proofs/fstar/spec \
+	      $(shell git rev-parse --show-toplevel)/libcrux-intrinsics/proofs/fstar/extraction
+
 include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs
index ff91f65a7..f0fde7f73 100644
--- a/libcrux-ml-dsa/src/arithmetic.rs
+++ b/libcrux-ml-dsa/src/arithmetic.rs
@@ -1,5 +1,5 @@
 use crate::{
-    constants::COEFFICIENTS_IN_RING_ELEMENT, polynomial::PolynomialRingElement,
+    constants::COEFFICIENTS_IN_RING_ELEMENT, helper::cloop, polynomial::PolynomialRingElement,
     simd::traits::Operations,
 };
 
@@ -13,8 +13,10 @@ pub(crate) fn vector_infinity_norm_exceeds<SIMDUnit: Operations, const DIMENSION
     // TODO: We can break out of this loop early if need be, but the most
     // straightforward way to do so (returning false) will not go through hax;
     // revisit if performance is impacted.
-    for ring_element in vector.iter() {
-        exceeds = exceeds || ring_element.infinity_norm_exceeds(bound);
+    cloop! {
+        for ring_element in vector.iter() {
+            exceeds = exceeds || ring_element.infinity_norm_exceeds(bound);
+        }
     }
 
     exceeds
@@ -26,8 +28,10 @@ pub(crate) fn shift_left_then_reduce<SIMDUnit: Operations, const SHIFT_BY: i32>(
 ) -> PolynomialRingElement<SIMDUnit> {
     let mut out = PolynomialRingElement::ZERO();
 
-    for (i, simd_unit) in re.simd_units.iter().enumerate() {
-        out.simd_units[i] = SIMDUnit::shift_left_then_reduce::<SHIFT_BY>(*simd_unit);
+    cloop! {
+        for (i, simd_unit) in re.simd_units.iter().enumerate() {
+            out.simd_units[i] = SIMDUnit::shift_left_then_reduce::<SHIFT_BY>(*simd_unit);
+        }
     }
 
     out
@@ -43,12 +47,16 @@ pub(crate) fn power2round_vector<SIMDUnit: Operations, const DIMENSION: usize>(
     let mut t0 = [PolynomialRingElement::<SIMDUnit>::ZERO(); DIMENSION];
     let mut t1 = [PolynomialRingElement::<SIMDUnit>::ZERO(); DIMENSION];
 
-    for (i, ring_element) in t.iter().enumerate() {
-        for (j, simd_unit) in ring_element.simd_units.iter().enumerate() {
-            let (t0_unit, t1_unit) = SIMDUnit::power2round(*simd_unit);
+    cloop! {
+        for (i, ring_element) in t.iter().enumerate() {
+            cloop!{
+                for (j, simd_unit) in ring_element.simd_units.iter().enumerate() {
+                    let (t0_unit, t1_unit) = SIMDUnit::power2round(*simd_unit);
 
-            t0[i].simd_units[j] = t0_unit;
-            t1[i].simd_units[j] = t1_unit;
+                    t0[i].simd_units[j] = t0_unit;
+                    t1[i].simd_units[j] = t1_unit;
+                }
+            }
         }
     }
 
diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs
index f5a12e789..c5c5580ea 100644
--- a/libcrux-ml-dsa/src/encoding/commitment.rs
+++ b/libcrux-ml-dsa/src/encoding/commitment.rs
@@ -1,46 +1,18 @@
-use crate::{polynomial::PolynomialRingElement, simd::traits::Operations};
+use crate::{helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations};
 
 #[inline(always)]
-fn serialize<SIMDUnit: Operations, const OUTPUT_SIZE: usize>(
-    re: PolynomialRingElement<SIMDUnit>,
-) -> [u8; OUTPUT_SIZE] {
-    let mut serialized = [0u8; OUTPUT_SIZE];
-
-    match OUTPUT_SIZE as u8 {
-        128 => {
-            // The commitment has coefficients in [0,15] => each coefficient occupies
-            // 4 bits. Each SIMD unit contains 8 elements, which means each
-            // SIMD unit will serialize to (8 * 4) / 8 = 4 bytes.
-            const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 4;
-
-            for (i, simd_unit) in re.simd_units.iter().enumerate() {
-                serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
-                    .copy_from_slice(
-                        &SIMDUnit::commitment_serialize::<OUTPUT_BYTES_PER_SIMD_UNIT>(*simd_unit),
-                    );
-            }
-
-            serialized
+fn serialize<SIMDUnit: Operations>(re: PolynomialRingElement<SIMDUnit>, serialized: &mut [u8]) {
+    let output_bytes_per_simd_unit = serialized.len() / (8 * 4);
+
+    cloop! {
+        for (i, simd_unit) in re.simd_units.iter().enumerate() {
+            SIMDUnit::commitment_serialize(
+                *simd_unit,
+                &mut serialized[i * output_bytes_per_simd_unit..(i + 1) * output_bytes_per_simd_unit],
+            );
         }
-
-        192 => {
-            // The commitment has coefficients in [0,15] => each coefficient occupies
-            // 6 bits. Each SIMD unit contains 8 elements, which means each
-            // SIMD unit will serialize to (8 * 6) / 8 = 6 bytes.
-            const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 6;
-
-            for (i, simd_unit) in re.simd_units.iter().enumerate() {
-                serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
-                    .copy_from_slice(
-                        &SIMDUnit::commitment_serialize::<OUTPUT_BYTES_PER_SIMD_UNIT>(*simd_unit),
-                    );
-            }
-
-            serialized
-        }
-
-        _ => unreachable!(),
     }
+    ()
 }
 
 #[inline(always)]
@@ -55,10 +27,11 @@ pub(crate) fn serialize_vector<
     let mut serialized = [0u8; OUTPUT_SIZE];
     let mut offset: usize = 0;
 
-    for ring_element in vector.iter() {
-        serialized[offset..offset + RING_ELEMENT_SIZE]
-            .copy_from_slice(&serialize::<SIMDUnit, RING_ELEMENT_SIZE>(*ring_element));
-        offset += RING_ELEMENT_SIZE;
+    cloop! {
+        for ring_element in vector.iter() {
+            serialize::<SIMDUnit>(*ring_element, &mut serialized[offset..offset + RING_ELEMENT_SIZE]);
+            offset += RING_ELEMENT_SIZE;
+        }
     }
 
     serialized
@@ -105,7 +78,9 @@ mod tests {
             149,
         ];
 
-        assert_eq!(serialize::<SIMDUnit, 192>(re), serialized);
+        let mut result = [0u8; 192];
+        serialize::<SIMDUnit>(re, &mut result);
+        assert_eq!(result, serialized);
 
         // Test serialization when LOW_ORDER_ROUNDING_RANGE = 261,888
         let coefficients = [
@@ -132,7 +107,9 @@ mod tests {
             64, 117, 190, 98, 179, 38, 80, 88, 89, 9, 34, 243, 128, 219, 98, 11,
         ];
 
-        assert_eq!(serialize::<SIMDUnit, 128>(re), serialized);
+        let mut result = [0u8; 128];
+        serialize::<SIMDUnit>(re, &mut result);
+        assert_eq!(result, serialized);
     }
 
     #[cfg(not(feature = "simd256"))]
diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs
index 80080945c..93a6cd665 100644
--- a/libcrux-ml-dsa/src/encoding/error.rs
+++ b/libcrux-ml-dsa/src/encoding/error.rs
@@ -1,60 +1,35 @@
 // Functions for serializing and deserializing an error ring element.
 
-use crate::{ntt::ntt, polynomial::PolynomialRingElement, simd::traits::Operations};
+use crate::{helper::cloop, ntt::ntt, polynomial::PolynomialRingElement, simd::traits::Operations};
 
 #[inline(always)]
 pub(crate) fn serialize<SIMDUnit: Operations, const ETA: usize, const OUTPUT_SIZE: usize>(
     re: PolynomialRingElement<SIMDUnit>,
-) -> [u8; OUTPUT_SIZE] {
-    let mut serialized = [0u8; OUTPUT_SIZE];
-
-    match ETA as u8 {
-        2 => {
-            const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 3;
-
-            for (i, simd_unit) in re.simd_units.iter().enumerate() {
-                serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
-                    .copy_from_slice(&SIMDUnit::error_serialize::<OUTPUT_BYTES_PER_SIMD_UNIT>(
-                        *simd_unit,
-                    ));
-            }
-
-            serialized
+    serialized: &mut [u8], //OUTPUT_SIZE
+) {
+    let output_bytes_per_simd_unit = if ETA == 2 { 3 } else { 4 };
+    cloop! {
+        for (i, simd_unit) in re.simd_units.iter().enumerate() {
+            SIMDUnit::error_serialize::<ETA>(
+                    *simd_unit,&mut serialized[i * output_bytes_per_simd_unit..(i + 1) * output_bytes_per_simd_unit]
+                );
         }
-        4 => {
-            const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 4;
-
-            for (i, simd_unit) in re.simd_units.iter().enumerate() {
-                serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
-                    .copy_from_slice(&SIMDUnit::error_serialize::<OUTPUT_BYTES_PER_SIMD_UNIT>(
-                        *simd_unit,
-                    ));
-            }
-
-            serialized
-        }
-        _ => unreachable!(),
     }
+    ()
 }
 
 #[inline(always)]
 fn deserialize<SIMDUnit: Operations, const ETA: usize>(
     serialized: &[u8],
-) -> PolynomialRingElement<SIMDUnit> {
-    let mut serialized_chunks = match ETA as u8 {
-        2 => serialized.chunks(3),
-        4 => serialized.chunks(4),
-        _ => unreachable!(),
-    };
-
-    let mut result = PolynomialRingElement::ZERO();
+    result: &mut PolynomialRingElement<SIMDUnit>,
+) {
+    let chunk_size = if ETA == 2 { 3 } else { 4 };
 
     for i in 0..result.simd_units.len() {
         result.simd_units[i] =
-            SIMDUnit::error_deserialize::<ETA>(&serialized_chunks.next().unwrap());
+            SIMDUnit::error_deserialize::<ETA>(&serialized[i * chunk_size..(i + 1) * chunk_size]);
     }
-
-    result
+    ()
 }
 
 #[inline(always)]
@@ -68,8 +43,11 @@ pub(crate) fn deserialize_to_vector_then_ntt<
 ) -> [PolynomialRingElement<SIMDUnit>; DIMENSION] {
     let mut ring_elements = [PolynomialRingElement::<SIMDUnit>::ZERO(); DIMENSION];
 
-    for (i, bytes) in serialized.chunks(RING_ELEMENT_SIZE).enumerate() {
-        ring_elements[i] = ntt(deserialize::<SIMDUnit, ETA>(bytes));
+    cloop! {
+        for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_SIZE).enumerate() {
+            deserialize::<SIMDUnit, ETA>(bytes, &mut ring_elements[i]);
+            ring_elements[i] = ntt(ring_elements[i]);
+        }
     }
 
     ring_elements
@@ -104,10 +82,9 @@ mod tests {
             0, 2, -1,
         ];
 
-        assert_eq!(
-            deserialize::<SIMDUnit, 2>(&serialized).to_i32_array(),
-            expected_coefficients
-        );
+        let mut deserialized = PolynomialRingElement::<SIMDUnit>::ZERO();
+        deserialize::<SIMDUnit, 2>(&serialized, &mut deserialized);
+        assert_eq!(deserialized.to_i32_array(), expected_coefficients);
 
         let serialized = [
             22, 103, 55, 49, 34, 65, 50, 129, 52, 65, 21, 85, 82, 69, 3, 55, 52, 101, 80, 64, 114,
@@ -133,10 +110,9 @@ mod tests {
             1, 3,
         ];
 
-        assert_eq!(
-            deserialize::<SIMDUnit, 4>(&serialized).to_i32_array(),
-            expected_coefficients
-        );
+        let mut deserialized = PolynomialRingElement::<SIMDUnit>::ZERO();
+        deserialize::<SIMDUnit, 4>(&serialized, &mut deserialized);
+        assert_eq!(deserialized.to_i32_array(), expected_coefficients);
     }
 
     #[cfg(not(feature = "simd256"))]
diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs
index 09e93f725..1849b9ff7 100644
--- a/libcrux-ml-dsa/src/encoding/gamma1.rs
+++ b/libcrux-ml-dsa/src/encoding/gamma1.rs
@@ -1,62 +1,32 @@
-use crate::{polynomial::PolynomialRingElement, simd::traits::Operations};
+use crate::{helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations};
 
 #[inline(always)]
-pub(crate) fn serialize<
-    SIMDUnit: Operations,
-    const GAMMA1_EXPONENT: usize,
-    const OUTPUT_BYTES: usize,
->(
+pub(crate) fn serialize<SIMDUnit: Operations, const GAMMA1_EXPONENT: usize>(
     re: PolynomialRingElement<SIMDUnit>,
-) -> [u8; OUTPUT_BYTES] {
-    let mut serialized = [0u8; OUTPUT_BYTES];
-
-    match GAMMA1_EXPONENT as u8 {
-        17 => {
-            const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 18;
-
-            for (i, simd_unit) in re.simd_units.iter().enumerate() {
-                serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
-                    .copy_from_slice(&SIMDUnit::gamma1_serialize::<OUTPUT_BYTES_PER_SIMD_UNIT>(
-                        *simd_unit,
-                    ));
-            }
-
-            serialized
-        }
-        19 => {
-            const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 20;
-
-            for (i, simd_unit) in re.simd_units.iter().enumerate() {
-                serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
-                    .copy_from_slice(&SIMDUnit::gamma1_serialize::<OUTPUT_BYTES_PER_SIMD_UNIT>(
-                        *simd_unit,
-                    ));
-            }
-
-            serialized
+    serialized: &mut [u8], // OUTPUT_BYTES
+) {
+    cloop! {
+        for (i, simd_unit) in re.simd_units.iter().enumerate() {
+            SIMDUnit::gamma1_serialize::<GAMMA1_EXPONENT>(
+                *simd_unit,
+                &mut serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)],
+            );
         }
-        _ => unreachable!(),
     }
+    ()
 }
 
 #[inline(always)]
 pub(crate) fn deserialize<SIMDUnit: Operations, const GAMMA1_EXPONENT: usize>(
     serialized: &[u8],
-) -> PolynomialRingElement<SIMDUnit> {
-    let mut serialized_chunks = match GAMMA1_EXPONENT as u8 {
-        17 => serialized.chunks(18),
-        19 => serialized.chunks(20),
-        _ => unreachable!(),
-    };
-
-    let mut result = PolynomialRingElement::<SIMDUnit>::ZERO();
-
+    result: &mut PolynomialRingElement<SIMDUnit>,
+) {
     for i in 0..result.simd_units.len() {
-        result.simd_units[i] =
-            SIMDUnit::gamma1_deserialize::<GAMMA1_EXPONENT>(&serialized_chunks.next().unwrap());
+        result.simd_units[i] = SIMDUnit::gamma1_deserialize::<GAMMA1_EXPONENT>(
+            &serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)],
+        );
     }
-
-    result
+    ()
 }
 
 #[cfg(test)]
@@ -134,7 +104,9 @@ mod tests {
             117, 5, 185, 26, 141, 188, 106, 44, 164, 240, 119,
         ];
 
-        assert_eq!(serialize::<SIMDUnit, 19, 640>(re), expected_bytes);
+        let mut result = [0u8; 640];
+        serialize::<SIMDUnit, 19>(re, &mut result);
+        assert_eq!(result, expected_bytes);
     }
 
     fn test_deserialize_generic<SIMDUnit: Operations>() {
@@ -199,10 +171,9 @@ mod tests {
             -69944, -100373, 94602,
         ];
 
-        assert_eq!(
-            deserialize::<SIMDUnit, 17>(&bytes).to_i32_array(),
-            expected_coefficients
-        );
+        let mut result = PolynomialRingElement::<SIMDUnit>::ZERO();
+        deserialize::<SIMDUnit, 17>(&bytes, &mut result);
+        assert_eq!(result.to_i32_array(), expected_coefficients);
 
         let bytes: [u8; 640] = [
             253, 11, 216, 60, 251, 71, 79, 187, 242, 250, 209, 44, 72, 206, 98, 3, 22, 91, 184, 22,
@@ -270,10 +241,9 @@ mod tests {
             -138892, -414002, 42982,
         ];
 
-        assert_eq!(
-            deserialize::<SIMDUnit, 19>(&bytes).to_i32_array(),
-            expected_coefficients
-        );
+        let mut result = PolynomialRingElement::<SIMDUnit>::ZERO();
+        deserialize::<SIMDUnit, 19>(&bytes, &mut result);
+        assert_eq!(result.to_i32_array(), expected_coefficients);
     }
 
     #[cfg(not(feature = "simd256"))]
diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs
index 763b9abca..6fc115d02 100644
--- a/libcrux-ml-dsa/src/encoding/signature.rs
+++ b/libcrux-ml-dsa/src/encoding/signature.rs
@@ -41,10 +41,9 @@ impl<
         offset += COMMITMENT_HASH_SIZE;
 
         for i in 0..COLUMNS_IN_A {
-            signature[offset..offset + GAMMA1_RING_ELEMENT_SIZE].copy_from_slice(
-                &encoding::gamma1::serialize::<SIMDUnit, GAMMA1_EXPONENT, GAMMA1_RING_ELEMENT_SIZE>(
-                    self.signer_response[i],
-                ),
+            encoding::gamma1::serialize::<SIMDUnit, GAMMA1_EXPONENT>(
+                self.signer_response[i],
+                &mut signature[offset..offset + GAMMA1_RING_ELEMENT_SIZE],
             );
             offset += GAMMA1_RING_ELEMENT_SIZE;
         }
@@ -87,9 +86,10 @@ impl<
         let mut signer_response = [PolynomialRingElement::<SIMDUnit>::ZERO(); COLUMNS_IN_A];
 
         for i in 0..COLUMNS_IN_A {
-            signer_response[i] = encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(
                 &signer_response_serialized
                     [i * GAMMA1_RING_ELEMENT_SIZE..(i + 1) * GAMMA1_RING_ELEMENT_SIZE],
+                &mut signer_response[i],
             );
         }
 
@@ -141,13 +141,13 @@ impl<
         }
 
         if malformed_hint {
-            Err(VerificationError::MalformedHintError)
-        } else {
-            Ok(Signature {
-                commitment_hash: commitment_hash.try_into().unwrap(),
-                signer_response,
-                hint,
-            })
+            return Err(VerificationError::MalformedHintError);
         }
+
+        Ok(Signature {
+            commitment_hash: commitment_hash.try_into().unwrap(),
+            signer_response,
+            hint,
+        })
     }
 }
diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs
index 0d6537325..fe7209e01 100644
--- a/libcrux-ml-dsa/src/encoding/signing_key.rs
+++ b/libcrux-ml-dsa/src/encoding/signing_key.rs
@@ -5,6 +5,7 @@ use crate::{
     },
     encoding,
     hash_functions::shake256,
+    helper::cloop,
     polynomial::PolynomialRingElement,
     simd::traits::Operations,
 };
@@ -13,7 +14,7 @@ use crate::{
 #[inline(always)]
 pub(crate) fn generate_serialized<
     SIMDUnit: Operations,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
     const ETA: usize,
@@ -46,24 +47,34 @@ pub(crate) fn generate_serialized<
         .copy_from_slice(&verification_key_hash);
     offset += BYTES_FOR_VERIFICATION_KEY_HASH;
 
-    for ring_element in s1.iter() {
-        signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE].copy_from_slice(
-            &encoding::error::serialize::<SIMDUnit, ETA, ERROR_RING_ELEMENT_SIZE>(*ring_element),
-        );
-        offset += ERROR_RING_ELEMENT_SIZE;
+    cloop! {
+        for ring_element in s1.iter() {
+            encoding::error::serialize::<SIMDUnit, ETA, ERROR_RING_ELEMENT_SIZE>(
+                *ring_element,
+                &mut signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE],
+            );
+            offset += ERROR_RING_ELEMENT_SIZE;
+        }
     }
 
-    for ring_element in s2.iter() {
-        signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE].copy_from_slice(
-            &encoding::error::serialize::<SIMDUnit, ETA, ERROR_RING_ELEMENT_SIZE>(*ring_element),
-        );
-        offset += ERROR_RING_ELEMENT_SIZE;
+    cloop! {
+        for ring_element in s2.iter() {
+            encoding::error::serialize::<SIMDUnit, ETA, ERROR_RING_ELEMENT_SIZE>(
+                *ring_element,
+                &mut signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE],
+            );
+            offset += ERROR_RING_ELEMENT_SIZE;
+        }
     }
 
-    for ring_element in t0.iter() {
-        signing_key_serialized[offset..offset + RING_ELEMENT_OF_T0S_SIZE]
-            .copy_from_slice(&encoding::t0::serialize::<SIMDUnit>(*ring_element));
-        offset += RING_ELEMENT_OF_T0S_SIZE;
+    cloop! {
+        for ring_element in t0.iter() {
+            encoding::t0::serialize::<SIMDUnit>(
+                *ring_element,
+                &mut signing_key_serialized[offset..offset + RING_ELEMENT_OF_T0S_SIZE],
+            );
+            offset += RING_ELEMENT_OF_T0S_SIZE;
+        }
     }
 
     signing_key_serialized
@@ -112,6 +123,7 @@ pub(crate) fn deserialize_then_ntt<
         ERROR_RING_ELEMENT_SIZE,
     >(s2_serialized);
 
+    // XXX: write *_as_ntt directly into the output above
     let t0_as_ntt =
         encoding::t0::deserialize_to_vector_then_ntt::<SIMDUnit, ROWS_IN_A>(t0_serialized);
 
diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs
index 07943c2b3..a44cffe34 100644
--- a/libcrux-ml-dsa/src/encoding/t0.rs
+++ b/libcrux-ml-dsa/src/encoding/t0.rs
@@ -3,37 +3,38 @@
 // ---------------------------------------------------------------------------
 
 use crate::{
-    constants::RING_ELEMENT_OF_T0S_SIZE, ntt::ntt, polynomial::PolynomialRingElement,
-    simd::traits::Operations,
+    constants::RING_ELEMENT_OF_T0S_SIZE, helper::cloop, ntt::ntt,
+    polynomial::PolynomialRingElement, simd::traits::Operations,
 };
 
+const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 13;
+
 #[inline(always)]
 pub(crate) fn serialize<SIMDUnit: Operations>(
     re: PolynomialRingElement<SIMDUnit>,
-) -> [u8; RING_ELEMENT_OF_T0S_SIZE] {
-    let mut serialized = [0u8; RING_ELEMENT_OF_T0S_SIZE];
-
-    const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 13;
-
-    for (i, simd_unit) in re.simd_units.iter().enumerate() {
-        serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
-            .copy_from_slice(&SIMDUnit::t0_serialize(*simd_unit));
+    serialized: &mut [u8], // RING_ELEMENT_OF_T0S_SIZE
+) {
+    cloop! {
+        for (i, simd_unit) in re.simd_units.iter().enumerate() {
+            // XXX: make t0_deserialize take &mut serialized?
+            serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
+                .copy_from_slice(&SIMDUnit::t0_serialize(*simd_unit));
+        }
     }
-
-    serialized
+    ()
 }
 
 #[inline(always)]
-fn deserialize<SIMDUnit: Operations>(serialized: &[u8]) -> PolynomialRingElement<SIMDUnit> {
-    let mut serialized_chunks = serialized.chunks(13);
-
-    let mut result = PolynomialRingElement::ZERO();
-
+fn deserialize<SIMDUnit: Operations>(
+    serialized: &[u8],
+    result: &mut PolynomialRingElement<SIMDUnit>,
+) {
     for i in 0..result.simd_units.len() {
-        result.simd_units[i] = SIMDUnit::t0_deserialize(&serialized_chunks.next().unwrap());
+        result.simd_units[i] = SIMDUnit::t0_deserialize(
+            &serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT],
+        );
     }
-
-    result
+    ()
 }
 
 #[inline(always)]
@@ -42,8 +43,11 @@ pub(crate) fn deserialize_to_vector_then_ntt<SIMDUnit: Operations, const DIMENSI
 ) -> [PolynomialRingElement<SIMDUnit>; DIMENSION] {
     let mut ring_elements = [PolynomialRingElement::<SIMDUnit>::ZERO(); DIMENSION];
 
-    for (i, bytes) in serialized.chunks(RING_ELEMENT_OF_T0S_SIZE).enumerate() {
-        ring_elements[i] = ntt(deserialize::<SIMDUnit>(bytes));
+    cloop! {
+        for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_OF_T0S_SIZE).enumerate() {
+            deserialize::<SIMDUnit>(bytes, &mut ring_elements[i]);
+            ring_elements[i] = ntt(ring_elements[i]);
+        }
     }
 
     ring_elements
@@ -104,7 +108,9 @@ mod tests {
             114, 203, 81, 128, 188, 172, 90, 39, 25, 122, 156, 12, 71, 57, 204, 234, 227,
         ];
 
-        assert_eq!(serialize::<SIMDUnit>(re), expected_bytes);
+        let mut result = [0u8; RING_ELEMENT_OF_T0S_SIZE];
+        serialize::<SIMDUnit>(re, &mut result);
+        assert_eq!(result, expected_bytes);
     }
     fn test_deserialize_generic<SIMDUnit: Operations>() {
         let serialized = [
@@ -154,10 +160,9 @@ mod tests {
             2487, -1527, 2834, -3089, 1724, 3858, -2130, 3301, -1565,
         ];
 
-        assert_eq!(
-            deserialize::<SIMDUnit>(&serialized).to_i32_array(),
-            expected_coefficients
-        );
+        let mut deserialized = PolynomialRingElement::<SIMDUnit>::ZERO();
+        deserialize::<SIMDUnit>(&serialized, &mut deserialized);
+        assert_eq!(deserialized.to_i32_array(), expected_coefficients);
     }
 
     #[cfg(not(feature = "simd256"))]
diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs
index 0bbe3ea4f..037e3e794 100644
--- a/libcrux-ml-dsa/src/encoding/t1.rs
+++ b/libcrux-ml-dsa/src/encoding/t1.rs
@@ -1,5 +1,5 @@
 use crate::{
-    constants::RING_ELEMENT_OF_T1S_SIZE, polynomial::PolynomialRingElement,
+    constants::RING_ELEMENT_OF_T1S_SIZE, helper::cloop, polynomial::PolynomialRingElement,
     simd::traits::Operations,
 };
 
@@ -13,9 +13,11 @@ pub(crate) fn serialize<SIMDUnit: Operations>(
 
     const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 10;
 
-    for (i, simd_unit) in re.simd_units.iter().enumerate() {
-        serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
-            .copy_from_slice(&SIMDUnit::t1_serialize(*simd_unit));
+    cloop! {
+        for (i, simd_unit) in re.simd_units.iter().enumerate() {
+            serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]
+                .copy_from_slice(&SIMDUnit::t1_serialize(*simd_unit));
+        }
     }
 
     serialized
@@ -23,16 +25,13 @@ pub(crate) fn serialize<SIMDUnit: Operations>(
 
 pub(crate) fn deserialize<SIMDUnit: Operations>(
     serialized: &[u8],
-) -> PolynomialRingElement<SIMDUnit> {
-    let mut serialized_chunks = serialized.chunks(10);
-
-    let mut result = PolynomialRingElement::ZERO();
-
+    result: &mut PolynomialRingElement<SIMDUnit>,
+) {
+    const WINDOW: usize = 10;
     for i in 0..result.simd_units.len() {
-        result.simd_units[i] = SIMDUnit::t1_deserialize(&serialized_chunks.next().unwrap());
+        result.simd_units[i] = SIMDUnit::t1_deserialize(&serialized[i * WINDOW..(i + 1) * WINDOW]);
     }
-
-    result
+    ()
 }
 
 #[cfg(test)]
@@ -124,10 +123,9 @@ mod tests {
             226, 479, 381, 932, 464, 451, 915, 206, 410, 402, 900,
         ];
 
-        assert_eq!(
-            deserialize::<SIMDUnit>(&serialized).to_i32_array(),
-            expected_coefficients
-        );
+        let mut deserialized = PolynomialRingElement::<SIMDUnit>::ZERO();
+        deserialize::<SIMDUnit>(&serialized, &mut deserialized);
+        assert_eq!(deserialized.to_i32_array(), expected_coefficients);
     }
 
     #[cfg(not(feature = "simd256"))]
diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs
index c278c518b..82fe68a53 100644
--- a/libcrux-ml-dsa/src/encoding/verification_key.rs
+++ b/libcrux-ml-dsa/src/encoding/verification_key.rs
@@ -1,6 +1,7 @@
 use crate::{
     constants::{RING_ELEMENT_OF_T1S_SIZE, SEED_FOR_A_SIZE},
     encoding::t1,
+    helper::cloop,
     polynomial::PolynomialRingElement,
     simd::traits::Operations,
 };
@@ -18,10 +19,12 @@ pub(crate) fn generate_serialized<
     let mut verification_key_serialized = [0u8; VERIFICATION_KEY_SIZE];
     verification_key_serialized[0..SEED_FOR_A_SIZE].copy_from_slice(seed_for_A);
 
-    for (i, ring_element) in t1.iter().enumerate() {
-        let offset = SEED_FOR_A_SIZE + (i * RING_ELEMENT_OF_T1S_SIZE);
-        verification_key_serialized[offset..offset + RING_ELEMENT_OF_T1S_SIZE]
-            .copy_from_slice(&t1::serialize::<SIMDUnit>(*ring_element));
+    cloop! {
+        for (i, ring_element) in t1.iter().enumerate() {
+            let offset = SEED_FOR_A_SIZE + (i * RING_ELEMENT_OF_T1S_SIZE);
+            verification_key_serialized[offset..offset + RING_ELEMENT_OF_T1S_SIZE]
+                .copy_from_slice(&t1::serialize::<SIMDUnit>(*ring_element));
+        }
     }
 
     verification_key_serialized
@@ -43,8 +46,9 @@ pub(crate) fn deserialize<
     let (seed_for_A, serialized_remaining) = serialized.split_at(SEED_FOR_A_SIZE);
 
     for i in 0..ROWS_IN_A {
-        t1[i] = t1::deserialize::<SIMDUnit>(
+        t1::deserialize::<SIMDUnit>(
             &serialized_remaining[i * RING_ELEMENT_OF_T1S_SIZE..(i + 1) * RING_ELEMENT_OF_T1S_SIZE],
+            &mut t1[i],
         );
     }
 
diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs
index eff5d6aeb..1100fb11b 100644
--- a/libcrux-ml-dsa/src/hash_functions.rs
+++ b/libcrux-ml-dsa/src/hash_functions.rs
@@ -4,9 +4,12 @@
 pub(crate) mod shake256 {
     pub(crate) const BLOCK_SIZE: usize = 136;
 
-    pub(crate) trait Xof {
+    /// An ML-DSA specific Xof trait
+    /// This trait is not actually a full Xof implementation but opererates only
+    /// on multiple of blocks. The only real Xof API for SHAKE256 is [`Xof`].
+    pub(crate) trait DsaXof {
         fn shake256<const OUTPUT_LENGTH: usize>(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]);
-        fn init_absorb(input: &[u8]) -> Self;
+        fn init_absorb_final(input: &[u8]) -> Self;
         // TODO: There should only be a `squeeze_block`
         fn squeeze_first_block(&mut self) -> [u8; BLOCK_SIZE];
         fn squeeze_next_block(&mut self) -> [u8; BLOCK_SIZE];
@@ -41,6 +44,21 @@ pub(crate) mod shake256 {
             out3: &mut [u8; OUT_LEN],
         );
     }
+
+    /// A generic Xof trait
+    pub(crate) trait Xof {
+        /// Initialize the state
+        fn init() -> Self;
+
+        /// Absorb
+        fn absorb(&mut self, input: &[u8]);
+
+        /// Absorb final input
+        fn absorb_final(&mut self, input: &[u8]);
+
+        /// Squeeze output bytes
+        fn squeeze(&mut self, out: &mut [u8]);
+    }
 }
 
 /// Abstraction and platform multiplexing for SHAKE 128
@@ -77,13 +95,15 @@ pub(crate) mod shake128 {
 /// A portable implementation of [`shake128::Xof`] and [`shake256::Xof`].
 pub(crate) mod portable {
     use super::{shake128, shake256};
-    use libcrux_sha3::portable::incremental;
-    use libcrux_sha3::portable::KeccakState;
+    use libcrux_sha3::portable::{
+        incremental::{self, Xof},
+        KeccakState,
+    };
 
     /// Portable SHAKE 128 x4 state.
     ///
     /// We're using a portable implementation so this is actually sequential.
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Shake128X4 {
         state0: KeccakState,
         state1: KeccakState,
@@ -179,7 +199,7 @@ pub(crate) mod portable {
     }
 
     /// Portable SHAKE 128 state
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Shake128 {}
 
     #[inline(always)]
@@ -195,7 +215,7 @@ pub(crate) mod portable {
     }
 
     /// Portable SHAKE 256 state
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Shake256 {
         state: KeccakState,
     }
@@ -206,7 +226,7 @@ pub(crate) mod portable {
     }
 
     #[inline(always)]
-    fn init_absorb_shake256(input: &[u8]) -> Shake256 {
+    fn init_absorb_final_shake256(input: &[u8]) -> Shake256 {
         let mut state = incremental::shake256_init();
         incremental::shake256_absorb_final(&mut state, input);
         Shake256 { state }
@@ -226,15 +246,15 @@ pub(crate) mod portable {
         out
     }
 
-    impl shake256::Xof for Shake256 {
+    impl shake256::DsaXof for Shake256 {
         #[inline(always)]
         fn shake256<const OUTPUT_LENGTH: usize>(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
             shake256(input, out);
         }
 
         #[inline(always)]
-        fn init_absorb(input: &[u8]) -> Self {
-            init_absorb_shake256(input)
+        fn init_absorb_final(input: &[u8]) -> Self {
+            init_absorb_final_shake256(input)
         }
 
         #[inline(always)]
@@ -251,7 +271,7 @@ pub(crate) mod portable {
     /// Portable SHAKE 256 x4 state.
     ///
     /// We're using a portable implementation so this is actually sequential.
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Shake256X4 {
         state0: libcrux_sha3::portable::KeccakState,
         state1: libcrux_sha3::portable::KeccakState,
@@ -371,40 +391,29 @@ pub(crate) mod portable {
         }
     }
 
-    #[cfg_attr(hax, hax_lib::opaque_type)]
-    pub(crate) struct Shake256Absorb {
-        state: libcrux_sha3::portable::incremental::Shake256Absorb,
+    #[cfg_attr(hax, hax_lib::opaque)]
+    pub(crate) struct Shake256Xof {
+        state: incremental::Shake256Xof,
     }
 
-    #[cfg_attr(hax, hax_lib::opaque_type)]
-    pub(crate) struct Shake256Squeeze {
-        state: libcrux_sha3::portable::incremental::Shake256Squeeze,
-    }
-
-    use libcrux_sha3::portable::incremental::{XofAbsorb, XofSqueeze};
-
-    #[inline(always)]
-    pub(crate) fn shake256_init() -> Shake256Absorb {
-        Shake256Absorb {
-            state: libcrux_sha3::portable::incremental::Shake256Absorb::new(),
+    impl shake256::Xof for Shake256Xof {
+        fn init() -> Self {
+            Shake256Xof {
+                state: incremental::Shake256Xof::new(),
+            }
         }
-    }
 
-    #[inline(always)]
-    pub(crate) fn shake256_absorb(st: &mut Shake256Absorb, input: &[u8]) {
-        st.state.absorb(input)
-    }
+        fn absorb(&mut self, input: &[u8]) {
+            self.state.absorb(input);
+        }
 
-    #[inline(always)]
-    pub(crate) fn shake256_absorb_final(st: Shake256Absorb, input: &[u8]) -> Shake256Squeeze {
-        Shake256Squeeze {
-            state: st.state.absorb_final(input),
+        fn absorb_final(&mut self, input: &[u8]) {
+            self.state.absorb_final(input);
         }
-    }
 
-    #[inline(always)]
-    pub(crate) fn shake256_squeeze(st: &mut Shake256Squeeze, out: &mut [u8]) {
-        st.state.squeeze(out)
+        fn squeeze(&mut self, out: &mut [u8]) {
+            self.state.squeeze(out)
+        }
     }
 }
 
@@ -419,7 +428,7 @@ pub(crate) mod simd256 {
     ///
     /// This only implements the XofX4 API. For the single Xof, the portable
     /// version is used.
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Shake128x4 {
         state: libcrux_sha3::avx2::x4::incremental::KeccakState,
     }
@@ -505,7 +514,7 @@ pub(crate) mod simd256 {
     }
 
     /// AVX2 SHAKE 256 state
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Shake256 {
         state: libcrux_sha3::portable::KeccakState,
     }
@@ -516,7 +525,7 @@ pub(crate) mod simd256 {
     }
 
     #[inline(always)]
-    fn init_absorb_shake256(input: &[u8]) -> Shake256 {
+    fn init_absorb_final_shake256(input: &[u8]) -> Shake256 {
         let mut state = libcrux_sha3::portable::incremental::shake256_init();
         libcrux_sha3::portable::incremental::shake256_absorb_final(&mut state, input);
 
@@ -543,15 +552,15 @@ pub(crate) mod simd256 {
         out
     }
 
-    impl shake256::Xof for Shake256 {
+    impl shake256::DsaXof for Shake256 {
         #[inline(always)]
         fn shake256<const OUTPUT_LENGTH: usize>(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
             shake256(input, out)
         }
 
         #[inline(always)]
-        fn init_absorb(input: &[u8]) -> Self {
-            init_absorb_shake256(input)
+        fn init_absorb_final(input: &[u8]) -> Self {
+            init_absorb_final_shake256(input)
         }
 
         #[inline(always)]
@@ -566,7 +575,7 @@ pub(crate) mod simd256 {
     }
 
     /// AVX2 SHAKE 256 x4 state.
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Shake256x4 {
         state: libcrux_sha3::avx2::x4::incremental::KeccakState,
     }
@@ -692,10 +701,10 @@ pub(crate) mod neon {
 
     use super::{shake128, shake256};
     use libcrux_sha3::neon::x2;
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) type KeccakState = x2::incremental::KeccakState;
 
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Shake128x4 {
         state: [KeccakState; 2],
     }
@@ -766,7 +775,7 @@ pub(crate) mod neon {
     }
 
     /// Neon SHAKE 256 x4 state
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Shake256x4 {
         state: [KeccakState; 2],
     }
diff --git a/libcrux-ml-dsa/src/helper.rs b/libcrux-ml-dsa/src/helper.rs
index 1dbb5dd22..3ac46df57 100644
--- a/libcrux-ml-dsa/src/helper.rs
+++ b/libcrux-ml-dsa/src/helper.rs
@@ -15,12 +15,24 @@ macro_rules! cloop {
             $body
         }
     };
+    (for $chunk:ident in $values:ident.chunks_exact($($chunk_size:expr),*) $body:block) => {
+        for _cloop_i in 0..$values.len() / ($($chunk_size)*) {
+            let $chunk = &$values[_cloop_i*($($chunk_size)*) .. _cloop_i*($($chunk_size)*)+($($chunk_size)*)];
+            $body
+        }
+    };
     (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => {
         for $i in 0..$val.len() {
             let $item = &$val[$i];
             $body
         }
     };
+    (for $item:ident in $val:ident.iter() $body:block) => {
+        for _cloop_j in 0..$val.len() {
+            let $item = &$val[_cloop_j];
+            $body
+        }
+    };
     (for ($i:ident, $item:ident) in $self:ident.$val:ident.iter().enumerate() $body:block) => {
         for $i in 0..$self.$val.len() {
             let $item = &$self.$val[$i];
@@ -33,6 +45,18 @@ macro_rules! cloop {
             $body
         }
     };
+    (for ($i:ident, $item:ident) in $val:ident.$values:ident.into_iter().enumerate() $body:block) => {
+        for $i in 0..$val.$values.len() {
+            let $item = $val.$values[$i];
+            $body
+        }
+    };
+    (for $item:ident in $val:ident.$values:ident.into_iter() $body:block) => {
+        for _cloop_k in 0..$val.$values.len() {
+            let $item = $val.$values[_cloop_k];
+            $body
+        }
+    };
     (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => {
         for $i in $start..$end / $step {
             let $i = $i * $step;
@@ -49,15 +73,27 @@ macro_rules! cloop {
     (for ($i:ident, $chunk:ident) in $val:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => {
         for ($i, $chunk) in $val.chunks_exact($($chunk_size),*).enumerate() $body
     };
+    (for $chunk:ident in $values:ident.chunks_exact($($chunk_size:expr),*) $body:block) => {
+        for $chunk in $values.chunks_exact($($chunk_size),*) $body
+    };
     (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => {
         for ($i, $item) in $val.iter().enumerate() $body
     };
+    (for $item:ident in $val:ident.iter() $body:block) => {
+        for $item in $val.iter() $body
+    };
     (for ($i:ident, $item:ident) in $self:ident.$val:ident.iter().enumerate() $body:block) => {
         for ($i, $item) in $self.$val.iter().enumerate() $body
     };
     (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => {
         for ($i, $item) in $val.into_iter().enumerate() $body
     };
+    (for ($i:ident, $item:ident) in $val:ident.$values:ident.into_iter().enumerate() $body:block) => {
+        for ($i, $item) in $val.$values.into_iter().enumerate() $body
+    };
+    (for $item:ident in $val:ident.$values:ident.into_iter() $body:block) => {
+        for $item in $val.$values.into_iter() $body
+    };
     (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => {
         for $i in ($start..$end).step_by($step) $body
     };
diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs
index 47b9a5b26..fdab00401 100644
--- a/libcrux-ml-dsa/src/matrix.rs
+++ b/libcrux-ml-dsa/src/matrix.rs
@@ -1,6 +1,7 @@
 use crate::{
     arithmetic::shift_left_then_reduce,
     constants::BITS_IN_LOWER_PART_OF_T,
+    helper::cloop,
     ntt::{invert_ntt_montgomery, ntt, ntt_multiply_montgomery},
     polynomial::PolynomialRingElement,
     simd::traits::Operations,
@@ -21,14 +22,18 @@ pub(crate) fn compute_As1_plus_s2<
     let mut result = [PolynomialRingElement::<SIMDUnit>::ZERO(); ROWS_IN_A];
     let s1_ntt = s1.map(|s| ntt::<SIMDUnit>(s));
 
-    for (i, row) in A_as_ntt.iter().enumerate() {
-        for (j, ring_element) in row.iter().enumerate() {
-            let product = ntt_multiply_montgomery::<SIMDUnit>(ring_element, &s1_ntt[j]);
-            result[i] = PolynomialRingElement::add(&result[i], &product);
+    cloop! {
+        for (i, row) in A_as_ntt.iter().enumerate() {
+            cloop!{
+                for (j, ring_element) in row.iter().enumerate() {
+                    let product = ntt_multiply_montgomery::<SIMDUnit>(ring_element, &s1_ntt[j]);
+                    result[i] = PolynomialRingElement::add(&result[i], &product);
+                }
+            }
+
+            result[i] = invert_ntt_montgomery::<SIMDUnit>(result[i]);
+            result[i] = PolynomialRingElement::add(&result[i], &s2[i]);
         }
-
-        result[i] = invert_ntt_montgomery::<SIMDUnit>(result[i]);
-        result[i] = PolynomialRingElement::add(&result[i], &s2[i]);
     }
 
     result
@@ -46,14 +51,19 @@ pub(crate) fn compute_A_times_mask<
     mask: &[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A],
 ) -> [PolynomialRingElement<SIMDUnit>; ROWS_IN_A] {
     let mut result = [PolynomialRingElement::<SIMDUnit>::ZERO(); ROWS_IN_A];
-
-    for (i, row) in A_as_ntt.iter().enumerate() {
-        for (j, ring_element) in row.iter().enumerate() {
-            let product = ntt_multiply_montgomery(&ring_element, &ntt(mask[j]));
-            result[i] = PolynomialRingElement::<SIMDUnit>::add(&result[i], &product);
+    let mask_ntt = mask.map(|s| ntt::<SIMDUnit>(s));
+
+    cloop! {
+        for (i, row) in A_as_ntt.iter().enumerate() {
+            cloop! {
+                for (j, ring_element) in row.iter().enumerate() {
+                    let product = ntt_multiply_montgomery(&ring_element, &mask_ntt[j]);
+                    result[i] = PolynomialRingElement::<SIMDUnit>::add(&result[i], &product);
+                }
+            }
+
+            result[i] = invert_ntt_montgomery(result[i]);
         }
-
-        result[i] = invert_ntt_montgomery(result[i]);
     }
 
     result
@@ -67,9 +77,11 @@ pub(crate) fn vector_times_ring_element<SIMDUnit: Operations, const DIMENSION: u
 ) -> [PolynomialRingElement<SIMDUnit>; DIMENSION] {
     let mut result = [PolynomialRingElement::<SIMDUnit>::ZERO(); DIMENSION];
 
-    for (i, vector_ring_element) in vector.iter().enumerate() {
-        result[i] =
-            invert_ntt_montgomery(ntt_multiply_montgomery(vector_ring_element, ring_element));
+    cloop! {
+        for (i, vector_ring_element) in vector.iter().enumerate() {
+            result[i] =
+                invert_ntt_montgomery(ntt_multiply_montgomery(vector_ring_element, ring_element));
+        }
     }
 
     result
@@ -114,27 +126,37 @@ pub(crate) fn compute_w_approx<
     const COLUMNS_IN_A: usize,
 >(
     A_as_ntt: &[[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A],
-    signer_response: [PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A],
+    mut signer_response: [PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A],
     verifier_challenge_as_ntt: PolynomialRingElement<SIMDUnit>,
     t1: [PolynomialRingElement<SIMDUnit>; ROWS_IN_A],
 ) -> [PolynomialRingElement<SIMDUnit>; ROWS_IN_A] {
     let mut result = [PolynomialRingElement::<SIMDUnit>::ZERO(); ROWS_IN_A];
 
-    for (i, row) in A_as_ntt.iter().enumerate() {
-        for (j, ring_element) in row.iter().enumerate() {
-            let product = ntt_multiply_montgomery(&ring_element, &ntt(signer_response[j]));
+    // Move signer response into NTT
+    for i in 0..signer_response.len() {
+        signer_response[i] = ntt(signer_response[i]);
+    }
 
-            result[i] = PolynomialRingElement::<SIMDUnit>::add(&result[i], &product);
+    cloop! {
+        for (i, row) in A_as_ntt.iter().enumerate() {
+            cloop! {
+                for (j, ring_element) in row.iter().enumerate() {
+                    let product = ntt_multiply_montgomery(&ring_element, &signer_response[j]);
+
+                    result[i] = PolynomialRingElement::<SIMDUnit>::add(&result[i], &product);
+                }
+            }
+
+            let t1_shifted =
+                shift_left_then_reduce::<SIMDUnit, { BITS_IN_LOWER_PART_OF_T as i32 }>(t1[i]);
+            let t1_shifted = ntt(t1_shifted);
+            let challenge_times_t1_shifted =
+                ntt_multiply_montgomery(&verifier_challenge_as_ntt, &t1_shifted);
+            result[i] = invert_ntt_montgomery(PolynomialRingElement::<SIMDUnit>::subtract(
+                &result[i],
+                &challenge_times_t1_shifted,
+            ));
         }
-
-        let t1_shifted =
-            shift_left_then_reduce::<SIMDUnit, { BITS_IN_LOWER_PART_OF_T as i32 }>(t1[i]);
-        let challenge_times_t1_shifted =
-            ntt_multiply_montgomery(&verifier_challenge_as_ntt, &ntt(t1_shifted));
-        result[i] = invert_ntt_montgomery(PolynomialRingElement::<SIMDUnit>::subtract(
-            &result[i],
-            &challenge_times_t1_shifted,
-        ));
     }
 
     result
diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs
index c39df87a9..a5bde6d4a 100644
--- a/libcrux-ml-dsa/src/ml_dsa_generic.rs
+++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs
@@ -4,10 +4,7 @@ use crate::{
     },
     constants::*,
     encoding::{self, signature::Signature},
-    hash_functions::{
-        portable::{shake256_absorb, shake256_absorb_final, shake256_init, shake256_squeeze},
-        shake128, shake256,
-    },
+    hash_functions::{shake128, shake256},
     matrix::{
         add_vectors, compute_A_times_mask, compute_As1_plus_s2, compute_w_approx, subtract_vectors,
         vector_times_ring_element,
@@ -15,7 +12,7 @@ use crate::{
     ntt::ntt,
     pre_hash::{DomainSeparationContext, PreHash},
     sample::{sample_challenge_ring_element, sample_mask_vector},
-    samplex4,
+    samplex4::{self, X4Sampler},
     simd::traits::Operations,
     types::{SigningError, VerificationError},
     utils::into_padded_array,
@@ -31,8 +28,10 @@ pub(crate) mod multiplexing;
 #[inline(always)]
 pub(crate) fn generate_key_pair<
     SIMDUnit: Operations,
+    Sampler: X4Sampler,
     Shake128X4: shake128::XofX4,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
+    Shake256Xof: shake256::Xof,
     Shake256X4: shake256::XofX4,
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
@@ -45,17 +44,19 @@ pub(crate) fn generate_key_pair<
 ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) {
     // 128 = SEED_FOR_A_SIZE + SEED_FOR_ERROR_VECTORS_SIZE + SEED_FOR_SIGNING_SIZE
     let mut seed_expanded = [0; 128];
-    let mut shake = shake256_init();
-    shake256_absorb(&mut shake, &randomness);
-    let mut shake = shake256_absorb_final(shake, &[ROWS_IN_A as u8, COLUMNS_IN_A as u8]);
-    shake256_squeeze(&mut shake, &mut seed_expanded);
+    {
+        let mut shake = Shake256Xof::init();
+        shake.absorb(&randomness);
+        shake.absorb_final(&[ROWS_IN_A as u8, COLUMNS_IN_A as u8]);
+        shake.squeeze(&mut seed_expanded);
+    }
 
     let (seed_for_a, seed_expanded) = seed_expanded.split_at(SEED_FOR_A_SIZE);
     let (seed_for_error_vectors, seed_for_signing) =
         seed_expanded.split_at(SEED_FOR_ERROR_VECTORS_SIZE);
 
     let a_as_ntt =
-        samplex4::matrix_A::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(into_padded_array(seed_for_a));
+        Sampler::matrix_A::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(into_padded_array(seed_for_a));
 
     let (s1, s2) = samplex4::sample_s1_and_s2::<SIMDUnit, Shake256X4, ETA, COLUMNS_IN_A, ROWS_IN_A>(
         into_padded_array(seed_for_error_vectors),
@@ -95,8 +96,11 @@ pub(crate) fn generate_key_pair<
 #[inline(always)]
 pub(crate) fn sign_pre_hashed<
     SIMDUnit: Operations,
+    Sampler: X4Sampler,
+    Shake128: shake128::Xof,
     Shake128X4: shake128::XofX4,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
+    Shake256Xof: shake256::Xof,
     Shake256X4: shake256::XofX4,
     PH: PreHash<PH_DIGEST_LEN>,
     const PH_DIGEST_LEN: usize,
@@ -123,11 +127,17 @@ pub(crate) fn sign_pre_hashed<
     if context.len() > CONTEXT_MAX_LEN {
         return Err(SigningError::ContextTooLongError);
     }
-    let pre_hashed_message = PH::hash(message);
+    let pre_hashed_message = PH::hash::<Shake128>(message);
+    let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) {
+        Ok(dsc) => dsc,
+        Err(_) => return Err(SigningError::ContextTooLongError),
+    };
     sign_internal::<
         SIMDUnit,
+        Sampler,
         Shake128X4,
         Shake256,
+        Shake256Xof,
         Shake256X4,
         ROWS_IN_A,
         COLUMNS_IN_A,
@@ -146,7 +156,7 @@ pub(crate) fn sign_pre_hashed<
     >(
         &signing_key,
         &pre_hashed_message,
-        Some(DomainSeparationContext::new(context, Some(&PH::oid()))?),
+        Some(domain_separation_context),
         randomness,
     )
 }
@@ -155,8 +165,10 @@ pub(crate) fn sign_pre_hashed<
 #[inline(always)]
 pub(crate) fn sign<
     SIMDUnit: Operations,
+    Sampler: X4Sampler,
     Shake128X4: shake128::XofX4,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
+    Shake256Xof: shake256::Xof,
     Shake256X4: shake256::XofX4,
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
@@ -178,11 +190,16 @@ pub(crate) fn sign<
     context: &[u8],
     randomness: [u8; SIGNING_RANDOMNESS_SIZE],
 ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
-    // TODO: Support implicit into() in ? so that this match becomes unnecessary
+    let domain_separation_context = match DomainSeparationContext::new(context, None) {
+        Ok(dsc) => dsc,
+        Err(_) => return Err(SigningError::ContextTooLongError),
+    };
     sign_internal::<
         SIMDUnit,
+        Sampler,
         Shake128X4,
         Shake256,
+        Shake256Xof,
         Shake256X4,
         ROWS_IN_A,
         COLUMNS_IN_A,
@@ -201,7 +218,7 @@ pub(crate) fn sign<
     >(
         &signing_key,
         message,
-        Some(DomainSeparationContext::new(context, None)?),
+        Some(domain_separation_context),
         randomness,
     )
 }
@@ -214,8 +231,10 @@ pub(crate) fn sign<
 #[inline(always)]
 pub(crate) fn sign_internal<
     SIMDUnit: Operations,
+    Sampler: X4Sampler,
     Shake128X4: shake128::XofX4,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
+    Shake256Xof: shake256::Xof,
     Shake256X4: shake256::XofX4,
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
@@ -248,10 +267,10 @@ pub(crate) fn sign_internal<
         >(signing_key);
 
     let A_as_ntt =
-        samplex4::matrix_A::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(into_padded_array(&seed_for_A));
+        Sampler::matrix_A::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(into_padded_array(&seed_for_A));
 
     let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE];
-    derive_message_representative(
+    derive_message_representative::<Shake256Xof>(
         verification_key_hash,
         domain_separation_context,
         message,
@@ -260,12 +279,12 @@ pub(crate) fn sign_internal<
 
     let mut mask_seed = [0; MASK_SEED_SIZE];
     {
-        let mut shake = shake256_init();
-        shake256_absorb(&mut shake, &seed_for_signing);
-        shake256_absorb(&mut shake, &randomness);
-        let mut shake = shake256_absorb_final(shake, &message_representative);
+        let mut shake = Shake256Xof::init();
+        shake.absorb(&seed_for_signing);
+        shake.absorb(&randomness);
+        shake.absorb_final(&message_representative);
 
-        shake256_squeeze(&mut shake, &mut mask_seed);
+        shake.squeeze(&mut mask_seed);
     }
 
     let mut domain_separator_for_mask: u16 = 0;
@@ -306,11 +325,11 @@ pub(crate) fn sign_internal<
                 COMMITMENT_VECTOR_SIZE,
             >(commitment);
 
-            let mut shake = shake256_init();
-            shake256_absorb(&mut shake, &message_representative);
-            let mut shake = shake256_absorb_final(shake, &commitment_serialized);
+            let mut shake = Shake256Xof::init();
+            shake.absorb(&message_representative);
+            shake.absorb_final(&commitment_serialized);
 
-            shake256_squeeze(&mut shake, &mut commitment_hash_candidate);
+            shake.squeeze(&mut commitment_hash_candidate);
         }
 
         let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::<
@@ -339,17 +358,23 @@ pub(crate) fn sign_internal<
             signer_response_candidate,
             (1 << GAMMA1_EXPONENT) - BETA,
         ) {
+            // XXX: https://github.com/hacspec/hax/issues/1171
+            // continue;
         } else {
             if vector_infinity_norm_exceeds::<SIMDUnit, ROWS_IN_A>(
                 w0_minus_challenge_times_s2,
                 GAMMA2 - BETA,
             ) {
+                // XXX: https://github.com/hacspec/hax/issues/1171
+                // continue;
             } else {
                 let challenge_times_t0 = vector_times_ring_element::<SIMDUnit, ROWS_IN_A>(
                     &t0_as_ntt,
                     &verifier_challenge_as_ntt,
                 );
                 if vector_infinity_norm_exceeds::<SIMDUnit, ROWS_IN_A>(challenge_times_t0, GAMMA2) {
+                    // XXX: https://github.com/hacspec/hax/issues/1171
+                    // continue;
                 } else {
                     let w0_minus_c_times_s2_plus_c_times_t0 = add_vectors::<SIMDUnit, ROWS_IN_A>(
                         &w0_minus_challenge_times_s2,
@@ -361,6 +386,8 @@ pub(crate) fn sign_internal<
                     );
 
                     if ones_in_hint > MAX_ONES_IN_HINT {
+                        // XXX: https://github.com/hacspec/hax/issues/1171
+                        // continue;
                     } else {
                         attempt = REJECTION_SAMPLE_BOUND_SIGN; // exit loop now
                         commitment_hash = Some(commitment_hash_candidate);
@@ -373,19 +400,19 @@ pub(crate) fn sign_internal<
     }
 
     let commitment_hash = match commitment_hash {
-        Some(commitment_hash) => Ok(commitment_hash),
-        None => Err(SigningError::RejectionSamplingError),
-    }?;
+        Some(commitment_hash) => commitment_hash,
+        None => return Err(SigningError::RejectionSamplingError),
+    };
 
     let signer_response = match signer_response {
-        Some(signer_response) => Ok(signer_response),
-        None => Err(SigningError::RejectionSamplingError),
-    }?;
+        Some(signer_response) => signer_response,
+        None => return Err(SigningError::RejectionSamplingError),
+    };
 
     let hint = match hint {
-        Some(hint) => Ok(hint),
-        None => Err(SigningError::RejectionSamplingError),
-    }?;
+        Some(hint) => hint,
+        None => return Err(SigningError::RejectionSamplingError),
+    };
 
     let signature = Signature::<SIMDUnit, COMMITMENT_HASH_SIZE, COLUMNS_IN_A, ROWS_IN_A> {
         commitment_hash,
@@ -418,31 +445,25 @@ pub(crate) fn sign_internal<
 /// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA
 /// variant.
 #[inline(always)]
-fn derive_message_representative(
+fn derive_message_representative<Shake256Xof: shake256::Xof>(
     verification_key_hash: [u8; 64],
     domain_separation_context: Option<DomainSeparationContext>,
     message: &[u8],
     message_representative: &mut [u8; 64],
 ) {
-    let mut shake = shake256_init();
-    shake256_absorb(&mut shake, &verification_key_hash);
+    let mut shake = Shake256Xof::init();
+    shake.absorb(&verification_key_hash);
     if let Some(domain_separation_context) = domain_separation_context {
-        shake256_absorb(
-            &mut shake,
-            &[domain_separation_context.pre_hash_oid().is_some() as u8],
-        );
-        shake256_absorb(
-            &mut shake,
-            &[domain_separation_context.context().len() as u8],
-        );
-        shake256_absorb(&mut shake, domain_separation_context.context());
+        shake.absorb(&[domain_separation_context.pre_hash_oid().is_some() as u8]);
+        shake.absorb(&[domain_separation_context.context().len() as u8]);
+        shake.absorb(domain_separation_context.context());
         if let Some(pre_hash_oid) = domain_separation_context.pre_hash_oid() {
-            shake256_absorb(&mut shake, pre_hash_oid)
+            shake.absorb(pre_hash_oid)
         }
     }
 
-    let mut shake = shake256_absorb_final(shake, message);
-    shake256_squeeze(&mut shake, message_representative);
+    shake.absorb_final(message);
+    shake.squeeze(message_representative);
 }
 
 /// The internal verification API.
@@ -453,8 +474,10 @@ fn derive_message_representative(
 #[inline(always)]
 pub(crate) fn verify_internal<
     SIMDUnit: Operations,
+    Sampler: X4Sampler,
     Shake128X4: shake128::XofX4,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
+    Shake256Xof: shake256::Xof,
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
     const SIGNATURE_SIZE: usize,
@@ -480,81 +503,86 @@ pub(crate) fn verify_internal<
         );
 
     let signature =
-        Signature::<SIMDUnit, COMMITMENT_HASH_SIZE, COLUMNS_IN_A, ROWS_IN_A>::deserialize::<
+        match Signature::<SIMDUnit, COMMITMENT_HASH_SIZE, COLUMNS_IN_A, ROWS_IN_A>::deserialize::<
             GAMMA1_EXPONENT,
             GAMMA1_RING_ELEMENT_SIZE,
             MAX_ONES_IN_HINT,
             SIGNATURE_SIZE,
-        >(signature_serialized)?;
+        >(signature_serialized)
+        {
+            Ok(s) => s,
+            Err(e) => return Err(e),
+        };
 
     // We use if-else branches because early returns will not go through hax.
-    if !vector_infinity_norm_exceeds::<SIMDUnit, COLUMNS_IN_A>(
+    if vector_infinity_norm_exceeds::<SIMDUnit, COLUMNS_IN_A>(
         signature.signer_response,
         (2 << GAMMA1_EXPONENT) - BETA,
     ) {
-        let A_as_ntt =
-            samplex4::matrix_A::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(into_padded_array(&seed_for_A));
+        return Err(VerificationError::SignerResponseExceedsBoundError);
+    }
+    let A_as_ntt =
+        Sampler::matrix_A::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(into_padded_array(&seed_for_A));
 
-        let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH];
-        Shake256::shake256::<BYTES_FOR_VERIFICATION_KEY_HASH>(
-            verification_key_serialized,
-            &mut verification_key_hash,
-        );
-        let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE];
-        derive_message_representative(
-            verification_key_hash,
-            domain_separation_context,
-            message,
-            &mut message_representative,
-        );
+    let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH];
+    Shake256::shake256::<BYTES_FOR_VERIFICATION_KEY_HASH>(
+        verification_key_serialized,
+        &mut verification_key_hash,
+    );
+    let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE];
+    derive_message_representative::<Shake256Xof>(
+        verification_key_hash,
+        domain_separation_context,
+        message,
+        &mut message_representative,
+    );
 
-        let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::<
-            SIMDUnit,
-            Shake256,
-            ONES_IN_VERIFIER_CHALLENGE,
-            COMMITMENT_HASH_SIZE,
-        >(signature.commitment_hash));
+    let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::<
+        SIMDUnit,
+        Shake256,
+        ONES_IN_VERIFIER_CHALLENGE,
+        COMMITMENT_HASH_SIZE,
+    >(signature.commitment_hash));
 
-        let w_approx = compute_w_approx::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(
-            &A_as_ntt,
-            signature.signer_response,
-            verifier_challenge_as_ntt,
-            t1,
-        );
+    let w_approx = compute_w_approx::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(
+        &A_as_ntt,
+        signature.signer_response,
+        verifier_challenge_as_ntt,
+        t1,
+    );
 
-        let mut commitment_hash = [0; COMMITMENT_HASH_SIZE];
-        {
-            let commitment = use_hint::<SIMDUnit, ROWS_IN_A, GAMMA2>(signature.hint, w_approx);
-            let commitment_serialized = encoding::commitment::serialize_vector::<
-                SIMDUnit,
-                ROWS_IN_A,
-                COMMITMENT_RING_ELEMENT_SIZE,
-                COMMITMENT_VECTOR_SIZE,
-            >(commitment);
+    let mut commitment_hash = [0; COMMITMENT_HASH_SIZE];
+    {
+        let commitment = use_hint::<SIMDUnit, ROWS_IN_A, GAMMA2>(signature.hint, w_approx);
+        let commitment_serialized = encoding::commitment::serialize_vector::<
+            SIMDUnit,
+            ROWS_IN_A,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+        >(commitment);
 
-            let mut shake = shake256_init();
-            shake256_absorb(&mut shake, &message_representative);
-            let mut shake = shake256_absorb_final(shake, &commitment_serialized);
+        let mut shake = Shake256Xof::init();
+        shake.absorb(&message_representative);
+        shake.absorb_final(&commitment_serialized);
 
-            shake256_squeeze(&mut shake, &mut commitment_hash);
-        }
+        shake.squeeze(&mut commitment_hash);
+    }
 
-        if signature.commitment_hash != commitment_hash {
-            Err(VerificationError::CommitmentHashesDontMatchError)
-        } else {
-            Ok(())
-        }
-    } else {
-        Err(VerificationError::SignerResponseExceedsBoundError)
+    if signature.commitment_hash == commitment_hash {
+        return Ok(());
     }
+
+    return Err(VerificationError::CommitmentHashesDontMatchError);
 }
 
 #[allow(non_snake_case)]
 #[inline(always)]
 pub(crate) fn verify<
     SIMDUnit: Operations,
+    Sampler: X4Sampler,
     Shake128X4: shake128::XofX4,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
+    Shake256Xof: shake256::Xof,
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
     const SIGNATURE_SIZE: usize,
@@ -574,11 +602,17 @@ pub(crate) fn verify<
     context: &[u8],
     signature_serialized: &[u8; SIGNATURE_SIZE],
 ) -> Result<(), VerificationError> {
-    // TODO: Support implicit into() in ? so that this match becomes unnecessary
+    // We manually do the matching here to make Eurydice happy.
+    let domain_separation_context = match DomainSeparationContext::new(context, None) {
+        Ok(dsc) => dsc,
+        Err(_) => return Err(VerificationError::VerificationContextTooLongError),
+    };
     verify_internal::<
         SIMDUnit,
+        Sampler,
         Shake128X4,
         Shake256,
+        Shake256Xof,
         ROWS_IN_A,
         COLUMNS_IN_A,
         SIGNATURE_SIZE,
@@ -595,7 +629,7 @@ pub(crate) fn verify<
     >(
         &verification_key_serialized,
         message,
-        Some(DomainSeparationContext::new(context, None)?),
+        Some(domain_separation_context),
         &signature_serialized,
     )
 }
@@ -604,8 +638,11 @@ pub(crate) fn verify<
 #[inline(always)]
 pub(crate) fn verify_pre_hashed<
     SIMDUnit: Operations,
+    Sampler: X4Sampler,
+    Shake128: shake128::Xof,
     Shake128X4: shake128::XofX4,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
+    Shake256Xof: shake256::Xof,
     PH: PreHash<PH_DIGEST_LEN>,
     const PH_DIGEST_LEN: usize,
     const ROWS_IN_A: usize,
@@ -627,12 +664,18 @@ pub(crate) fn verify_pre_hashed<
     context: &[u8],
     signature_serialized: &[u8; SIGNATURE_SIZE],
 ) -> Result<(), VerificationError> {
-    let pre_hashed_message = PH::hash(message);
+    let pre_hashed_message = PH::hash::<Shake128>(message);
+    let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) {
+        Ok(dsc) => dsc,
+        Err(_) => return Err(VerificationError::VerificationContextTooLongError),
+    };
 
     verify_internal::<
         SIMDUnit,
+        Sampler,
         Shake128X4,
         Shake256,
+        Shake256Xof,
         ROWS_IN_A,
         COLUMNS_IN_A,
         SIGNATURE_SIZE,
@@ -649,7 +692,7 @@ pub(crate) fn verify_pre_hashed<
     >(
         &verification_key_serialized,
         &pre_hashed_message,
-        Some(DomainSeparationContext::new(context, Some(&PH::oid()))?),
+        Some(domain_separation_context),
         &signature_serialized,
     )
 }
diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs
index 15936617b..a3f240793 100644
--- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs
+++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs
@@ -1,5 +1,5 @@
 macro_rules! instantiate {
-    ($modp:ident, $simdunit:path, $shake128x4:path, $shake256:path, $shake256x4:path) => {
+    ($modp:ident, $simdunit:path, $shake128:path, $shake128x4:path, $shake256:path, $shake256xof:path, $shake256x4:path, $sampler:path) => {
         pub mod $modp {
             use crate::{
                 constants::*,
@@ -21,8 +21,10 @@ macro_rules! instantiate {
             ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) {
                 crate::ml_dsa_generic::generate_key_pair::<
                     $simdunit,
+                    $sampler,
                     $shake128x4,
                     $shake256,
+                    $shake256xof,
                     $shake256x4,
                     ROWS_IN_A,
                     COLUMNS_IN_A,
@@ -57,8 +59,10 @@ macro_rules! instantiate {
             ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
                 crate::ml_dsa_generic::sign::<
                     $simdunit,
+                    $sampler,
                     $shake128x4,
                     $shake256,
+                    $shake256xof,
                     $shake256x4,
                     ROWS_IN_A,
                     COLUMNS_IN_A,
@@ -101,8 +105,10 @@ macro_rules! instantiate {
             ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
                 crate::ml_dsa_generic::sign_internal::<
                     $simdunit,
+                    $sampler,
                     $shake128x4,
                     $shake256,
+                    $shake256xof,
                     $shake256x4,
                     ROWS_IN_A,
                     COLUMNS_IN_A,
@@ -145,8 +151,11 @@ macro_rules! instantiate {
             ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
                 crate::ml_dsa_generic::sign_pre_hashed::<
                     $simdunit,
+                    $sampler,
+                    $shake128,
                     $shake128x4,
                     $shake256,
+                    $shake256xof,
                     $shake256x4,
                     SHAKE128_PH,
                     256,
@@ -190,8 +199,10 @@ macro_rules! instantiate {
             ) -> Result<(), VerificationError> {
                 crate::ml_dsa_generic::verify::<
                     $simdunit,
+                    $sampler,
                     $shake128x4,
                     $shake256,
+                    $shake256xof,
                     ROWS_IN_A,
                     COLUMNS_IN_A,
                     SIGNATURE_SIZE,
@@ -231,8 +242,10 @@ macro_rules! instantiate {
             ) -> Result<(), VerificationError> {
                 crate::ml_dsa_generic::verify_internal::<
                     $simdunit,
+                    $sampler,
                     $shake128x4,
                     $shake256,
+                    $shake256xof,
                     ROWS_IN_A,
                     COLUMNS_IN_A,
                     SIGNATURE_SIZE,
@@ -272,8 +285,11 @@ macro_rules! instantiate {
             ) -> Result<(), VerificationError> {
                 crate::ml_dsa_generic::verify_pre_hashed::<
                     $simdunit,
+                    $sampler,
+                    $shake128,
                     $shake128x4,
                     $shake256,
+                    $shake256xof,
                     SHAKE128_PH,
                     256,
                     ROWS_IN_A,
@@ -298,9 +314,12 @@ macro_rules! instantiate {
 // Portable generic implementations.
 instantiate! {portable,
     crate::simd::portable::PortableSIMDUnit,
+    crate::hash_functions::portable::Shake128,
     crate::hash_functions::portable::Shake128X4,
     crate::hash_functions::portable::Shake256,
-    crate::hash_functions::portable::Shake256X4
+    crate::hash_functions::portable::Shake256Xof,
+    crate::hash_functions::portable::Shake256X4,
+    crate::samplex4::portable::PortableSampler
 }
 
 // AVX2 generic implementation.
@@ -311,7 +330,10 @@ pub mod avx2;
 #[cfg(feature = "simd128")]
 instantiate! {neon,
     crate::simd::portable::PortableSIMDUnit,
+    crate::hash_functions::portable::Shake128,
     crate::hash_functions::neon::Shake128x4,
     crate::hash_functions::portable::Shake256,
-    crate::hash_functions::neon::Shake256x4
+    crate::hash_functions::portable::Shake256Xof,
+    crate::hash_functions::neon::Shake256x4,
+    crate::samplex4::neon::NeonSampler
 }
diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
index 6f3a754a2..2c8c599ba 100644
--- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
+++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
@@ -23,8 +23,12 @@ mod avx2_feature {
     ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) {
         crate::ml_dsa_generic::generate_key_pair::<
             crate::simd::avx2::AVX2SIMDUnit,
+            crate::samplex4::avx2::AVX2Sampler,
             crate::hash_functions::simd256::Shake128x4,
             crate::hash_functions::simd256::Shake256,
+            // We use the portable version here.
+            // It doesn' make sense to do these in parallel.
+            crate::hash_functions::portable::Shake256Xof,
             crate::hash_functions::simd256::Shake256x4,
             ROWS_IN_A,
             COLUMNS_IN_A,
@@ -61,8 +65,12 @@ mod avx2_feature {
     ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
         crate::ml_dsa_generic::sign::<
             crate::simd::avx2::AVX2SIMDUnit,
+            crate::samplex4::avx2::AVX2Sampler,
             crate::hash_functions::simd256::Shake128x4,
             crate::hash_functions::simd256::Shake256,
+            // We use the portable version here.
+            // It doesn' make sense to do these in parallel.
+            crate::hash_functions::portable::Shake256Xof,
             crate::hash_functions::simd256::Shake256x4,
             ROWS_IN_A,
             COLUMNS_IN_A,
@@ -107,8 +115,12 @@ mod avx2_feature {
     ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
         crate::ml_dsa_generic::sign_internal::<
             crate::simd::avx2::AVX2SIMDUnit,
+            crate::samplex4::avx2::AVX2Sampler,
             crate::hash_functions::simd256::Shake128x4,
             crate::hash_functions::simd256::Shake256,
+            // We use the portable version here.
+            // It doesn' make sense to do these in parallel.
+            crate::hash_functions::portable::Shake256Xof,
             crate::hash_functions::simd256::Shake256x4,
             ROWS_IN_A,
             COLUMNS_IN_A,
@@ -153,8 +165,15 @@ mod avx2_feature {
     ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
         crate::ml_dsa_generic::sign_pre_hashed::<
             crate::simd::avx2::AVX2SIMDUnit,
+            crate::samplex4::avx2::AVX2Sampler,
+            // We use the portable version here.
+            // It doesn' make sense to do these in parallel.
+            crate::hash_functions::portable::Shake128,
             crate::hash_functions::simd256::Shake128x4,
             crate::hash_functions::simd256::Shake256,
+            // We use the portable version here.
+            // It doesn' make sense to do these in parallel.
+            crate::hash_functions::portable::Shake256Xof,
             crate::hash_functions::simd256::Shake256x4,
             SHAKE128_PH,
             256,
@@ -200,8 +219,12 @@ mod avx2_feature {
     ) -> Result<(), VerificationError> {
         crate::ml_dsa_generic::verify::<
             crate::simd::avx2::AVX2SIMDUnit,
+            crate::samplex4::avx2::AVX2Sampler,
             crate::hash_functions::simd256::Shake128x4,
             crate::hash_functions::simd256::Shake256,
+            // We use the portable version here.
+            // It doesn' make sense to do these in parallel.
+            crate::hash_functions::portable::Shake256Xof,
             ROWS_IN_A,
             COLUMNS_IN_A,
             SIGNATURE_SIZE,
@@ -243,8 +266,12 @@ mod avx2_feature {
     ) -> Result<(), VerificationError> {
         crate::ml_dsa_generic::verify_internal::<
             crate::simd::avx2::AVX2SIMDUnit,
+            crate::samplex4::avx2::AVX2Sampler,
             crate::hash_functions::simd256::Shake128x4,
             crate::hash_functions::simd256::Shake256,
+            // We use the portable version here.
+            // It doesn' make sense to do these in parallel.
+            crate::hash_functions::portable::Shake256Xof,
             ROWS_IN_A,
             COLUMNS_IN_A,
             SIGNATURE_SIZE,
@@ -286,8 +313,15 @@ mod avx2_feature {
     ) -> Result<(), VerificationError> {
         crate::ml_dsa_generic::verify_pre_hashed::<
             crate::simd::avx2::AVX2SIMDUnit,
+            crate::samplex4::avx2::AVX2Sampler,
+            // We use the portable version here.
+            // It doesn' make sense to do these in parallel.
+            crate::hash_functions::portable::Shake128,
             crate::hash_functions::simd256::Shake128x4,
             crate::hash_functions::simd256::Shake256,
+            // We use the portable version here.
+            // It doesn' make sense to do these in parallel.
+            crate::hash_functions::portable::Shake256Xof,
             SHAKE128_PH,
             256,
             ROWS_IN_A,
diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs
index 205e2f7f6..872e24a4b 100644
--- a/libcrux-ml-dsa/src/polynomial.rs
+++ b/libcrux-ml-dsa/src/polynomial.rs
@@ -7,6 +7,7 @@ use crate::{
 pub(crate) struct PolynomialRingElement<SIMDUnit: Operations> {
     pub(crate) simd_units: [SIMDUnit; SIMD_UNITS_IN_RING_ELEMENT],
 }
+
 impl<SIMDUnit: Operations> PolynomialRingElement<SIMDUnit> {
     #[allow(non_snake_case)]
     pub(crate) fn ZERO() -> Self {
@@ -35,12 +36,11 @@ impl<SIMDUnit: Operations> PolynomialRingElement<SIMDUnit> {
     pub(crate) fn from_i32_array(array: &[i32]) -> Self {
         debug_assert!(array.len() >= 256);
 
-        let mut array_chunks = array.chunks(COEFFICIENTS_IN_SIMD_UNIT);
-
         let mut result = Self::ZERO();
-
         for i in 0..SIMD_UNITS_IN_RING_ELEMENT {
-            result.simd_units[i] = SIMDUnit::from_coefficient_array(&array_chunks.next().unwrap());
+            result.simd_units[i] = SIMDUnit::from_coefficient_array(
+                &array[i * COEFFICIENTS_IN_SIMD_UNIT..(i + 1) * COEFFICIENTS_IN_SIMD_UNIT],
+            );
         }
         result
     }
diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs
index 06855c0f9..1e678a770 100644
--- a/libcrux-ml-dsa/src/pre_hash.rs
+++ b/libcrux-ml-dsa/src/pre_hash.rs
@@ -4,11 +4,7 @@
 //! of FIPS 204, any NIST-approved hash function or XOF can be used to
 //!/perform the pre-hash of the message. This module implements the
 //! pre-hash trait for SHAKE-128, with a digest length of 256 bytes.
-use crate::{
-    constants::CONTEXT_MAX_LEN,
-    hash_functions::shake128::Xof,
-    types::{SigningError, VerificationError},
-};
+use crate::{constants::CONTEXT_MAX_LEN, hash_functions, SigningError, VerificationError};
 
 pub(crate) const PRE_HASH_OID_LEN: usize = 11;
 pub(crate) type PreHashOID = [u8; PRE_HASH_OID_LEN];
@@ -19,7 +15,7 @@ pub(crate) trait PreHash<const DIGEST_LEN: usize> {
     fn oid() -> PreHashOID;
 
     /// Used to derive the pre-hash PH of the message before signing.
-    fn hash(message: &[u8]) -> [u8; DIGEST_LEN];
+    fn hash<Shake128: hash_functions::shake128::Xof>(message: &[u8]) -> [u8; DIGEST_LEN];
 }
 
 #[allow(non_camel_case_types)]
@@ -27,16 +23,19 @@ pub(crate) trait PreHash<const DIGEST_LEN: usize> {
 /// digest length 256 bytes.
 pub(crate) struct SHAKE128_PH();
 
+const SHAKE128_OID: PreHashOID = [
+    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0b,
+];
+
 impl PreHash<256> for SHAKE128_PH {
     fn oid() -> PreHashOID {
-        [
-            0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0b,
-        ]
+        SHAKE128_OID
     }
 
-    fn hash(message: &[u8]) -> [u8; 256] {
+    #[inline(always)]
+    fn hash<Shake128: hash_functions::shake128::Xof>(message: &[u8]) -> [u8; 256] {
         let mut output = [0u8; 256];
-        crate::hash_functions::portable::Shake128::shake128(message, &mut output);
+        Shake128::shake128(message, &mut output);
 
         output
     }
@@ -46,27 +45,26 @@ impl PreHash<256> for SHAKE128_PH {
 /// the hash function or XOF used for pre-hashing.
 pub(crate) struct DomainSeparationContext<'a> {
     context: &'a [u8],
-    pre_hash_oid: Option<&'a PreHashOID>,
+    pre_hash_oid: Option<PreHashOID>,
 }
 
 pub(crate) enum DomainSeparationError {
     ContextTooLongError,
 }
 
+pub(crate) type PreHashResult<'a> = Result<DomainSeparationContext<'a>, DomainSeparationError>;
+
 impl<'a> DomainSeparationContext<'a> {
     /// `context` must be at most 255 bytes long.
-    pub(crate) fn new(
-        context: &'a [u8],
-        pre_hash_oid: Option<&'a PreHashOID>,
-    ) -> Result<Self, DomainSeparationError> {
+    pub(crate) fn new(context: &'a [u8], pre_hash_oid: Option<PreHashOID>) -> PreHashResult<'a> {
         if context.len() > CONTEXT_MAX_LEN {
-            Err(DomainSeparationError::ContextTooLongError)
-        } else {
-            Ok(Self {
-                context,
-                pre_hash_oid,
-            })
+            return Err(DomainSeparationError::ContextTooLongError);
         }
+
+        Ok(Self {
+            context,
+            pre_hash_oid,
+        })
     }
 
     /// Returns the context, guaranteed to be at most 255 bytes long.
@@ -75,8 +73,8 @@ impl<'a> DomainSeparationContext<'a> {
     }
 
     /// Returns the pre-hash OID, if any.
-    pub fn pre_hash_oid(&self) -> Option<&PreHashOID> {
-        self.pre_hash_oid
+    pub fn pre_hash_oid(&self) -> &Option<PreHashOID> {
+        &self.pre_hash_oid
     }
 }
 
@@ -91,7 +89,9 @@ impl From<DomainSeparationError> for SigningError {
 impl From<DomainSeparationError> for VerificationError {
     fn from(e: DomainSeparationError) -> VerificationError {
         match e {
-            DomainSeparationError::ContextTooLongError => VerificationError::ContextTooLongError,
+            DomainSeparationError::ContextTooLongError => {
+                VerificationError::VerificationContextTooLongError
+            }
         }
     }
 }
diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs
index 16f2b1f65..ea7f49291 100644
--- a/libcrux-ml-dsa/src/sample.rs
+++ b/libcrux-ml-dsa/src/sample.rs
@@ -2,6 +2,7 @@ use crate::{
     constants::COEFFICIENTS_IN_RING_ELEMENT,
     encoding,
     hash_functions::{shake128, shake256},
+    helper::cloop,
     polynomial::PolynomialRingElement,
     simd::traits::Operations,
 };
@@ -14,16 +15,18 @@ fn rejection_sample_less_than_field_modulus<SIMDUnit: Operations>(
 ) -> bool {
     let mut done = false;
 
-    for random_bytes in randomness.chunks(24) {
-        if !done {
-            let sampled = SIMDUnit::rejection_sample_less_than_field_modulus(
-                random_bytes,
-                &mut out[*sampled_coefficients..],
-            );
-            *sampled_coefficients += sampled;
-
-            if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT {
-                done = true;
+    cloop! {
+        for random_bytes in randomness.chunks_exact(24) {
+            if !done {
+                let sampled = SIMDUnit::rejection_sample_less_than_field_modulus(
+                    random_bytes,
+                    &mut out[*sampled_coefficients..],
+                );
+                *sampled_coefficients += sampled;
+
+                if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT {
+                    done = true;
+                }
             }
         }
     }
@@ -31,19 +34,57 @@ fn rejection_sample_less_than_field_modulus<SIMDUnit: Operations>(
     done
 }
 
-pub(crate) fn sample_four_ring_elements<SIMDUnit: Operations>(
+#[inline(always)]
+fn generate_domain_separator((row, column): (u8, u8)) -> u16 {
+    (column as u16) | ((row as u16) << 8)
+}
+
+pub(crate) type Matrix<SIMDUnit, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize> =
+    [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A];
+
+// Doing deep updates like `a[1][1] = 3` causes a memory blowup in F*
+// https://github.com/hacspec/hax/issues/1098
+// So we are instead using a matrix abstraction with a custom update function here.
+fn update_matrix<SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize>(
+    m: &mut Matrix<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>,
+    i: usize,
+    j: usize,
+    v: PolynomialRingElement<SIMDUnit>,
+) {
+    m[i][j] = v;
+}
+
+/// Sample and write out up to four ring elements.
+///
+/// If i <= `elements_requested`, a field element with domain separated
+/// seed according to the provided index is generated in
+/// `tmp_stack[i]`. After successful rejection sampling in
+/// `tmp_stack[i]`, the ring element is written to `matrix` at the
+/// provided index in `indices[i]`.
+/// `rand_stack` is a working buffer that holds initial Shake output.
+#[inline(always)]
+pub(crate) fn sample_up_to_four_ring_elements<
+    SIMDUnit: Operations,
+    Shake128: shake128::XofX4,
+    const ROWS_IN_A: usize,
+    const COLUMNS_IN_A: usize,
+>(
     mut seed0: [u8; 34],
-    domain_separator0: u16,
-    domain_separator1: u16,
-    domain_seperator2: u16,
-    domain_separator3: u16,
-) -> (
-    PolynomialRingElement<SIMDUnit>,
-    PolynomialRingElement<SIMDUnit>,
-    PolynomialRingElement<SIMDUnit>,
-    PolynomialRingElement<SIMDUnit>,
+    matrix: &mut Matrix<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>,
+    rand_stack0: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
+    rand_stack1: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
+    rand_stack2: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
+    rand_stack3: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
+    tmp_stack: &mut [[i32; 263]],
+    indices: &[(u8, u8); 4],
+    elements_requested: usize,
 ) {
-    use crate::hash_functions::shake128::XofX4;
+    debug_assert!(elements_requested <= 4);
+
+    let domain_separator0 = generate_domain_separator(indices[0]);
+    let domain_separator1 = generate_domain_separator(indices[1]);
+    let domain_separator2 = generate_domain_separator(indices[2]);
+    let domain_separator3 = generate_domain_separator(indices[3]);
 
     // Prepare the seeds
     seed0[32] = domain_separator0 as u8;
@@ -54,30 +95,16 @@ pub(crate) fn sample_four_ring_elements<SIMDUnit: Operations>(
     seed1[33] = (domain_separator1 >> 8) as u8;
 
     let mut seed2 = seed0;
-    seed2[32] = domain_seperator2 as u8;
-    seed2[33] = (domain_seperator2 >> 8) as u8;
+    seed2[32] = domain_separator2 as u8;
+    seed2[33] = (domain_separator2 >> 8) as u8;
 
     let mut seed3 = seed0;
     seed3[32] = domain_separator3 as u8;
     seed3[33] = (domain_separator3 >> 8) as u8;
 
-    // FIXME: We use the portable implementation here, since the
-    // compiler has an easier time optimizing it, compared to the AVX2
-    // version, which actually results in faster code (except for key
-    // generation), even in the AVX2 instantiation of ML-DSA.
-    let mut state =
-        crate::hash_functions::portable::Shake128X4::init_absorb(&seed0, &seed1, &seed2, &seed3);
-
-    let mut randomness0 = [0u8; shake128::FIVE_BLOCKS_SIZE];
-    let mut randomness1 = [0u8; shake128::FIVE_BLOCKS_SIZE];
-    let mut randomness2 = [0u8; shake128::FIVE_BLOCKS_SIZE];
-    let mut randomness3 = [0u8; shake128::FIVE_BLOCKS_SIZE];
-    state.squeeze_first_five_blocks(
-        &mut randomness0,
-        &mut randomness1,
-        &mut randomness2,
-        &mut randomness3,
-    );
+    let mut state = Shake128::init_absorb(&seed0, &seed1, &seed2, &seed3);
+
+    state.squeeze_first_five_blocks(rand_stack0, rand_stack1, rand_stack2, rand_stack3);
 
     // Every call to |rejection_sample_less_than_field_modulus|
     // will result in a call to |PortableSIMDUnit::rejection_sample_less_than_field_modulus|;
@@ -87,35 +114,30 @@ pub(crate) fn sample_four_ring_elements<SIMDUnit: Operations>(
     //
     // To ensure we don't overflow the buffer in this case, we allocate 255 + 8
     // = 263 elements.
-    let mut coefficients0 = [0i32; 263];
-    let mut coefficients1 = [0i32; 263];
-    let mut coefficients2 = [0i32; 263];
-    let mut coefficients3 = [0i32; 263];
-
     let mut sampled0 = 0;
     let mut sampled1 = 0;
     let mut sampled2 = 0;
     let mut sampled3 = 0;
 
     let mut done0 = rejection_sample_less_than_field_modulus::<SIMDUnit>(
-        &randomness0,
+        rand_stack0,
         &mut sampled0,
-        &mut coefficients0,
+        &mut tmp_stack[0],
     );
     let mut done1 = rejection_sample_less_than_field_modulus::<SIMDUnit>(
-        &randomness1,
+        rand_stack1,
         &mut sampled1,
-        &mut coefficients1,
+        &mut tmp_stack[1],
     );
     let mut done2 = rejection_sample_less_than_field_modulus::<SIMDUnit>(
-        &randomness2,
+        rand_stack2,
         &mut sampled2,
-        &mut coefficients2,
+        &mut tmp_stack[2],
     );
     let mut done3 = rejection_sample_less_than_field_modulus::<SIMDUnit>(
-        &randomness3,
+        rand_stack3,
         &mut sampled3,
-        &mut coefficients3,
+        &mut tmp_stack[3],
     );
 
     while !done0 || !done1 || !done2 || !done3 {
@@ -124,38 +146,43 @@ pub(crate) fn sample_four_ring_elements<SIMDUnit: Operations>(
             done0 = rejection_sample_less_than_field_modulus::<SIMDUnit>(
                 &randomnesses.0,
                 &mut sampled0,
-                &mut coefficients0,
+                &mut tmp_stack[0],
             );
         }
         if !done1 {
             done1 = rejection_sample_less_than_field_modulus::<SIMDUnit>(
                 &randomnesses.1,
                 &mut sampled1,
-                &mut coefficients1,
+                &mut tmp_stack[1],
             );
         }
         if !done2 {
             done2 = rejection_sample_less_than_field_modulus::<SIMDUnit>(
                 &randomnesses.2,
                 &mut sampled2,
-                &mut coefficients2,
+                &mut tmp_stack[2],
             );
         }
         if !done3 {
             done3 = rejection_sample_less_than_field_modulus::<SIMDUnit>(
                 &randomnesses.3,
                 &mut sampled3,
-                &mut coefficients3,
+                &mut tmp_stack[3],
             );
         }
     }
 
-    (
-        PolynomialRingElement::<SIMDUnit>::from_i32_array(&coefficients0),
-        PolynomialRingElement::<SIMDUnit>::from_i32_array(&coefficients1),
-        PolynomialRingElement::<SIMDUnit>::from_i32_array(&coefficients2),
-        PolynomialRingElement::<SIMDUnit>::from_i32_array(&coefficients3),
-    )
+    for k in 0..elements_requested {
+        let (i, j) = indices[k];
+        update_matrix(
+            matrix,
+            i as usize,
+            j as usize,
+            PolynomialRingElement::<SIMDUnit>::from_i32_array(&tmp_stack[k]),
+        );
+    }
+
+    ()
 }
 
 #[inline(always)]
@@ -168,16 +195,18 @@ fn rejection_sample_less_than_eta_equals_2<SIMDUnit: Operations>(
 
     // Since each byte can be used to sample up to 2 coefficients, and since
     // a single SIMDUnit can hold 8 coefficients, we pass in 4 bytes of randomness.
-    for random_bytes in randomness.chunks(4) {
-        if !done {
-            let sampled = SIMDUnit::rejection_sample_less_than_eta_equals_2(
-                random_bytes,
-                &mut out[*sampled_coefficients..],
-            );
-            *sampled_coefficients += sampled;
-
-            if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT {
-                done = true;
+    cloop! {
+        for random_bytes in randomness.chunks_exact(4) {
+            if !done {
+                let sampled = SIMDUnit::rejection_sample_less_than_eta_equals_2(
+                    random_bytes,
+                    &mut out[*sampled_coefficients..],
+                );
+                *sampled_coefficients += sampled;
+
+                if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT {
+                    done = true;
+                }
             }
         }
     }
@@ -194,16 +223,18 @@ fn rejection_sample_less_than_eta_equals_4<SIMDUnit: Operations>(
 
     // Since each byte can be used to sample up to 2 coefficients, and since
     // a single SIMDUnit can hold 8 coefficients, we pass in 4 bytes of randomness.
-    for random_bytes in randomness.chunks(4) {
-        if !done {
-            let sampled = SIMDUnit::rejection_sample_less_than_eta_equals_4(
-                random_bytes,
-                &mut out[*sampled_coefficients..],
-            );
-            *sampled_coefficients += sampled;
-
-            if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT {
-                done = true;
+    cloop! {
+        for random_bytes in randomness.chunks_exact(4) {
+            if !done {
+                let sampled = SIMDUnit::rejection_sample_less_than_eta_equals_4(
+                    random_bytes,
+                    &mut out[*sampled_coefficients..],
+                );
+                *sampled_coefficients += sampled;
+
+                if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT {
+                    done = true;
+                }
             }
         }
     }
@@ -339,21 +370,22 @@ fn update_seed(mut seed: [u8; 66], domain_separator: &mut u16) -> [u8; 66] {
 #[inline(always)]
 fn sample_mask_ring_element<
     SIMDUnit: Operations,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
     const GAMMA1_EXPONENT: usize,
 >(
     seed: [u8; 66],
-) -> PolynomialRingElement<SIMDUnit> {
+    result: &mut PolynomialRingElement<SIMDUnit>,
+) {
     match GAMMA1_EXPONENT as u8 {
         17 => {
             let mut out = [0u8; 576];
             Shake256::shake256::<576>(&seed, &mut out);
-            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out)
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out, result);
         }
         19 => {
             let mut out = [0u8; 640];
             Shake256::shake256::<640>(&seed, &mut out);
-            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out)
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out, result);
         }
         _ => unreachable!(),
     }
@@ -362,7 +394,7 @@ fn sample_mask_ring_element<
 #[inline(always)]
 pub(crate) fn sample_mask_vector<
     SIMDUnit: Operations,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
     Shake256X4: shake256::XofX4,
     const DIMENSION: usize,
     const GAMMA1_EXPONENT: usize,
@@ -390,10 +422,10 @@ pub(crate) fn sample_mask_vector<
             Shake256X4::shake256_x4(
                 &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3,
             );
-            mask[0] = encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out0);
-            mask[1] = encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out1);
-            mask[2] = encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out2);
-            mask[3] = encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out3);
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out0, &mut mask[0]);
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out1, &mut mask[1]);
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out2, &mut mask[2]);
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out3, &mut mask[3]);
         }
         19 => {
             let mut out0 = [0; 640];
@@ -403,10 +435,10 @@ pub(crate) fn sample_mask_vector<
             Shake256X4::shake256_x4(
                 &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3,
             );
-            mask[0] = encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out0);
-            mask[1] = encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out1);
-            mask[2] = encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out2);
-            mask[3] = encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out3);
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out0, &mut mask[0]);
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out1, &mut mask[1]);
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out2, &mut mask[2]);
+            encoding::gamma1::deserialize::<SIMDUnit, GAMMA1_EXPONENT>(&out3, &mut mask[3]);
         }
         _ => unreachable!(),
     }
@@ -418,7 +450,7 @@ pub(crate) fn sample_mask_vector<
         *domain_separator += 1;
 
         // TODO: For 87 we may want to do another 4 and discard 1.
-        mask[i] = sample_mask_ring_element::<SIMDUnit, Shake256, GAMMA1_EXPONENT>(seed);
+        sample_mask_ring_element::<SIMDUnit, Shake256, GAMMA1_EXPONENT>(seed, &mut mask[i]);
     }
 
     mask
@@ -433,18 +465,20 @@ fn inside_out_shuffle(
 ) -> bool {
     let mut done = false;
 
-    for byte in randomness {
-        if !done {
-            let sample_at = *byte as usize;
-            if sample_at <= *out_index {
-                result[*out_index] = result[sample_at];
-                *out_index += 1;
+    cloop! {
+        for byte in randomness.iter() {
+            if !done {
+                let sample_at = *byte as usize;
+                if sample_at <= *out_index {
+                    result[*out_index] = result[sample_at];
+                    *out_index += 1;
 
-                result[sample_at] = 1 - 2 * ((*signs & 1) as i32);
-                *signs >>= 1;
-            }
+                    result[sample_at] = 1 - 2 * ((*signs & 1) as i32);
+                    *signs >>= 1;
+                }
 
-            done = *out_index == result.len();
+                done = *out_index == result.len();
+            }
         }
     }
 
@@ -453,13 +487,13 @@ fn inside_out_shuffle(
 #[inline(always)]
 pub(crate) fn sample_challenge_ring_element<
     SIMDUnit: Operations,
-    Shake256: shake256::Xof,
+    Shake256: shake256::DsaXof,
     const NUMBER_OF_ONES: usize,
     const SEED_SIZE: usize,
 >(
     seed: [u8; SEED_SIZE],
 ) -> PolynomialRingElement<SIMDUnit> {
-    let mut state = Shake256::init_absorb(&seed);
+    let mut state = Shake256::init_absorb_final(&seed);
     let randomness = state.squeeze_first_block();
 
     let mut signs = u64::from_le_bytes(randomness[0..8].try_into().unwrap());
@@ -487,20 +521,45 @@ mod tests {
         simd::{self, traits::Operations},
     };
 
-    // This is just a wrapper around sample_four_ring_elements, for testing
-    // purposes.
-    fn sample_ring_element_uniform<SIMDUnit: Operations>(
+    fn sample_ring_element_uniform<SIMDUnit: Operations, Shake128: shake128::XofX4>(
         seed: [u8; 34],
     ) -> PolynomialRingElement<SIMDUnit> {
-        let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
-            seed,
-            ((seed[33] as u16) << 8) | (seed[32] as u16),
-            0,
-            0,
-            0,
+        let mut rand_stack = (
+            [0u8; shake128::FIVE_BLOCKS_SIZE],
+            [0u8; shake128::FIVE_BLOCKS_SIZE],
+            [0u8; shake128::FIVE_BLOCKS_SIZE],
+            [0u8; shake128::FIVE_BLOCKS_SIZE],
         );
 
-        four_ring_elements.0
+        let dummy_input = [0u8; 34];
+        let mut state = Shake128::init_absorb(&seed, &dummy_input, &dummy_input, &dummy_input);
+        state.squeeze_first_five_blocks(
+            &mut rand_stack.0,
+            &mut rand_stack.1,
+            &mut rand_stack.2,
+            &mut rand_stack.3,
+        );
+        let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]];
+        let mut sampled = 0;
+
+        let mut done = rejection_sample_less_than_field_modulus::<SIMDUnit>(
+            &mut rand_stack.0,
+            &mut sampled,
+            &mut tmp_stack[0],
+        );
+
+        while !done {
+            let randomnesses = state.squeeze_next_block();
+            if !done {
+                done = rejection_sample_less_than_field_modulus::<SIMDUnit>(
+                    &randomnesses.0,
+                    &mut sampled,
+                    &mut tmp_stack[0],
+                );
+            }
+        }
+
+        PolynomialRingElement::<SIMDUnit>::from_i32_array(&tmp_stack[0])
     }
 
     // This is just a wrapper around sample_four_ring_elements, for testing
@@ -560,7 +619,7 @@ mod tests {
         ];
 
         assert_eq!(
-            sample_ring_element_uniform::<SIMDUnit>(seed).to_i32_array(),
+            sample_ring_element_uniform::<SIMDUnit, Shake128>(seed).to_i32_array(),
             expected_coefficients
         );
 
@@ -574,7 +633,8 @@ mod tests {
             0xB1, 0x83, 0x9B, 0x86, 0x06, 0xF5, 0x94, 0x8B, 0x9D, 0x72, 0xA9, 0x56, 0xDC, 0xF1,
             0x01, 0x16, 0xDA, 0x9E, 0x01, 0x00,
         ];
-        let actual_coefficients = sample_ring_element_uniform::<SIMDUnit>(seed).to_i32_array();
+        let actual_coefficients =
+            sample_ring_element_uniform::<SIMDUnit, Shake128>(seed).to_i32_array();
 
         assert_eq!(actual_coefficients[0], 1_165_602);
         assert_eq!(
@@ -669,7 +729,10 @@ mod tests {
         );
     }
 
-    fn test_sample_challenge_ring_element_generic<SIMDUnit: Operations, Shake256: shake256::Xof>() {
+    fn test_sample_challenge_ring_element_generic<
+        SIMDUnit: Operations,
+        Shake256: shake256::DsaXof,
+    >() {
         // When TAU = 39
         let seed: [u8; 32] = [
             3, 9, 159, 119, 236, 6, 207, 7, 103, 108, 187, 137, 222, 35, 37, 30, 79, 224, 204, 186,
diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs
index 1ac7e7530..ddcf0ac40 100644
--- a/libcrux-ml-dsa/src/samplex4.rs
+++ b/libcrux-ml-dsa/src/samplex4.rs
@@ -1,35 +1,25 @@
 use crate::{
-    hash_functions::shake256,
+    hash_functions::{shake128, shake256},
     polynomial::PolynomialRingElement,
-    sample::{sample_four_error_ring_elements, sample_four_ring_elements},
+    sample::{sample_four_error_ring_elements, sample_up_to_four_ring_elements, Matrix},
     simd::traits::Operations,
 };
 
-#[inline(always)]
-fn generate_domain_separator(row: u8, column: u8) -> u16 {
-    (column as u16) | ((row as u16) << 8)
-}
-
-// Doing deep updates like `a[1][1] = 3` causes a memory blowup in F*
-// https://github.com/hacspec/hax/issues/1098
-// So we are instead using a matrix abstraction with a custom update function here.
-
-type Matrix<SIMDUnit, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize> =
-    [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A];
-
-fn update_matrix<SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize>(
-    m: &mut Matrix<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>,
-    i: usize,
-    j: usize,
-    v: PolynomialRingElement<SIMDUnit>,
-) {
-    m[i][j] = v;
+/// The x4 sampling implementation that is selected during multiplexing.
+pub(crate) trait X4Sampler {
+    /// Sample the matrix A using platform specific implementation.
+    #[allow(non_snake_case)]
+    fn matrix_A<SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize>(
+        seed: [u8; 34],
+    ) -> [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A];
 }
 
 #[allow(non_snake_case)]
 #[inline(always)]
+#[cfg(feature = "mldsa44")]
 pub(crate) fn matrix_A_4_by_4<
     SIMDUnit: Operations,
+    Shake128: shake128::XofX4,
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
 >(
@@ -38,61 +28,66 @@ pub(crate) fn matrix_A_4_by_4<
     let mut A: Matrix<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A> =
         [[PolynomialRingElement::<SIMDUnit>::ZERO(); COLUMNS_IN_A]; ROWS_IN_A];
 
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]];
+
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(0, 0),
-        generate_domain_separator(0, 1),
-        generate_domain_separator(0, 2),
-        generate_domain_separator(0, 3),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(0, 0), (0, 1), (0, 2), (0, 3)],
+        4,
     );
-    update_matrix(&mut A, 0, 0, four_ring_elements.0);
-    update_matrix(&mut A, 0, 1, four_ring_elements.1);
-    update_matrix(&mut A, 0, 2, four_ring_elements.2);
-    update_matrix(&mut A, 0, 3, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(1, 0),
-        generate_domain_separator(1, 1),
-        generate_domain_separator(1, 2),
-        generate_domain_separator(1, 3),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(1, 0), (1, 1), (1, 2), (1, 3)],
+        4,
     );
-    update_matrix(&mut A, 1, 0, four_ring_elements.0);
-    update_matrix(&mut A, 1, 1, four_ring_elements.1);
-    update_matrix(&mut A, 1, 2, four_ring_elements.2);
-    update_matrix(&mut A, 1, 3, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(2, 0),
-        generate_domain_separator(2, 1),
-        generate_domain_separator(2, 2),
-        generate_domain_separator(2, 3),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(2, 0), (2, 1), (2, 2), (2, 3)],
+        4,
     );
-    update_matrix(&mut A, 2, 0, four_ring_elements.0);
-    update_matrix(&mut A, 2, 1, four_ring_elements.1);
-    update_matrix(&mut A, 2, 2, four_ring_elements.2);
-    update_matrix(&mut A, 2, 3, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(3, 0),
-        generate_domain_separator(3, 1),
-        generate_domain_separator(3, 2),
-        generate_domain_separator(3, 3),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(3, 0), (3, 1), (3, 2), (3, 3)],
+        4,
     );
-    update_matrix(&mut A, 3, 0, four_ring_elements.0);
-    update_matrix(&mut A, 3, 1, four_ring_elements.1);
-    update_matrix(&mut A, 3, 2, four_ring_elements.2);
-    update_matrix(&mut A, 3, 3, four_ring_elements.3);
 
     A
 }
 
 #[allow(non_snake_case)]
 #[inline(always)]
+#[cfg(feature = "mldsa65")]
 pub(crate) fn matrix_A_6_by_5<
     SIMDUnit: Operations,
+    Shake128: shake128::XofX4,
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
 >(
@@ -100,107 +95,112 @@ pub(crate) fn matrix_A_6_by_5<
 ) -> [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A] {
     let mut A = [[PolynomialRingElement::<SIMDUnit>::ZERO(); COLUMNS_IN_A]; ROWS_IN_A];
 
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]];
+
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(0, 0),
-        generate_domain_separator(0, 1),
-        generate_domain_separator(0, 2),
-        generate_domain_separator(0, 3),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(0, 0), (0, 1), (0, 2), (0, 3)],
+        4,
     );
-    update_matrix(&mut A, 0, 0, four_ring_elements.0);
-    update_matrix(&mut A, 0, 1, four_ring_elements.1);
-    update_matrix(&mut A, 0, 2, four_ring_elements.2);
-    update_matrix(&mut A, 0, 3, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(0, 4),
-        generate_domain_separator(1, 0),
-        generate_domain_separator(1, 1),
-        generate_domain_separator(1, 2),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(0, 4), (1, 0), (1, 1), (1, 2)],
+        4,
     );
-    update_matrix(&mut A, 0, 4, four_ring_elements.0);
-    update_matrix(&mut A, 1, 0, four_ring_elements.1);
-    update_matrix(&mut A, 1, 1, four_ring_elements.2);
-    update_matrix(&mut A, 1, 2, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(1, 3),
-        generate_domain_separator(1, 4),
-        generate_domain_separator(2, 0),
-        generate_domain_separator(2, 1),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(1, 3), (1, 4), (2, 0), (2, 1)],
+        4,
     );
-    update_matrix(&mut A, 1, 3, four_ring_elements.0);
-    update_matrix(&mut A, 1, 4, four_ring_elements.1);
-    update_matrix(&mut A, 2, 0, four_ring_elements.2);
-    update_matrix(&mut A, 2, 1, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(2, 2),
-        generate_domain_separator(2, 3),
-        generate_domain_separator(2, 4),
-        generate_domain_separator(3, 0),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(2, 2), (2, 3), (2, 4), (3, 0)],
+        4,
     );
-    update_matrix(&mut A, 2, 2, four_ring_elements.0);
-    update_matrix(&mut A, 2, 3, four_ring_elements.1);
-    update_matrix(&mut A, 2, 4, four_ring_elements.2);
-    update_matrix(&mut A, 3, 0, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(3, 1),
-        generate_domain_separator(3, 2),
-        generate_domain_separator(3, 3),
-        generate_domain_separator(3, 4),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(3, 1), (3, 2), (3, 3), (3, 4)],
+        4,
     );
-    update_matrix(&mut A, 3, 1, four_ring_elements.0);
-    update_matrix(&mut A, 3, 2, four_ring_elements.1);
-    update_matrix(&mut A, 3, 3, four_ring_elements.2);
-    update_matrix(&mut A, 3, 4, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(4, 0),
-        generate_domain_separator(4, 1),
-        generate_domain_separator(4, 2),
-        generate_domain_separator(4, 3),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(4, 0), (4, 1), (4, 2), (4, 3)],
+        4,
     );
-    update_matrix(&mut A, 4, 0, four_ring_elements.0);
-    update_matrix(&mut A, 4, 1, four_ring_elements.1);
-    update_matrix(&mut A, 4, 2, four_ring_elements.2);
-    update_matrix(&mut A, 4, 3, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(4, 4),
-        generate_domain_separator(5, 0),
-        generate_domain_separator(5, 1),
-        generate_domain_separator(5, 2),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(4, 4), (5, 0), (5, 1), (5, 2)],
+        4,
     );
-    update_matrix(&mut A, 4, 4, four_ring_elements.0);
-    update_matrix(&mut A, 5, 0, four_ring_elements.1);
-    update_matrix(&mut A, 5, 1, four_ring_elements.2);
-    update_matrix(&mut A, 5, 2, four_ring_elements.3);
 
-    // The the last 2 sampled ring elements are discarded here.
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    // The last 2 sampled ring elements are discarded here.
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(5, 3),
-        generate_domain_separator(5, 4),
-        generate_domain_separator(5, 5),
-        generate_domain_separator(5, 6),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(5, 3), (5, 4), (5, 5), (5, 6)],
+        2,
     );
-    update_matrix(&mut A, 5, 3, four_ring_elements.0);
-    update_matrix(&mut A, 5, 4, four_ring_elements.1);
 
     A
 }
+
 #[allow(non_snake_case)]
 #[inline(always)]
+#[cfg(feature = "mldsa87")]
 pub(crate) fn matrix_A_8_by_7<
     SIMDUnit: Operations,
+    Shake128: shake128::XofX4,
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
 >(
@@ -208,189 +208,282 @@ pub(crate) fn matrix_A_8_by_7<
 ) -> [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A] {
     let mut A = [[PolynomialRingElement::<SIMDUnit>::ZERO(); COLUMNS_IN_A]; ROWS_IN_A];
 
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+    let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]];
+
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(0, 0),
-        generate_domain_separator(0, 1),
-        generate_domain_separator(0, 2),
-        generate_domain_separator(0, 3),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(0, 0), (0, 1), (0, 2), (0, 3)],
+        4,
     );
-    update_matrix(&mut A, 0, 0, four_ring_elements.0);
-    update_matrix(&mut A, 0, 1, four_ring_elements.1);
-    update_matrix(&mut A, 0, 2, four_ring_elements.2);
-    update_matrix(&mut A, 0, 3, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(0, 4),
-        generate_domain_separator(0, 5),
-        generate_domain_separator(0, 6),
-        generate_domain_separator(1, 0),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(0, 4), (0, 5), (0, 6), (1, 0)],
+        4,
     );
-    update_matrix(&mut A, 0, 4, four_ring_elements.0);
-    update_matrix(&mut A, 0, 5, four_ring_elements.1);
-    update_matrix(&mut A, 0, 6, four_ring_elements.2);
-    update_matrix(&mut A, 1, 0, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(1, 1),
-        generate_domain_separator(1, 2),
-        generate_domain_separator(1, 3),
-        generate_domain_separator(1, 4),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(1, 1), (1, 2), (1, 3), (1, 4)],
+        4,
     );
-    update_matrix(&mut A, 1, 1, four_ring_elements.0);
-    update_matrix(&mut A, 1, 2, four_ring_elements.1);
-    update_matrix(&mut A, 1, 3, four_ring_elements.2);
-    update_matrix(&mut A, 1, 4, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(1, 5),
-        generate_domain_separator(1, 6),
-        generate_domain_separator(2, 0),
-        generate_domain_separator(2, 1),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(1, 5), (1, 6), (2, 0), (2, 1)],
+        4,
     );
-    update_matrix(&mut A, 1, 5, four_ring_elements.0);
-    update_matrix(&mut A, 1, 6, four_ring_elements.1);
-    update_matrix(&mut A, 2, 0, four_ring_elements.2);
-    update_matrix(&mut A, 2, 1, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(2, 2),
-        generate_domain_separator(2, 3),
-        generate_domain_separator(2, 4),
-        generate_domain_separator(2, 5),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(2, 2), (2, 3), (2, 4), (2, 5)],
+        4,
     );
-    update_matrix(&mut A, 2, 2, four_ring_elements.0);
-    update_matrix(&mut A, 2, 3, four_ring_elements.1);
-    update_matrix(&mut A, 2, 4, four_ring_elements.2);
-    update_matrix(&mut A, 2, 5, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(2, 6),
-        generate_domain_separator(3, 0),
-        generate_domain_separator(3, 1),
-        generate_domain_separator(3, 2),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(2, 6), (3, 0), (3, 1), (3, 2)],
+        4,
     );
-    update_matrix(&mut A, 2, 6, four_ring_elements.0);
-    update_matrix(&mut A, 3, 0, four_ring_elements.1);
-    update_matrix(&mut A, 3, 1, four_ring_elements.2);
-    update_matrix(&mut A, 3, 2, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(3, 3),
-        generate_domain_separator(3, 4),
-        generate_domain_separator(3, 5),
-        generate_domain_separator(3, 6),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(3, 3), (3, 4), (3, 5), (3, 6)],
+        4,
     );
-    update_matrix(&mut A, 3, 3, four_ring_elements.0);
-    update_matrix(&mut A, 3, 4, four_ring_elements.1);
-    update_matrix(&mut A, 3, 5, four_ring_elements.2);
-    update_matrix(&mut A, 3, 6, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(4, 0),
-        generate_domain_separator(4, 1),
-        generate_domain_separator(4, 2),
-        generate_domain_separator(4, 3),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(4, 0), (4, 1), (4, 2), (4, 3)],
+        4,
     );
-    update_matrix(&mut A, 4, 0, four_ring_elements.0);
-    update_matrix(&mut A, 4, 1, four_ring_elements.1);
-    update_matrix(&mut A, 4, 2, four_ring_elements.2);
-    update_matrix(&mut A, 4, 3, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(4, 4),
-        generate_domain_separator(4, 5),
-        generate_domain_separator(4, 6),
-        generate_domain_separator(5, 0),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(4, 4), (4, 5), (4, 6), (5, 0)],
+        4,
     );
-    update_matrix(&mut A, 4, 4, four_ring_elements.0);
-    update_matrix(&mut A, 4, 5, four_ring_elements.1);
-    update_matrix(&mut A, 4, 6, four_ring_elements.2);
-    update_matrix(&mut A, 5, 0, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(5, 1),
-        generate_domain_separator(5, 2),
-        generate_domain_separator(5, 3),
-        generate_domain_separator(5, 4),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(5, 1), (5, 2), (5, 3), (5, 4)],
+        4,
     );
-    update_matrix(&mut A, 5, 1, four_ring_elements.0);
-    update_matrix(&mut A, 5, 2, four_ring_elements.1);
-    update_matrix(&mut A, 5, 3, four_ring_elements.2);
-    update_matrix(&mut A, 5, 4, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(5, 5),
-        generate_domain_separator(5, 6),
-        generate_domain_separator(6, 0),
-        generate_domain_separator(6, 1),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(5, 5), (5, 6), (6, 0), (6, 1)],
+        4,
     );
-    update_matrix(&mut A, 5, 5, four_ring_elements.0);
-    update_matrix(&mut A, 5, 6, four_ring_elements.1);
-    update_matrix(&mut A, 6, 0, four_ring_elements.2);
-    update_matrix(&mut A, 6, 1, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(6, 2),
-        generate_domain_separator(6, 3),
-        generate_domain_separator(6, 4),
-        generate_domain_separator(6, 5),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(6, 2), (6, 3), (6, 4), (6, 5)],
+        4,
     );
-    update_matrix(&mut A, 6, 2, four_ring_elements.0);
-    update_matrix(&mut A, 6, 3, four_ring_elements.1);
-    update_matrix(&mut A, 6, 4, four_ring_elements.2);
-    update_matrix(&mut A, 6, 5, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(6, 6),
-        generate_domain_separator(7, 0),
-        generate_domain_separator(7, 1),
-        generate_domain_separator(7, 2),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(6, 6), (7, 0), (7, 1), (7, 2)],
+        4,
     );
-    update_matrix(&mut A, 6, 6, four_ring_elements.0);
-    update_matrix(&mut A, 7, 0, four_ring_elements.1);
-    update_matrix(&mut A, 7, 1, four_ring_elements.2);
-    update_matrix(&mut A, 7, 2, four_ring_elements.3);
-
-    let four_ring_elements = sample_four_ring_elements::<SIMDUnit>(
+    sample_up_to_four_ring_elements::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(
         seed,
-        generate_domain_separator(7, 3),
-        generate_domain_separator(7, 4),
-        generate_domain_separator(7, 5),
-        generate_domain_separator(7, 6),
+        &mut A,
+        &mut rand_stack0,
+        &mut rand_stack1,
+        &mut rand_stack2,
+        &mut rand_stack3,
+        &mut tmp_stack,
+        &[(7, 3), (7, 4), (7, 5), (7, 6)],
+        4,
     );
-    update_matrix(&mut A, 7, 3, four_ring_elements.0);
-    update_matrix(&mut A, 7, 4, four_ring_elements.1);
-    update_matrix(&mut A, 7, 5, four_ring_elements.2);
-    update_matrix(&mut A, 7, 6, four_ring_elements.3);
 
     A
 }
+
+pub(crate) mod portable {
+    use super::*;
+
+    pub(crate) struct PortableSampler {}
+    impl X4Sampler for PortableSampler {
+        #[inline(always)]
+        fn matrix_A<SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize>(
+            seed: [u8; 34],
+        ) -> [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A] {
+            matrix_A_generic::<
+                SIMDUnit,
+                crate::hash_functions::portable::Shake128X4,
+                ROWS_IN_A,
+                COLUMNS_IN_A,
+            >(seed)
+        }
+    }
+}
+
+#[cfg(feature = "simd128")]
+pub(crate) mod neon {
+    use super::*;
+
+    pub(crate) struct NeonSampler {}
+    impl X4Sampler for NeonSampler {
+        #[inline(always)]
+        fn matrix_A<SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize>(
+            seed: [u8; 34],
+        ) -> [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A] {
+            matrix_A_generic::<
+                SIMDUnit,
+                crate::hash_functions::neon::Shake128x4,
+                ROWS_IN_A,
+                COLUMNS_IN_A,
+            >(seed)
+        }
+    }
+}
+
+#[cfg(feature = "simd256")]
+pub(crate) mod avx2 {
+    use super::*;
+
+    pub(crate) struct AVX2Sampler {}
+    impl X4Sampler for AVX2Sampler {
+        #[inline(always)]
+        #[allow(unsafe_code)]
+        fn matrix_A<SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize>(
+            seed: [u8; 34],
+        ) -> [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A] {
+            unsafe { matrix_A_avx2(seed) }
+        }
+    }
+
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
+    #[allow(unsafe_code)]
+    #[allow(non_snake_case)]
+    pub(crate) unsafe fn matrix_A_avx2<
+        SIMDUnit: Operations,
+        const ROWS_IN_A: usize,
+        const COLUMNS_IN_A: usize,
+    >(
+        seed: [u8; 34],
+    ) -> [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A] {
+        match (ROWS_IN_A as u8, COLUMNS_IN_A as u8) {
+            #[cfg(feature = "mldsa44")]
+            (4, 4) => matrix_A_4_by_4::<
+                SIMDUnit,
+                crate::hash_functions::simd256::Shake128x4,
+                ROWS_IN_A,
+                COLUMNS_IN_A,
+            >(seed),
+            #[cfg(feature = "mldsa65")]
+            (6, 5) => matrix_A_6_by_5::<
+                SIMDUnit,
+                crate::hash_functions::simd256::Shake128x4,
+                ROWS_IN_A,
+                COLUMNS_IN_A,
+            >(seed),
+            #[cfg(feature = "mldsa87")]
+            (8, 7) => matrix_A_8_by_7::<
+                SIMDUnit,
+                crate::hash_functions::simd256::Shake128x4,
+                ROWS_IN_A,
+                COLUMNS_IN_A,
+            >(seed),
+            _ => unreachable!(),
+        }
+    }
+}
+
 #[allow(non_snake_case)]
-#[inline(always)]
-pub(crate) fn matrix_A<SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize>(
+pub(crate) fn matrix_A_generic<
+    SIMDUnit: Operations,
+    Shake128: shake128::XofX4,
+    const ROWS_IN_A: usize,
+    const COLUMNS_IN_A: usize,
+>(
     seed: [u8; 34],
 ) -> [[PolynomialRingElement<SIMDUnit>; COLUMNS_IN_A]; ROWS_IN_A] {
     match (ROWS_IN_A as u8, COLUMNS_IN_A as u8) {
-        (4, 4) => matrix_A_4_by_4::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(seed),
-        (6, 5) => matrix_A_6_by_5::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(seed),
-        (8, 7) => matrix_A_8_by_7::<SIMDUnit, ROWS_IN_A, COLUMNS_IN_A>(seed),
+        #[cfg(feature = "mldsa44")]
+        (4, 4) => matrix_A_4_by_4::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(seed),
+        #[cfg(feature = "mldsa65")]
+        (6, 5) => matrix_A_6_by_5::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(seed),
+        #[cfg(feature = "mldsa87")]
+        (8, 7) => matrix_A_8_by_7::<SIMDUnit, Shake128, ROWS_IN_A, COLUMNS_IN_A>(seed),
         _ => unreachable!(),
     }
 }
 
+#[cfg(feature = "mldsa44")]
 #[inline(always)]
 fn sample_s1_and_s2_4_by_4<
     SIMDUnit: Operations,
@@ -421,6 +514,8 @@ fn sample_s1_and_s2_4_by_4<
 
     (s1, s2)
 }
+
+#[cfg(feature = "mldsa65")]
 #[inline(always)]
 fn sample_s1_and_s2_5_by_6<
     SIMDUnit: Operations,
@@ -457,6 +552,8 @@ fn sample_s1_and_s2_5_by_6<
 
     (s1, s2)
 }
+
+#[cfg(feature = "mldsa87")]
 #[inline(always)]
 fn sample_s1_and_s2_7_by_8<
     SIMDUnit: Operations,
@@ -500,6 +597,7 @@ fn sample_s1_and_s2_7_by_8<
 
     (s1, s2)
 }
+
 #[inline(always)]
 pub(crate) fn sample_s1_and_s2<
     SIMDUnit: Operations,
@@ -514,12 +612,15 @@ pub(crate) fn sample_s1_and_s2<
     [PolynomialRingElement<SIMDUnit>; S2_DIMENSION],
 ) {
     match (S1_DIMENSION as u8, S2_DIMENSION as u8) {
+        #[cfg(feature = "mldsa44")]
         (4, 4) => {
             sample_s1_and_s2_4_by_4::<SIMDUnit, Shake256X4, ETA, S1_DIMENSION, S2_DIMENSION>(seed)
         }
+        #[cfg(feature = "mldsa65")]
         (5, 6) => {
             sample_s1_and_s2_5_by_6::<SIMDUnit, Shake256X4, ETA, S1_DIMENSION, S2_DIMENSION>(seed)
         }
+        #[cfg(feature = "mldsa87")]
         (7, 8) => {
             sample_s1_and_s2_7_by_8::<SIMDUnit, Shake256X4, ETA, S1_DIMENSION, S2_DIMENSION>(seed)
         }
diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index 32ad6a1a1..8fb2c09cd 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -86,8 +86,8 @@ impl Operations for AVX2SIMDUnit {
     }
 
     #[inline(always)]
-    fn gamma1_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE] {
-        encoding::gamma1::serialize::<OUTPUT_SIZE>(simd_unit.coefficients)
+    fn gamma1_serialize<const GAMMA1_EXPONENT: usize>(simd_unit: Self, serialized: &mut [u8]) {
+        encoding::gamma1::serialize::<GAMMA1_EXPONENT>(simd_unit.coefficients, serialized)
     }
     #[inline(always)]
     fn gamma1_deserialize<const GAMMA1_EXPONENT: usize>(serialized: &[u8]) -> Self {
@@ -95,13 +95,13 @@ impl Operations for AVX2SIMDUnit {
     }
 
     #[inline(always)]
-    fn commitment_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE] {
-        encoding::commitment::serialize::<OUTPUT_SIZE>(simd_unit.coefficients)
+    fn commitment_serialize(simd_unit: Self, serialized: &mut [u8]) {
+        encoding::commitment::serialize(simd_unit.coefficients, serialized)
     }
 
     #[inline(always)]
-    fn error_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE] {
-        encoding::error::serialize::<OUTPUT_SIZE>(simd_unit.coefficients)
+    fn error_serialize<const ETA: usize>(simd_unit: Self, serialized: &mut [u8]) {
+        encoding::error::serialize::<ETA>(simd_unit.coefficients, serialized)
     }
     #[inline(always)]
     fn error_deserialize<const ETA: usize>(serialized: &[u8]) -> Self {
diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs
index c8a3e40a1..de6f45d6e 100644
--- a/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs
@@ -1,10 +1,10 @@
 use libcrux_intrinsics::avx2::*;
 
 #[inline(always)]
-pub fn serialize<const OUTPUT_SIZE: usize>(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] {
+pub(in crate::simd::avx2) fn serialize(simd_unit: Vec256, out: &mut [u8]) {
     let mut serialized = [0u8; 19];
 
-    match OUTPUT_SIZE as u8 {
+    match out.len() as u8 {
         4 => {
             let adjacent_2_combined =
                 mm256_sllv_epi32(simd_unit, mm256_set_epi32(0, 28, 0, 28, 0, 28, 0, 28));
@@ -25,7 +25,7 @@ pub fn serialize<const OUTPUT_SIZE: usize>(simd_unit: Vec256) -> [u8; OUTPUT_SIZ
 
             mm_storeu_bytes_si128(&mut serialized[0..16], adjacent_4_combined);
 
-            serialized[0..4].try_into().unwrap()
+            out.copy_from_slice(&serialized[0..4]);
         }
 
         6 => {
@@ -56,7 +56,7 @@ pub fn serialize<const OUTPUT_SIZE: usize>(simd_unit: Vec256) -> [u8; OUTPUT_SIZ
             let upper_3 = mm256_extracti128_si256::<1>(adjacent_3_combined);
             mm_storeu_bytes_si128(&mut serialized[3..19], upper_3);
 
-            serialized[0..6].try_into().unwrap()
+            out.copy_from_slice(&serialized[0..6]);
         }
 
         _ => unreachable!(),
diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs
index 0d9095166..dcc82f753 100644
--- a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs
@@ -1,7 +1,7 @@
 use libcrux_intrinsics::avx2::*;
 
 #[inline(always)]
-fn serialize_when_eta_is_2<const OUTPUT_SIZE: usize>(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] {
+fn serialize_when_eta_is_2(simd_unit: Vec256, out: &mut [u8]) {
     let mut serialized = [0u8; 16];
 
     const ETA: i32 = 2;
@@ -34,10 +34,11 @@ fn serialize_when_eta_is_2<const OUTPUT_SIZE: usize>(simd_unit: Vec256) -> [u8;
 
     mm_storeu_bytes_si128(&mut serialized[0..16], adjacent_6_combined);
 
-    serialized[0..3].try_into().unwrap()
+    out.copy_from_slice(&serialized[0..3]);
 }
+
 #[inline(always)]
-fn serialize_when_eta_is_4<const OUTPUT_SIZE: usize>(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] {
+fn serialize_when_eta_is_4(simd_unit: Vec256, out: &mut [u8]) {
     let mut serialized = [0u8; 16];
 
     const ETA: i32 = 4;
@@ -61,13 +62,14 @@ fn serialize_when_eta_is_4<const OUTPUT_SIZE: usize>(simd_unit: Vec256) -> [u8;
 
     mm_storeu_bytes_si128(&mut serialized[0..16], adjacent_4_combined);
 
-    serialized[0..4].try_into().unwrap()
+    out.copy_from_slice(&serialized[0..4])
 }
+
 #[inline(always)]
-pub fn serialize<const OUTPUT_SIZE: usize>(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] {
-    match OUTPUT_SIZE as u8 {
-        3 => serialize_when_eta_is_2::<OUTPUT_SIZE>(simd_unit),
-        4 => serialize_when_eta_is_4::<OUTPUT_SIZE>(simd_unit),
+pub fn serialize<const ETA: usize>(simd_unit: Vec256, serialized: &mut [u8]) {
+    match ETA as u8 {
+        2 => serialize_when_eta_is_2(simd_unit, serialized),
+        4 => serialize_when_eta_is_4(simd_unit, serialized),
         _ => unreachable!(),
     }
 }
@@ -94,6 +96,7 @@ fn deserialize_to_unsigned_when_eta_is_2(bytes: &[u8]) -> Vec256 {
 
     mm256_and_si256(coefficients, mm256_set1_epi32(COEFFICIENT_MASK))
 }
+
 #[inline(always)]
 fn deserialize_to_unsigned_when_eta_is_4(bytes: &[u8]) -> Vec256 {
     debug_assert!(bytes.len() == 4);
diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs
index 80b666707..dae75a905 100644
--- a/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs
@@ -1,9 +1,7 @@
 use libcrux_intrinsics::avx2::*;
 
 #[inline(always)]
-fn serialize_when_gamma1_is_2_pow_17<const OUTPUT_SIZE: usize>(
-    simd_unit: Vec256,
-) -> [u8; OUTPUT_SIZE] {
+fn serialize_when_gamma1_is_2_pow_17(simd_unit: Vec256, out: &mut [u8]) {
     let mut serialized = [0u8; 32];
 
     const GAMMA1: i32 = 1 << 17;
@@ -27,13 +25,11 @@ fn serialize_when_gamma1_is_2_pow_17<const OUTPUT_SIZE: usize>(
     let upper_4 = mm256_extracti128_si256::<1>(adjacent_4_combined);
     mm_storeu_bytes_si128(&mut serialized[9..25], upper_4);
 
-    serialized[0..18].try_into().unwrap()
+    out.copy_from_slice(&serialized[0..18]);
 }
 
 #[inline(always)]
-fn serialize_when_gamma1_is_2_pow_19<const OUTPUT_SIZE: usize>(
-    simd_unit: Vec256,
-) -> [u8; OUTPUT_SIZE] {
+fn serialize_when_gamma1_is_2_pow_19(simd_unit: Vec256, out: &mut [u8]) {
     let mut serialized = [0u8; 32];
 
     const GAMMA1: i32 = 1 << 19;
@@ -61,14 +57,14 @@ fn serialize_when_gamma1_is_2_pow_19<const OUTPUT_SIZE: usize>(
     let upper_4 = mm256_extracti128_si256::<1>(adjacent_4_combined);
     mm_storeu_bytes_si128(&mut serialized[10..26], upper_4);
 
-    serialized[0..20].try_into().unwrap()
+    out.copy_from_slice(&serialized[0..20])
 }
 
 #[inline(always)]
-pub(crate) fn serialize<const OUTPUT_SIZE: usize>(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] {
-    match OUTPUT_SIZE as u8 {
-        18 => serialize_when_gamma1_is_2_pow_17::<OUTPUT_SIZE>(simd_unit),
-        20 => serialize_when_gamma1_is_2_pow_19::<OUTPUT_SIZE>(simd_unit),
+pub(crate) fn serialize<const GAMMA1_EXPONENT: usize>(simd_unit: Vec256, serialized: &mut [u8]) {
+    match GAMMA1_EXPONENT as u8 {
+        17 => serialize_when_gamma1_is_2_pow_17(simd_unit, serialized),
+        19 => serialize_when_gamma1_is_2_pow_19(simd_unit, serialized),
         _ => unreachable!(),
     }
 }
diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs
index f0c02d10e..fff2c9b98 100644
--- a/libcrux-ml-dsa/src/simd/portable.rs
+++ b/libcrux-ml-dsa/src/simd/portable.rs
@@ -69,19 +69,19 @@ impl Operations for PortableSIMDUnit {
         sample::rejection_sample_less_than_eta_equals_4(randomness, out)
     }
 
-    fn gamma1_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE] {
-        encoding::gamma1::serialize(simd_unit)
+    fn gamma1_serialize<const GAMMA1_EXPONENT: usize>(simd_unit: Self, serialized: &mut [u8]) {
+        encoding::gamma1::serialize::<GAMMA1_EXPONENT>(simd_unit, serialized)
     }
     fn gamma1_deserialize<const GAMMA1_EXPONENT: usize>(serialized: &[u8]) -> Self {
         encoding::gamma1::deserialize::<GAMMA1_EXPONENT>(serialized)
     }
 
-    fn commitment_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE] {
-        encoding::commitment::serialize(simd_unit)
+    fn commitment_serialize(simd_unit: Self, serialized: &mut [u8]) {
+        encoding::commitment::serialize(simd_unit, serialized)
     }
 
-    fn error_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE] {
-        encoding::error::serialize(simd_unit)
+    fn error_serialize<const ETA: usize>(simd_unit: Self, serialized: &mut [u8]) {
+        encoding::error::serialize::<ETA>(simd_unit, serialized)
     }
     fn error_deserialize<const ETA: usize>(serialized: &[u8]) -> Self {
         encoding::error::deserialize::<ETA>(serialized)
diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs
index f4c269470..d803487a8 100644
--- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs
+++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs
@@ -1,6 +1,7 @@
 use super::vector_type::{FieldElement, PortableSIMDUnit, ZERO};
 use crate::{
     constants::BITS_IN_LOWER_PART_OF_T,
+    helper::cloop,
     simd::traits::{
         FieldElementTimesMontgomeryR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R,
     },
@@ -115,11 +116,13 @@ pub fn power2round(simd_unit: PortableSIMDUnit) -> (PortableSIMDUnit, PortableSI
     let mut t0_simd_unit = ZERO();
     let mut t1_simd_unit = ZERO();
 
-    for (i, t) in simd_unit.coefficients.into_iter().enumerate() {
-        let (t0, t1) = power2round_element(t);
+    cloop! {
+        for (i, t) in simd_unit.coefficients.into_iter().enumerate() {
+            let (t0, t1) = power2round_element(t);
 
-        t0_simd_unit.coefficients[i] = t0;
-        t1_simd_unit.coefficients[i] = t1;
+            t0_simd_unit.coefficients[i] = t0;
+            t1_simd_unit.coefficients[i] = t1;
+        }
     }
 
     (t0_simd_unit, t1_simd_unit)
@@ -138,19 +141,21 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool {
     // TODO: We can break out of this loop early if need be, but the most
     // straightforward way to do so (returning false) will not go through hax;
     // revisit if performance is impacted.
-    for coefficient in simd_unit.coefficients.into_iter() {
-        debug_assert!(coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS);
-        // This norm is calculated using the absolute value of the
-        // signed representative in the range:
-        //
-        // -FIELD_MODULUS / 2 < r <= FIELD_MODULUS / 2.
-        //
-        // So if the coefficient is negative, get its absolute value, but
-        // don't convert it into a different representation.
-        let sign = coefficient >> 31;
-        let normalized = coefficient - (sign & (2 * coefficient));
-
-        exceeds = exceeds || normalized >= bound;
+    cloop! {
+        for coefficient in simd_unit.coefficients.into_iter() {
+            debug_assert!(coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS);
+            // This norm is calculated using the absolute value of the
+            // signed representative in the range:
+            //
+            // -FIELD_MODULUS / 2 < r <= FIELD_MODULUS / 2.
+            //
+            // So if the coefficient is negative, get its absolute value, but
+            // don't convert it into a different representation.
+            let sign = coefficient >> 31;
+            let normalized = coefficient - (sign & (2 * coefficient));
+
+            exceeds = exceeds || normalized >= bound;
+        }
     }
 
     exceeds
diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs
index 6ffafe423..cfc65ef45 100644
--- a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs
+++ b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs
@@ -1,38 +1,40 @@
+use crate::helper::cloop;
+
 use super::super::vector_type::PortableSIMDUnit;
 
 #[inline(always)]
-pub fn serialize<const OUTPUT_SIZE: usize>(simd_unit: PortableSIMDUnit) -> [u8; OUTPUT_SIZE] {
-    let mut serialized = [0u8; OUTPUT_SIZE];
-
-    match OUTPUT_SIZE as u8 {
+pub fn serialize(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) {
+    match serialized.len() as u8 {
         4 => {
             // The commitment has coefficients in [0,15] => each coefficient occupies
             // 4 bits.
-            for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() {
-                let coefficient0 = coefficients[0] as u8;
-                let coefficient1 = coefficients[1] as u8;
+            cloop! {
+                for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() {
+                    let coefficient0 = coefficients[0] as u8;
+                    let coefficient1 = coefficients[1] as u8;
 
-                serialized[i] = (coefficient1 << 4) | coefficient0;
+                    serialized[i] = (coefficient1 << 4) | coefficient0;
+                }
             }
-
-            serialized
+            ()
         }
 
         6 => {
             // The commitment has coefficients in [0,43] => each coefficient occupies
             // 6 bits.
-            for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() {
-                let coefficient0 = coefficients[0] as u8;
-                let coefficient1 = coefficients[1] as u8;
-                let coefficient2 = coefficients[2] as u8;
-                let coefficient3 = coefficients[3] as u8;
-
-                serialized[3 * i] = (coefficient1 << 6) | coefficient0;
-                serialized[3 * i + 1] = (coefficient2 << 4) | coefficient1 >> 2;
-                serialized[3 * i + 2] = (coefficient3 << 2) | coefficient2 >> 4;
+            cloop! {
+                for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() {
+                    let coefficient0 = coefficients[0] as u8;
+                    let coefficient1 = coefficients[1] as u8;
+                    let coefficient2 = coefficients[2] as u8;
+                    let coefficient3 = coefficients[3] as u8;
+
+                    serialized[3 * i] = (coefficient1 << 6) | coefficient0;
+                    serialized[3 * i + 1] = (coefficient2 << 4) | coefficient1 >> 2;
+                    serialized[3 * i + 2] = (coefficient3 << 2) | coefficient2 >> 4;
+                }
             }
-
-            serialized
+            ()
         }
 
         _ => unreachable!(),
diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs
index 5581cc2a4..5e84a571a 100644
--- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs
+++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs
@@ -1,10 +1,9 @@
+use crate::helper::cloop;
+
 use super::super::vector_type::{PortableSIMDUnit, ZERO};
 
 #[inline(always)]
-fn serialize_when_eta_is_2<const OUTPUT_SIZE: usize>(
-    simd_unit: PortableSIMDUnit,
-) -> [u8; OUTPUT_SIZE] {
-    let mut serialized = [0u8; OUTPUT_SIZE];
+fn serialize_when_eta_is_2(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) {
     const ETA: i32 = 2;
 
     let coefficient0 = (ETA - simd_unit.coefficients[0]) as u8;
@@ -20,32 +19,28 @@ fn serialize_when_eta_is_2<const OUTPUT_SIZE: usize>(
     serialized[1] =
         (coefficient5 << 7) | (coefficient4 << 4) | (coefficient3 << 1) | (coefficient2 >> 2);
     serialized[2] = (coefficient7 << 5) | (coefficient6 << 2) | (coefficient5 >> 1);
-
-    serialized
 }
+
 #[inline(always)]
-fn serialize_when_eta_is_4<const OUTPUT_SIZE: usize>(
-    simd_unit: PortableSIMDUnit,
-) -> [u8; OUTPUT_SIZE] {
-    let mut serialized = [0u8; OUTPUT_SIZE];
+fn serialize_when_eta_is_4(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) {
     const ETA: i32 = 4;
 
-    for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() {
-        let coefficient0 = (ETA - coefficients[0]) as u8;
-        let coefficient1 = (ETA - coefficients[1]) as u8;
+    cloop! {
+        for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() {
+            let coefficient0 = (ETA - coefficients[0]) as u8;
+            let coefficient1 = (ETA - coefficients[1]) as u8;
 
-        serialized[i] = (coefficient1 << 4) | coefficient0;
+            serialized[i] = (coefficient1 << 4) | coefficient0;
+        }
     }
-
-    serialized
+    ()
 }
+
 #[inline(always)]
-pub(crate) fn serialize<const OUTPUT_SIZE: usize>(
-    simd_unit: PortableSIMDUnit,
-) -> [u8; OUTPUT_SIZE] {
-    match OUTPUT_SIZE as u8 {
-        3 => serialize_when_eta_is_2::<OUTPUT_SIZE>(simd_unit),
-        4 => serialize_when_eta_is_4::<OUTPUT_SIZE>(simd_unit),
+pub(crate) fn serialize<const ETA: usize>(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) {
+    match ETA as u8 {
+        2 => serialize_when_eta_is_2(simd_unit, serialized),
+        4 => serialize_when_eta_is_4(simd_unit, serialized),
         _ => unreachable!(),
     }
 }
@@ -72,6 +67,7 @@ fn deserialize_when_eta_is_2(serialized: &[u8]) -> PortableSIMDUnit {
 
     simd_unit
 }
+
 #[inline(always)]
 fn deserialize_when_eta_is_4(serialized: &[u8]) -> PortableSIMDUnit {
     debug_assert!(serialized.len() == 4);
@@ -79,9 +75,11 @@ fn deserialize_when_eta_is_4(serialized: &[u8]) -> PortableSIMDUnit {
     let mut simd_unit = ZERO();
     const ETA: i32 = 4;
 
-    for (i, byte) in serialized.iter().enumerate() {
-        simd_unit.coefficients[2 * i] = ETA - ((byte & 0xF) as i32);
-        simd_unit.coefficients[2 * i + 1] = ETA - ((byte >> 4) as i32);
+    cloop! {
+        for (i, byte) in serialized.iter().enumerate() {
+            simd_unit.coefficients[2 * i] = ETA - ((byte & 0xF) as i32);
+            simd_unit.coefficients[2 * i + 1] = ETA - ((byte >> 4) as i32);
+        }
     }
 
     simd_unit
diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs
index 3dbb5f20a..5cb53f344 100644
--- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs
+++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs
@@ -1,73 +1,71 @@
+use crate::helper::cloop;
+
 use super::super::vector_type::{PortableSIMDUnit, ZERO};
-// This function is marked public since it is called in the corresponding AVX2 code.
+
 #[inline(always)]
-pub fn serialize_when_gamma1_is_2_pow_17<const OUTPUT_SIZE: usize>(
-    simd_unit: PortableSIMDUnit,
-) -> [u8; OUTPUT_SIZE] {
+fn serialize_when_gamma1_is_2_pow_17(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) {
     const GAMMA1: i32 = 1 << 17;
 
-    let mut serialized = [0u8; OUTPUT_SIZE];
+    cloop! {
+        for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() {
+            let coefficient0 = GAMMA1 - coefficients[0];
+            let coefficient1 = GAMMA1 - coefficients[1];
+            let coefficient2 = GAMMA1 - coefficients[2];
+            let coefficient3 = GAMMA1 - coefficients[3];
 
-    for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() {
-        let coefficient0 = GAMMA1 - coefficients[0];
-        let coefficient1 = GAMMA1 - coefficients[1];
-        let coefficient2 = GAMMA1 - coefficients[2];
-        let coefficient3 = GAMMA1 - coefficients[3];
+            serialized[9 * i] = coefficient0 as u8;
+            serialized[9 * i + 1] = (coefficient0 >> 8) as u8;
 
-        serialized[9 * i] = coefficient0 as u8;
-        serialized[9 * i + 1] = (coefficient0 >> 8) as u8;
+            serialized[9 * i + 2] = (coefficient0 >> 16) as u8;
+            serialized[9 * i + 2] |= (coefficient1 << 2) as u8;
 
-        serialized[9 * i + 2] = (coefficient0 >> 16) as u8;
-        serialized[9 * i + 2] |= (coefficient1 << 2) as u8;
+            serialized[9 * i + 3] = (coefficient1 >> 6) as u8;
 
-        serialized[9 * i + 3] = (coefficient1 >> 6) as u8;
+            serialized[9 * i + 4] = (coefficient1 >> 14) as u8;
+            serialized[9 * i + 4] |= (coefficient2 << 4) as u8;
 
-        serialized[9 * i + 4] = (coefficient1 >> 14) as u8;
-        serialized[9 * i + 4] |= (coefficient2 << 4) as u8;
+            serialized[9 * i + 5] = (coefficient2 >> 4) as u8;
 
-        serialized[9 * i + 5] = (coefficient2 >> 4) as u8;
+            serialized[9 * i + 6] = (coefficient2 >> 12) as u8;
+            serialized[9 * i + 6] |= (coefficient3 << 6) as u8;
 
-        serialized[9 * i + 6] = (coefficient2 >> 12) as u8;
-        serialized[9 * i + 6] |= (coefficient3 << 6) as u8;
-
-        serialized[9 * i + 7] = (coefficient3 >> 2) as u8;
-        serialized[9 * i + 8] = (coefficient3 >> 10) as u8;
+            serialized[9 * i + 7] = (coefficient3 >> 2) as u8;
+            serialized[9 * i + 8] = (coefficient3 >> 10) as u8;
+        }
     }
-
-    serialized
+    ()
 }
 
 #[inline(always)]
-fn serialize_when_gamma1_is_2_pow_19<const OUTPUT_SIZE: usize>(
-    simd_unit: PortableSIMDUnit,
-) -> [u8; OUTPUT_SIZE] {
+fn serialize_when_gamma1_is_2_pow_19(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) {
     const GAMMA1: i32 = 1 << 19;
 
-    let mut serialized = [0u8; OUTPUT_SIZE];
+    cloop! {
+        for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() {
+            let coefficient0 = GAMMA1 - coefficients[0];
+            let coefficient1 = GAMMA1 - coefficients[1];
 
-    for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() {
-        let coefficient0 = GAMMA1 - coefficients[0];
-        let coefficient1 = GAMMA1 - coefficients[1];
+            serialized[5 * i] = coefficient0 as u8;
+            serialized[5 * i + 1] = (coefficient0 >> 8) as u8;
 
-        serialized[5 * i] = coefficient0 as u8;
-        serialized[5 * i + 1] = (coefficient0 >> 8) as u8;
+            serialized[5 * i + 2] = (coefficient0 >> 16) as u8;
+            serialized[5 * i + 2] |= (coefficient1 << 4) as u8;
 
-        serialized[5 * i + 2] = (coefficient0 >> 16) as u8;
-        serialized[5 * i + 2] |= (coefficient1 << 4) as u8;
-
-        serialized[5 * i + 3] = (coefficient1 >> 4) as u8;
-        serialized[5 * i + 4] = (coefficient1 >> 12) as u8;
+            serialized[5 * i + 3] = (coefficient1 >> 4) as u8;
+            serialized[5 * i + 4] = (coefficient1 >> 12) as u8;
+        }
     }
-
-    serialized
+    ()
 }
+
 #[inline(always)]
-pub(crate) fn serialize<const OUTPUT_SIZE: usize>(
+pub(crate) fn serialize<const GAMMA1_EXPONENT: usize>(
     simd_unit: PortableSIMDUnit,
-) -> [u8; OUTPUT_SIZE] {
-    match OUTPUT_SIZE as u8 {
-        18 => serialize_when_gamma1_is_2_pow_17::<OUTPUT_SIZE>(simd_unit),
-        20 => serialize_when_gamma1_is_2_pow_19::<OUTPUT_SIZE>(simd_unit),
+    serialized: &mut [u8],
+) {
+    match GAMMA1_EXPONENT as u8 {
+        17 => serialize_when_gamma1_is_2_pow_17(simd_unit, serialized),
+        19 => serialize_when_gamma1_is_2_pow_19(simd_unit, serialized),
         _ => unreachable!(),
     }
 }
@@ -83,35 +81,38 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> PortableSIMDUnit {
 
     let mut simd_unit = ZERO();
 
-    for (i, bytes) in serialized.chunks_exact(9).enumerate() {
-        let mut coefficient0 = bytes[0] as i32;
-        coefficient0 |= (bytes[1] as i32) << 8;
-        coefficient0 |= (bytes[2] as i32) << 16;
-        coefficient0 &= GAMMA1_TIMES_2_BITMASK;
-
-        let mut coefficient1 = (bytes[2] as i32) >> 2;
-        coefficient1 |= (bytes[3] as i32) << 6;
-        coefficient1 |= (bytes[4] as i32) << 14;
-        coefficient1 &= GAMMA1_TIMES_2_BITMASK;
-
-        let mut coefficient2 = (bytes[4] as i32) >> 4;
-        coefficient2 |= (bytes[5] as i32) << 4;
-        coefficient2 |= (bytes[6] as i32) << 12;
-        coefficient2 &= GAMMA1_TIMES_2_BITMASK;
-
-        let mut coefficient3 = (bytes[6] as i32) >> 6;
-        coefficient3 |= (bytes[7] as i32) << 2;
-        coefficient3 |= (bytes[8] as i32) << 10;
-        coefficient3 &= GAMMA1_TIMES_2_BITMASK;
-
-        simd_unit.coefficients[4 * i] = GAMMA1 - coefficient0;
-        simd_unit.coefficients[4 * i + 1] = GAMMA1 - coefficient1;
-        simd_unit.coefficients[4 * i + 2] = GAMMA1 - coefficient2;
-        simd_unit.coefficients[4 * i + 3] = GAMMA1 - coefficient3;
+    cloop! {
+        for (i, bytes) in serialized.chunks_exact(9).enumerate() {
+            let mut coefficient0 = bytes[0] as i32;
+            coefficient0 |= (bytes[1] as i32) << 8;
+            coefficient0 |= (bytes[2] as i32) << 16;
+            coefficient0 &= GAMMA1_TIMES_2_BITMASK;
+
+            let mut coefficient1 = (bytes[2] as i32) >> 2;
+            coefficient1 |= (bytes[3] as i32) << 6;
+            coefficient1 |= (bytes[4] as i32) << 14;
+            coefficient1 &= GAMMA1_TIMES_2_BITMASK;
+
+            let mut coefficient2 = (bytes[4] as i32) >> 4;
+            coefficient2 |= (bytes[5] as i32) << 4;
+            coefficient2 |= (bytes[6] as i32) << 12;
+            coefficient2 &= GAMMA1_TIMES_2_BITMASK;
+
+            let mut coefficient3 = (bytes[6] as i32) >> 6;
+            coefficient3 |= (bytes[7] as i32) << 2;
+            coefficient3 |= (bytes[8] as i32) << 10;
+            coefficient3 &= GAMMA1_TIMES_2_BITMASK;
+
+            simd_unit.coefficients[4 * i] = GAMMA1 - coefficient0;
+            simd_unit.coefficients[4 * i + 1] = GAMMA1 - coefficient1;
+            simd_unit.coefficients[4 * i + 2] = GAMMA1 - coefficient2;
+            simd_unit.coefficients[4 * i + 3] = GAMMA1 - coefficient3;
+        }
     }
 
     simd_unit
 }
+
 #[inline(always)]
 fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit {
     // Each set of 5 bytes deserializes to 2 elements, and since each PortableSIMDUnit
@@ -123,18 +124,20 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit {
 
     let mut simd_unit = ZERO();
 
-    for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-        let mut coefficient0 = bytes[0] as i32;
-        coefficient0 |= (bytes[1] as i32) << 8;
-        coefficient0 |= (bytes[2] as i32) << 16;
-        coefficient0 &= GAMMA1_TIMES_2_BITMASK;
+    cloop! {
+        for (i, bytes) in serialized.chunks_exact(5).enumerate() {
+            let mut coefficient0 = bytes[0] as i32;
+            coefficient0 |= (bytes[1] as i32) << 8;
+            coefficient0 |= (bytes[2] as i32) << 16;
+            coefficient0 &= GAMMA1_TIMES_2_BITMASK;
 
-        let mut coefficient1 = (bytes[2] as i32) >> 4;
-        coefficient1 |= (bytes[3] as i32) << 4;
-        coefficient1 |= (bytes[4] as i32) << 12;
+            let mut coefficient1 = (bytes[2] as i32) >> 4;
+            coefficient1 |= (bytes[3] as i32) << 4;
+            coefficient1 |= (bytes[4] as i32) << 12;
 
-        simd_unit.coefficients[2 * i] = GAMMA1 - coefficient0;
-        simd_unit.coefficients[2 * i + 1] = GAMMA1 - coefficient1;
+            simd_unit.coefficients[2 * i] = GAMMA1 - coefficient0;
+            simd_unit.coefficients[2 * i + 1] = GAMMA1 - coefficient1;
+        }
     }
 
     simd_unit
diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs
index c0fc9de40..5e39a338c 100644
--- a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs
+++ b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs
@@ -1,4 +1,4 @@
-use crate::constants::BITS_IN_UPPER_PART_OF_T;
+use crate::{constants::BITS_IN_UPPER_PART_OF_T, helper::cloop};
 
 use super::super::vector_type::{PortableSIMDUnit, ZERO};
 
@@ -6,15 +6,17 @@ use super::super::vector_type::{PortableSIMDUnit, ZERO};
 pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] {
     let mut serialized = [0u8; 10];
 
-    for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() {
-        serialized[5 * i] = (coefficients[0] & 0xFF) as u8;
-        serialized[5 * i + 1] =
-            ((coefficients[1] & 0x3F) as u8) << 2 | ((coefficients[0] >> 8) & 0x03) as u8;
-        serialized[5 * i + 2] =
-            ((coefficients[2] & 0x0F) as u8) << 4 | ((coefficients[1] >> 6) & 0x0F) as u8;
-        serialized[5 * i + 3] =
-            ((coefficients[3] & 0x03) as u8) << 6 | ((coefficients[2] >> 4) & 0x3F) as u8;
-        serialized[5 * i + 4] = ((coefficients[3] >> 2) & 0xFF) as u8;
+    cloop! {
+        for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() {
+            serialized[5 * i] = (coefficients[0] & 0xFF) as u8;
+            serialized[5 * i + 1] =
+                ((coefficients[1] & 0x3F) as u8) << 2 | ((coefficients[0] >> 8) & 0x03) as u8;
+            serialized[5 * i + 2] =
+                ((coefficients[2] & 0x0F) as u8) << 4 | ((coefficients[1] >> 6) & 0x0F) as u8;
+            serialized[5 * i + 3] =
+                ((coefficients[3] & 0x03) as u8) << 6 | ((coefficients[2] >> 4) & 0x3F) as u8;
+            serialized[5 * i + 4] = ((coefficients[3] >> 2) & 0xFF) as u8;
+        }
     }
 
     serialized
@@ -27,17 +29,19 @@ pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit {
     let mut simd_unit = ZERO();
     let mask = (1 << BITS_IN_UPPER_PART_OF_T) - 1;
 
-    for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-        let byte0 = bytes[0] as i32;
-        let byte1 = bytes[1] as i32;
-        let byte2 = bytes[2] as i32;
-        let byte3 = bytes[3] as i32;
-        let byte4 = bytes[4] as i32;
-
-        simd_unit.coefficients[4 * i] = (byte0 | (byte1 << 8)) & mask;
-        simd_unit.coefficients[4 * i + 1] = ((byte1 >> 2) | (byte2 << 6)) & mask;
-        simd_unit.coefficients[4 * i + 2] = ((byte2 >> 4) | (byte3 << 4)) & mask;
-        simd_unit.coefficients[4 * i + 3] = ((byte3 >> 6) | (byte4 << 2)) & mask;
+    cloop! {
+        for (i, bytes) in serialized.chunks_exact(5).enumerate() {
+            let byte0 = bytes[0] as i32;
+            let byte1 = bytes[1] as i32;
+            let byte2 = bytes[2] as i32;
+            let byte3 = bytes[3] as i32;
+            let byte4 = bytes[4] as i32;
+
+            simd_unit.coefficients[4 * i] = (byte0 | (byte1 << 8)) & mask;
+            simd_unit.coefficients[4 * i + 1] = ((byte1 >> 2) | (byte2 << 6)) & mask;
+            simd_unit.coefficients[4 * i + 2] = ((byte2 >> 4) | (byte3 << 4)) & mask;
+            simd_unit.coefficients[4 * i + 3] = ((byte3 >> 6) | (byte4 << 2)) & mask;
+        }
     }
 
     simd_unit
diff --git a/libcrux-ml-dsa/src/simd/portable/sample.rs b/libcrux-ml-dsa/src/simd/portable/sample.rs
index 3f06380c5..8025024a5 100644
--- a/libcrux-ml-dsa/src/simd/portable/sample.rs
+++ b/libcrux-ml-dsa/src/simd/portable/sample.rs
@@ -1,19 +1,21 @@
-use crate::constants::FIELD_MODULUS;
+use crate::{constants::FIELD_MODULUS, helper::cloop};
 
 #[inline(always)]
 pub fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i32]) -> usize {
     let mut sampled = 0;
 
-    for bytes in randomness.chunks(3) {
-        let b0 = bytes[0] as i32;
-        let b1 = bytes[1] as i32;
-        let b2 = bytes[2] as i32;
+    cloop! {
+        for bytes in randomness.chunks_exact(3) {
+            let b0 = bytes[0] as i32;
+            let b1 = bytes[1] as i32;
+            let b2 = bytes[2] as i32;
 
-        let coefficient = ((b2 << 16) | (b1 << 8) | b0) & 0x00_7F_FF_FF;
+            let coefficient = ((b2 << 16) | (b1 << 8) | b0) & 0x00_7F_FF_FF;
 
-        if coefficient < FIELD_MODULUS {
-            out[sampled] = coefficient;
-            sampled += 1;
+            if coefficient < FIELD_MODULUS {
+                out[sampled] = coefficient;
+                sampled += 1;
+            }
         }
     }
 
@@ -24,28 +26,30 @@ pub fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i3
 pub fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32]) -> usize {
     let mut sampled = 0;
 
-    for byte in randomness {
-        let try_0 = byte & 0xF;
-        let try_1 = byte >> 4;
+    cloop! {
+        for byte in randomness.iter() {
+            let try_0 = byte & 0xF;
+            let try_1 = byte >> 4;
 
-        if try_0 < 15 {
-            let try_0 = try_0 as i32;
+            if try_0 < 15 {
+                let try_0 = try_0 as i32;
 
-            // (try_0 * 26) >> 7 computes ⌊try_0 / 5⌋
-            let try_0_mod_5 = try_0 - ((try_0 * 26) >> 7) * 5;
+                // (try_0 * 26) >> 7 computes ⌊try_0 / 5⌋
+                let try_0_mod_5 = try_0 - ((try_0 * 26) >> 7) * 5;
 
-            out[sampled] = 2 - try_0_mod_5;
+                out[sampled] = 2 - try_0_mod_5;
 
-            sampled += 1;
-        }
+                sampled += 1;
+            }
 
-        if try_1 < 15 {
-            let try_1 = try_1 as i32;
-            let try_1_mod_5 = try_1 - ((try_1 * 26) >> 7) * 5;
+            if try_1 < 15 {
+                let try_1 = try_1 as i32;
+                let try_1_mod_5 = try_1 - ((try_1 * 26) >> 7) * 5;
 
-            out[sampled] = 2 - try_1_mod_5;
+                out[sampled] = 2 - try_1_mod_5;
 
-            sampled += 1;
+                sampled += 1;
+            }
         }
     }
 
@@ -56,18 +60,20 @@ pub fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32
 pub fn rejection_sample_less_than_eta_equals_4(randomness: &[u8], out: &mut [i32]) -> usize {
     let mut sampled = 0;
 
-    for byte in randomness {
-        let try_0 = byte & 0xF;
-        let try_1 = byte >> 4;
+    cloop! {
+        for byte in randomness.iter() {
+            let try_0 = byte & 0xF;
+            let try_1 = byte >> 4;
 
-        if try_0 < 9 {
-            out[sampled] = 4 - (try_0 as i32);
-            sampled += 1;
-        }
+            if try_0 < 9 {
+                out[sampled] = 4 - (try_0 as i32);
+                sampled += 1;
+            }
 
-        if try_1 < 9 {
-            out[sampled] = 4 - (try_1 as i32);
-            sampled += 1;
+            if try_1 < 9 {
+                out[sampled] = 4 - (try_1 as i32);
+                sampled += 1;
+            }
         }
     }
 
diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs
index d851dab1a..30505cedb 100644
--- a/libcrux-ml-dsa/src/simd/traits.rs
+++ b/libcrux-ml-dsa/src/simd/traits.rs
@@ -53,14 +53,14 @@ pub(crate) trait Operations: Copy + Clone {
     // Encoding operations
 
     // Gamma1
-    fn gamma1_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE];
+    fn gamma1_serialize<const GAMMA1_EXPONENT: usize>(simd_unit: Self, serialized: &mut [u8]);
     fn gamma1_deserialize<const GAMMA1_EXPONENT: usize>(serialized: &[u8]) -> Self;
 
     // Commitment
-    fn commitment_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE];
+    fn commitment_serialize(simd_unit: Self, serialized: &mut [u8]);
 
     // Error
-    fn error_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE];
+    fn error_serialize<const ETA: usize>(simd_unit: Self, serialized: &mut [u8]);
     fn error_deserialize<const ETA: usize>(serialized: &[u8]) -> Self;
 
     // t0
diff --git a/libcrux-ml-dsa/src/types.rs b/libcrux-ml-dsa/src/types.rs
index 7b316e1d7..b31c9c7b8 100644
--- a/libcrux-ml-dsa/src/types.rs
+++ b/libcrux-ml-dsa/src/types.rs
@@ -66,15 +66,17 @@ pub struct MLDSAKeyPair<const VERIFICATION_KEY_SIZE: usize, const SIGNING_KEY_SI
     pub verification_key: MLDSAVerificationKey<VERIFICATION_KEY_SIZE>,
 }
 
-#[derive(Debug)]
+#[cfg_attr(not(eurydice), derive(Debug))]
 pub enum VerificationError {
     MalformedHintError,
     SignerResponseExceedsBoundError,
     CommitmentHashesDontMatchError,
-    ContextTooLongError,
+    // FIXME: Eurydice can't handle enum variants with the same name
+    // https://github.com/AeneasVerif/eurydice/issues/102
+    VerificationContextTooLongError,
 }
 
-#[derive(Debug)]
+#[cfg_attr(not(eurydice), derive(Debug))]
 pub enum SigningError {
     RejectionSamplingError,
     ContextTooLongError,
diff --git a/libcrux-ml-kem/Cargo.toml b/libcrux-ml-kem/Cargo.toml
index 3c230e0e8..f35410e77 100644
--- a/libcrux-ml-kem/Cargo.toml
+++ b/libcrux-ml-kem/Cargo.toml
@@ -26,10 +26,6 @@ rand = { version = "0.8", optional = true }
 libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" }
 libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" }
 libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" }
-
-# This is only required for verification.
-# The hax config is set by the hax toolchain.
-[target.'cfg(hax)'.dependencies]
 hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }
 
 [features]
@@ -50,9 +46,6 @@ mlkem1024 = []
 # Enable Round 3 Kyber in addition to ML-KEM
 kyber = []
 
-# Code that is not yet verified
-pre-verification = []
-
 # APIs that sample their own randomness
 rand = ["dep:rand"]
 
@@ -83,7 +76,7 @@ name = "keygen"
 required-features = ["mlkem768"]
 
 [package.metadata."docs.rs"]
-features = ["pre-verification", "kyber"]
+features = ["kyber"]
 rustdoc-args = ["--cfg", "doc_cfg"]
 
 [lints.rust]
diff --git a/libcrux-ml-kem/README.md b/libcrux-ml-kem/README.md
index ffb704662..56cdfc51c 100644
--- a/libcrux-ml-kem/README.md
+++ b/libcrux-ml-kem/README.md
@@ -52,14 +52,14 @@ By default, all ML-KEM parameter sets are enabled. If required, they are
 available individually under feature flags `mlkem512`, `mlkem768`,
 `mlkem1024`.
 
-In addition to the verified implementations of the ML-KEM variants, the
-feature flag `pre-verification` gives access to, as yet, unverified
-implementations of ML-KEM that are optimized for SIMD instruction sets.
+The implementation is optimized for the AVX2 and NEON SIMD instruction sets.
+
+Note that the NEON implementation is not yet fully verified.
 
 ### Kyber Round 3
 
-The `kyber` flag (in combination with `pre-verification`) also gives access
+The `kyber` flag also gives access
 to an, as yet, unverified implementation of Kyber as submitted in Round 3 of
 the NIST PQ competition.
 
-[verified]: https://img.shields.io/badge/verified-brightgreen.svg?style=for-the-badge&logo=data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48IS0tIFVwbG9hZGVkIHRvOiBTVkcgUmVwbywgd3d3LnN2Z3JlcG8uY29tLCBHZW5lcmF0b3I6IFNWRyBSZXBvIE1peGVyIFRvb2xzIC0tPg0KPHN2ZyB3aWR0aD0iODAwcHgiIGhlaWdodD0iODAwcHgiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4NCjxwYXRoIGQ9Ik05IDEyTDExIDE0TDE1IDkuOTk5OTlNMjAgMTJDMjAgMTYuNDYxMSAxNC41NCAxOS42OTM3IDEyLjY0MTQgMjAuNjgzQzEyLjQzNjEgMjAuNzkgMTIuMzMzNCAyMC44NDM1IDEyLjE5MSAyMC44NzEyQzEyLjA4IDIwLjg5MjggMTEuOTIgMjAuODkyOCAxMS44MDkgMjAuODcxMkMxMS42NjY2IDIwLjg0MzUgMTEuNTYzOSAyMC43OSAxMS4zNTg2IDIwLjY4M0M5LjQ1OTk2IDE5LjY5MzcgNCAxNi40NjExIDQgMTJWOC4yMTc1OUM0IDcuNDE4MDggNCA3LjAxODMzIDQuMTMwNzYgNi42NzQ3QzQuMjQ2MjcgNi4zNzExMyA0LjQzMzk4IDYuMTAwMjcgNC42Nzc2NiA1Ljg4NTUyQzQuOTUzNSA1LjY0MjQzIDUuMzI3OCA1LjUwMjA3IDYuMDc2NCA1LjIyMTM0TDExLjQzODIgMy4yMTA2N0MxMS42NDYxIDMuMTMyNzEgMTEuNzUgMy4wOTM3MyAxMS44NTcgMy4wNzgyN0MxMS45NTE4IDMuMDY0NTcgMTIuMDQ4MiAzLjA2NDU3IDEyLjE0MyAzLjA3ODI3QzEyLjI1IDMuMDkzNzMgMTIuMzUzOSAzLjEzMjcxIDEyLjU2MTggMy4yMTA2N0wxNy45MjM2IDUuMjIxMzRDMTguNjcyMiA1LjUwMjA3IDE5LjA0NjUgNS42NDI0MyAxOS4zMjIzIDUuODg1NTJDMTkuNTY2IDYuMTAwMjcgMTkuNzUzNyA2LjM3MTEzIDE5Ljg2OTIgNi42NzQ3QzIwIDcuMDE4MzMgMjAgNy40MTgwOCAyMCA4LjIxNzU5VjEyWiIgc3Ryb2tlPSIjMDAwMDAwIiBzdHJva2Utd2lkdGg9IjIiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIgc3Ryb2tlLWxpbmVqb2luPSJyb3VuZCIvPg0KPC9zdmc+
\ No newline at end of file
+[verified]: https://img.shields.io/badge/verified-brightgreen.svg?style=for-the-badge&logo=data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48IS0tIFVwbG9hZGVkIHRvOiBTVkcgUmVwbywgd3d3LnN2Z3JlcG8uY29tLCBHZW5lcmF0b3I6IFNWRyBSZXBvIE1peGVyIFRvb2xzIC0tPg0KPHN2ZyB3aWR0aD0iODAwcHgiIGhlaWdodD0iODAwcHgiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4NCjxwYXRoIGQ9Ik05IDEyTDExIDE0TDE1IDkuOTk5OTlNMjAgMTJDMjAgMTYuNDYxMSAxNC41NCAxOS42OTM3IDEyLjY0MTQgMjAuNjgzQzEyLjQzNjEgMjAuNzkgMTIuMzMzNCAyMC44NDM1IDEyLjE5MSAyMC44NzEyQzEyLjA4IDIwLjg5MjggMTEuOTIgMjAuODkyOCAxMS44MDkgMjAuODcxMkMxMS42NjY2IDIwLjg0MzUgMTEuNTYzOSAyMC43OSAxMS4zNTg2IDIwLjY4M0M5LjQ1OTk2IDE5LjY5MzcgNCAxNi40NjExIDQgMTJWOC4yMTc1OUM0IDcuNDE4MDggNCA3LjAxODMzIDQuMTMwNzYgNi42NzQ3QzQuMjQ2MjcgNi4zNzExMyA0LjQzMzk4IDYuMTAwMjcgNC42Nzc2NiA1Ljg4NTUyQzQuOTUzNSA1LjY0MjQzIDUuMzI3OCA1LjUwMjA3IDYuMDc2NCA1LjIyMTM0TDExLjQzODIgMy4yMTA2N0MxMS42NDYxIDMuMTMyNzEgMTEuNzUgMy4wOTM3MyAxMS44NTcgMy4wNzgyN0MxMS45NTE4IDMuMDY0NTcgMTIuMDQ4MiAzLjA2NDU3IDEyLjE0MyAzLjA3ODI3QzEyLjI1IDMuMDkzNzMgMTIuMzUzOSAzLjEzMjcxIDEyLjU2MTggMy4yMTA2N0wxNy45MjM2IDUuMjIxMzRDMTguNjcyMiA1LjUwMjA3IDE5LjA0NjUgNS42NDI0MyAxOS4zMjIzIDUuODg1NTJDMTkuNTY2IDYuMTAwMjcgMTkuNzUzNyA2LjM3MTEzIDE5Ljg2OTIgNi42NzQ3QzIwIDcuMDE4MzMgMjAgNy40MTgwOCAyMCA4LjIxNzU5VjEyWiIgc3Ryb2tlPSIjMDAwMDAwIiBzdHJva2Utd2lkdGg9IjIiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIgc3Ryb2tlLWxpbmVqb2luPSJyb3VuZCIvPg0KPC9zdmc+
diff --git a/libcrux-ml-kem/benches/ml-kem.rs b/libcrux-ml-kem/benches/ml-kem.rs
index 328f67f1c..7b86aff81 100644
--- a/libcrux-ml-kem/benches/ml-kem.rs
+++ b/libcrux-ml-kem/benches/ml-kem.rs
@@ -12,23 +12,18 @@ macro_rules! init {
         group.measurement_time(Duration::from_secs(10));
 
         use $version as version;
-        #[cfg(feature = "pre-verification")]
-        {
-            fun!("portable", version::portable, group);
-            fun_unpacked!("portable", version::portable::unpacked, group);
-        }
-        #[cfg(all(feature = "simd128", feature = "pre-verification"))]
+        fun!("portable", version::portable, group);
+        fun_unpacked!("portable", version::portable::unpacked, group);
+        #[cfg(feature = "simd128")]
         {
             fun!("neon", version::neon, group);
             fun_unpacked!("neon", version::neon::unpacked, group);
         }
-        #[cfg(all(feature = "simd256", feature = "pre-verification"))]
+        #[cfg(feature = "simd256")]
         {
             fun!("avx2", version::avx2, group);
             fun_unpacked!("avx2", version::avx2::unpacked, group);
         }
-        #[cfg(not(feature = "pre-verification"))]
-        fun!("verified", version, group);
     }};
 }
 
diff --git a/libcrux-ml-kem/c.sh b/libcrux-ml-kem/c.sh
index 142ece36a..822e252d8 100755
--- a/libcrux-ml-kem/c.sh
+++ b/libcrux-ml-kem/c.sh
@@ -23,7 +23,7 @@ clean=0
 config=c.yaml
 out=c
 glue=$EURYDICE_HOME/include/eurydice_glue.h
-features="--cargo-arg=--features=pre-verification"
+features=""
 eurydice_glue=1
 karamel_include=1
 unrolling=16
diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt
index 96556d5be..f79583aac 100644
--- a/libcrux-ml-kem/c/code_gen.txt
+++ b/libcrux-ml-kem/c/code_gen.txt
@@ -1,6 +1,6 @@
 This code was generated with the following revisions:
 Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
-Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
 Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
-F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
-Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+Libcrux: da72c141597b1db012f3bc23a96330f6de112770
diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h
index c5f48a4ce..12e124ead 100644
--- a/libcrux-ml-kem/c/internal/libcrux_core.h
+++ b/libcrux-ml-kem/c/internal/libcrux_core.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __internal_libcrux_core_H
@@ -60,117 +60,105 @@ typedef struct libcrux_ml_kem_utils_extraction_helper_Keypair768_s {
   uint8_t snd[1184U];
 } libcrux_ml_kem_utils_extraction_helper_Keypair768;
 
-/**
- Create a new [`MlKemKeyPair`] from the secret and public key.
-*/
 /**
 This function found in impl
-{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>}
+{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>#21}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_17
+A monomorphic instance of libcrux_ml_kem.types.from_3a
 with const generics
 - PRIVATE_KEY_SIZE= 3168
 - PUBLIC_KEY_SIZE= 1568
 */
-libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_17_94(
+libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_3a_94(
     libcrux_ml_kem_types_MlKemPrivateKey_83 sk,
     libcrux_ml_kem_types_MlKemPublicKey_64 pk);
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#10}
+libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#12}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_88
+A monomorphic instance of libcrux_ml_kem.types.from_9a
 with const generics
 - SIZE= 3168
 */
-libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_88_39(
+libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_9a_39(
     uint8_t value[3168U]);
 
-/**
- Create a new [`MlKemKeyPair`] from the secret and public key.
-*/
 /**
 This function found in impl
-{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>}
+{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>#21}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_17
+A monomorphic instance of libcrux_ml_kem.types.from_3a
 with const generics
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
 */
-libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_17_74(
+libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_3a_74(
     libcrux_ml_kem_types_MlKemPrivateKey_d9 sk,
     libcrux_ml_kem_types_MlKemPublicKey_30 pk);
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#10}
+libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#12}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_88
+A monomorphic instance of libcrux_ml_kem.types.from_9a
 with const generics
 - SIZE= 2400
 */
-libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_88_28(
+libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_9a_28(
     uint8_t value[2400U]);
 
-/**
- Create a new [`MlKemKeyPair`] from the secret and public key.
-*/
 /**
 This function found in impl
-{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>}
+{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>#21}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_17
+A monomorphic instance of libcrux_ml_kem.types.from_3a
 with const generics
 - PRIVATE_KEY_SIZE= 1632
 - PUBLIC_KEY_SIZE= 800
 */
-libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_17_fa(
+libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_3a_fa(
     libcrux_ml_kem_types_MlKemPrivateKey_fa sk,
     libcrux_ml_kem_types_MlKemPublicKey_52 pk);
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#10}
+libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#12}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_88
+A monomorphic instance of libcrux_ml_kem.types.from_9a
 with const generics
 - SIZE= 1632
 */
-libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_88_2a(
+libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_9a_2a(
     uint8_t value[1632U]);
 
 /**
- A reference to the raw byte slice.
+This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#20}
 */
 /**
-This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#21}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.types.as_slice_ba
+A monomorphic instance of libcrux_ml_kem.types.as_slice_fd
 with const generics
 - SIZE= 1184
 */
-uint8_t *libcrux_ml_kem_types_as_slice_ba_d0(
+uint8_t *libcrux_ml_kem_types_as_slice_fd_d0(
     libcrux_ml_kem_types_MlKemPublicKey_30 *self);
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#17}
+libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#19}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_40
+A monomorphic instance of libcrux_ml_kem.types.from_5f
 with const generics
 - SIZE= 1184
 */
-libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_types_from_40_d0(
+libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_types_from_5f_d0(
     uint8_t value[1184U]);
 
 typedef struct Eurydice_slice_uint8_t_x4_s {
@@ -196,26 +184,34 @@ Eurydice_slice_uint8_t_x4 libcrux_ml_kem_types_unpack_private_key_b4(
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#3}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#5}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_fc
+A monomorphic instance of libcrux_ml_kem.types.from_00
 with const generics
 - SIZE= 1088
 */
-libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_fc_80(
+libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_00_80(
     uint8_t value[1088U]);
 
+/**
+A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc
+with const generics
+- K= 3
+*/
+uint8_t libcrux_ml_kem_utils_prf_input_inc_e0(uint8_t (*prf_inputs)[33U],
+                                              uint8_t domain_separator);
+
 /**
 This function found in impl {(core::convert::AsRef<@Slice<u8>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#2}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#4}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.as_ref_fd
+A monomorphic instance of libcrux_ml_kem.types.as_ref_43
 with const generics
 - SIZE= 1088
 */
-Eurydice_slice libcrux_ml_kem_types_as_ref_fd_80(
+Eurydice_slice libcrux_ml_kem_types_as_ref_43_80(
     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self);
 
 /**
@@ -230,29 +226,26 @@ void libcrux_ml_kem_utils_into_padded_array_15(Eurydice_slice slice,
                                                uint8_t ret[1120U]);
 
 /**
- A reference to the raw byte slice.
+This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#20}
 */
 /**
-This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#21}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.types.as_slice_ba
+A monomorphic instance of libcrux_ml_kem.types.as_slice_fd
 with const generics
 - SIZE= 800
 */
-uint8_t *libcrux_ml_kem_types_as_slice_ba_4d(
+uint8_t *libcrux_ml_kem_types_as_slice_fd_4d(
     libcrux_ml_kem_types_MlKemPublicKey_52 *self);
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#17}
+libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#19}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_40
+A monomorphic instance of libcrux_ml_kem.types.from_5f
 with const generics
 - SIZE= 800
 */
-libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_types_from_40_4d(
+libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_types_from_5f_4d(
     uint8_t value[800U]);
 
 /**
@@ -271,26 +264,34 @@ Eurydice_slice_uint8_t_x4 libcrux_ml_kem_types_unpack_private_key_0c(
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#3}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#5}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_fc
+A monomorphic instance of libcrux_ml_kem.types.from_00
 with const generics
 - SIZE= 768
 */
-libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_fc_d0(
+libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_00_d0(
     uint8_t value[768U]);
 
+/**
+A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc
+with const generics
+- K= 2
+*/
+uint8_t libcrux_ml_kem_utils_prf_input_inc_fd(uint8_t (*prf_inputs)[33U],
+                                              uint8_t domain_separator);
+
 /**
 This function found in impl {(core::convert::AsRef<@Slice<u8>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#2}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#4}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.as_ref_fd
+A monomorphic instance of libcrux_ml_kem.types.as_ref_43
 with const generics
 - SIZE= 768
 */
-Eurydice_slice libcrux_ml_kem_types_as_ref_fd_d0(
+Eurydice_slice libcrux_ml_kem_types_as_ref_43_d0(
     libcrux_ml_kem_types_MlKemCiphertext_1a *self);
 
 /**
@@ -305,29 +306,26 @@ void libcrux_ml_kem_utils_into_padded_array_4d(Eurydice_slice slice,
                                                uint8_t ret[800U]);
 
 /**
- A reference to the raw byte slice.
+This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#20}
 */
 /**
-This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#21}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.types.as_slice_ba
+A monomorphic instance of libcrux_ml_kem.types.as_slice_fd
 with const generics
 - SIZE= 1568
 */
-uint8_t *libcrux_ml_kem_types_as_slice_ba_af(
+uint8_t *libcrux_ml_kem_types_as_slice_fd_af(
     libcrux_ml_kem_types_MlKemPublicKey_64 *self);
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#17}
+libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#19}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_40
+A monomorphic instance of libcrux_ml_kem.types.from_5f
 with const generics
 - SIZE= 1568
 */
-libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_types_from_40_af(
+libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_types_from_5f_af(
     uint8_t value[1568U]);
 
 /**
@@ -381,16 +379,24 @@ void libcrux_ml_kem_utils_into_padded_array_b6(Eurydice_slice slice,
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#3}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#5}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_fc
+A monomorphic instance of libcrux_ml_kem.types.from_00
 with const generics
 - SIZE= 1568
 */
-libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_fc_af(
+libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_00_af(
     uint8_t value[1568U]);
 
+/**
+A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc
+with const generics
+- K= 4
+*/
+uint8_t libcrux_ml_kem_utils_prf_input_inc_ac(uint8_t (*prf_inputs)[33U],
+                                              uint8_t domain_separator);
+
 /**
  Pad the `slice` with `0`s at the end.
 */
@@ -404,14 +410,14 @@ void libcrux_ml_kem_utils_into_padded_array_c8(Eurydice_slice slice,
 
 /**
 This function found in impl {(core::convert::AsRef<@Slice<u8>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#2}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#4}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.as_ref_fd
+A monomorphic instance of libcrux_ml_kem.types.as_ref_43
 with const generics
 - SIZE= 1568
 */
-Eurydice_slice libcrux_ml_kem_types_as_ref_fd_af(
+Eurydice_slice libcrux_ml_kem_types_as_ref_43_af(
     libcrux_ml_kem_types_MlKemCiphertext_64 *self);
 
 /**
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
index 01108cafb..db1273acd 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __internal_libcrux_mlkem_avx2_H
@@ -101,7 +101,7 @@ with const generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -121,7 +121,7 @@ with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -131,6 +131,9 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_701(
     libcrux_ml_kem_types_MlKemPublicKey_30 *public_key,
     uint8_t randomness[32U]);
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -225,7 +228,7 @@ with const generics
 - CPA_PRIVATE_KEY_SIZE= 1536
 - PRIVATE_KEY_SIZE= 3168
 - PUBLIC_KEY_SIZE= 1568
-- BYTES_PER_RING_ELEMENT= 1536
+- RANKED_BYTES_PER_RING_ELEMENT= 1536
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -245,7 +248,7 @@ with const generics
 - C2_SIZE= 160
 - VECTOR_U_COMPRESSION_FACTOR= 11
 - VECTOR_V_COMPRESSION_FACTOR= 5
-- VECTOR_U_BLOCK_LEN= 352
+- C1_BLOCK_SIZE= 352
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -255,6 +258,9 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_700(
     libcrux_ml_kem_types_MlKemPublicKey_64 *public_key,
     uint8_t randomness[32U]);
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -349,7 +355,7 @@ with const generics
 - CPA_PRIVATE_KEY_SIZE= 768
 - PRIVATE_KEY_SIZE= 1632
 - PUBLIC_KEY_SIZE= 800
-- BYTES_PER_RING_ELEMENT= 768
+- RANKED_BYTES_PER_RING_ELEMENT= 768
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 */
@@ -369,7 +375,7 @@ with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 - ETA2= 2
@@ -379,6 +385,9 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_70(
     libcrux_ml_kem_types_MlKemPublicKey_52 *public_key,
     uint8_t randomness[32U]);
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
index aca6e52eb..4eb95b685 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __internal_libcrux_mlkem_portable_H
@@ -23,7 +23,7 @@ extern "C" {
 #include "internal/libcrux_core.h"
 #include "internal/libcrux_sha3_internal.h"
 
-extern const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U];
+int16_t libcrux_ml_kem_polynomial_zeta(size_t i);
 
 #define LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT  \
   (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \
@@ -106,7 +106,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - CPA_PRIVATE_KEY_SIZE= 1536
 - PRIVATE_KEY_SIZE= 3168
 - PUBLIC_KEY_SIZE= 1568
-- BYTES_PER_RING_ELEMENT= 1536
+- RANKED_BYTES_PER_RING_ELEMENT= 1536
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -126,7 +126,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - C2_SIZE= 160
 - VECTOR_U_COMPRESSION_FACTOR= 11
 - VECTOR_V_COMPRESSION_FACTOR= 5
-- VECTOR_U_BLOCK_LEN= 352
+- C1_BLOCK_SIZE= 352
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -136,6 +136,9 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca1(
     libcrux_ml_kem_types_MlKemPublicKey_64 *public_key,
     uint8_t randomness[32U]);
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -230,7 +233,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - CPA_PRIVATE_KEY_SIZE= 768
 - PRIVATE_KEY_SIZE= 1632
 - PUBLIC_KEY_SIZE= 800
-- BYTES_PER_RING_ELEMENT= 768
+- RANKED_BYTES_PER_RING_ELEMENT= 768
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 */
@@ -250,7 +253,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 - ETA2= 2
@@ -260,6 +263,9 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_ca0(
     libcrux_ml_kem_types_MlKemPublicKey_52 *public_key,
     uint8_t randomness[32U]);
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -354,7 +360,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -374,7 +380,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -384,6 +390,9 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca(
     libcrux_ml_kem_types_MlKemPublicKey_30 *public_key,
     uint8_t randomness[32U]);
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
index fb158f1b4..a8e016886 100644
--- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __internal_libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
index ca072118b..29d383df5 100644
--- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __internal_libcrux_sha3_internal_H
@@ -42,16 +42,6 @@ libcrux_sha3_portable_incremental_shake128_absorb_final(
   libcrux_sha3_generic_keccak_absorb_final_9e(s, buf);
 }
 
-/**
- Squeeze another block
-*/
-static KRML_MUSTINLINE void
-libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
-    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
-  Eurydice_slice buf[1U] = {out0};
-  libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, buf);
-}
-
 /**
 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_three_blocks
 with types uint64_t
@@ -89,6 +79,16 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
   libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(s, buf);
 }
 
+/**
+ Squeeze another block
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
+  Eurydice_slice buf[1U] = {out0};
+  libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, buf);
+}
+
 #define libcrux_sha3_Sha224 0
 #define libcrux_sha3_Sha256 1
 #define libcrux_sha3_Sha384 2
@@ -245,7 +245,7 @@ typedef struct libcrux_sha3_generic_keccak_KeccakXofState_e2_s {
 } libcrux_sha3_generic_keccak_KeccakXofState_e2;
 
 typedef libcrux_sha3_generic_keccak_KeccakXofState_e2
-    libcrux_sha3_portable_incremental_Shake256Absorb;
+    libcrux_sha3_portable_incremental_Shake256Xof;
 
 /**
  Consume the internal buffer and the required amount of the input to pad to
@@ -401,19 +401,15 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c6(
  Shake256 absorb
 */
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for
-libcrux_sha3::portable::incremental::Shake256Absorb)#2}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
 */
-static inline void libcrux_sha3_portable_incremental_absorb_7d(
+static inline void libcrux_sha3_portable_incremental_absorb_68(
     libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) {
   Eurydice_slice buf[1U] = {input};
   libcrux_sha3_generic_keccak_absorb_8b_c6(self, buf);
 }
 
-typedef libcrux_sha3_generic_keccak_KeccakXofState_e2
-    libcrux_sha3_portable_incremental_Shake256Squeeze;
-
 /**
  Absorb a final block.
 
@@ -479,16 +475,13 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e(
  Shake256 absorb final
 */
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for
-libcrux_sha3::portable::incremental::Shake256Absorb)#2}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
 */
-static inline libcrux_sha3_generic_keccak_KeccakXofState_e2
-libcrux_sha3_portable_incremental_absorb_final_7d(
-    libcrux_sha3_generic_keccak_KeccakXofState_e2 self, Eurydice_slice input) {
+static inline void libcrux_sha3_portable_incremental_absorb_final_68(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) {
   Eurydice_slice buf[1U] = {input};
-  libcrux_sha3_generic_keccak_absorb_final_8b_9e(&self, buf);
-  return self;
+  libcrux_sha3_generic_keccak_absorb_final_8b_9e(self, buf);
 }
 
 /**
@@ -675,15 +668,132 @@ libcrux_sha3_generic_keccak_new_8b_c6(void) {
  Shake256 new state
 */
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for
-libcrux_sha3::portable::incremental::Shake256Absorb)#2}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
 */
 static inline libcrux_sha3_generic_keccak_KeccakXofState_e2
-libcrux_sha3_portable_incremental_new_7d(void) {
+libcrux_sha3_portable_incremental_new_68(void) {
   return libcrux_sha3_generic_keccak_new_8b_c6();
 }
 
+/**
+ `out` has the exact size we want here. It must be less than or equal to `RATE`.
+*/
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_5a
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b(
+    uint64_t (*state)[5U], Eurydice_slice out[1U]) {
+  size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U;
+  size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U;
+  for (size_t i = (size_t)0U; i < num_full_blocks; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
+  }
+  if (last_block_len != (size_t)0U) {
+    Eurydice_slice uu____1 = Eurydice_slice_subslice2(
+        out[0U], num_full_blocks * (size_t)8U,
+        num_full_blocks * (size_t)8U + last_block_len, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(
+        state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____1,
+        Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t),
+        uint8_t);
+  }
+}
+
+/**
+ Squeeze `N` x `LEN` bytes.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self,
+    Eurydice_slice out[1U]) {
+  if (self->sponge) {
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+  }
+  size_t out_len = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = out_len / (size_t)136U;
+  size_t last = out_len - out_len % (size_t)136U;
+  size_t mid;
+  if ((size_t)136U >= out_len) {
+    mid = out_len;
+  } else {
+    mid = (size_t)136U;
+  }
+  Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid);
+  Eurydice_slice out00[1U];
+  memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice out_rest[1U];
+  memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00);
+  core_ops_range_Range_08 iter =
+      core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+          (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                             .end = blocks}),
+          core_ops_range_Range_08, core_ops_range_Range_08);
+  while (true) {
+    if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+            &iter, size_t, core_option_Option_08)
+            .tag == core_option_None) {
+      break;
+    } else {
+      Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
+          libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest,
+                                                         (size_t)136U);
+      Eurydice_slice out0[1U];
+      memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
+      Eurydice_slice tmp[1U];
+      memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
+      libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+      libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0);
+      memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice));
+    }
+  }
+  if (last < out_len) {
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+    libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest);
+  }
+  self->sponge = true;
+}
+
+/**
+ Shake256 squeeze
+*/
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
+*/
+static inline void libcrux_sha3_portable_incremental_squeeze_68(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) {
+  Eurydice_slice buf[1U] = {out};
+  libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf);
+}
+
 /**
 A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState
 with types uint64_t
@@ -699,7 +809,7 @@ typedef struct libcrux_sha3_generic_keccak_KeccakXofState_97_s {
 } libcrux_sha3_generic_keccak_KeccakXofState_97;
 
 typedef libcrux_sha3_generic_keccak_KeccakXofState_97
-    libcrux_sha3_portable_incremental_Shake128Absorb;
+    libcrux_sha3_portable_incremental_Shake128Xof;
 
 /**
  Consume the internal buffer and the required amount of the input to pad to
@@ -852,19 +962,15 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c60(
 }
 
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for
-libcrux_sha3::portable::incremental::Shake128Absorb)}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
 */
-static inline void libcrux_sha3_portable_incremental_absorb_1c(
+static inline void libcrux_sha3_portable_incremental_absorb_2f(
     libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) {
   Eurydice_slice buf[1U] = {input};
   libcrux_sha3_generic_keccak_absorb_8b_c60(self, buf);
 }
 
-typedef libcrux_sha3_generic_keccak_KeccakXofState_97
-    libcrux_sha3_portable_incremental_Shake128Squeeze;
-
 /**
  Absorb a final block.
 
@@ -927,16 +1033,13 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e0(
 }
 
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for
-libcrux_sha3::portable::incremental::Shake128Absorb)}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
 */
-static inline libcrux_sha3_generic_keccak_KeccakXofState_97
-libcrux_sha3_portable_incremental_absorb_final_1c(
-    libcrux_sha3_generic_keccak_KeccakXofState_97 self, Eurydice_slice input) {
+static inline void libcrux_sha3_portable_incremental_absorb_final_2f(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) {
   Eurydice_slice buf[1U] = {input};
-  libcrux_sha3_generic_keccak_absorb_final_8b_9e0(&self, buf);
-  return self;
+  libcrux_sha3_generic_keccak_absorb_final_8b_9e0(self, buf);
 }
 
 /**
@@ -1152,134 +1255,14 @@ libcrux_sha3_generic_keccak_new_8b_c60(void) {
 }
 
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for
-libcrux_sha3::portable::incremental::Shake128Absorb)}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
 */
 static inline libcrux_sha3_generic_keccak_KeccakXofState_97
-libcrux_sha3_portable_incremental_new_1c(void) {
+libcrux_sha3_portable_incremental_new_2f(void) {
   return libcrux_sha3_generic_keccak_new_8b_c60();
 }
 
-/**
- `out` has the exact size we want here. It must be less than or equal to `RATE`.
-*/
-/**
-This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
-usize> for u64)}
-*/
-/**
-A monomorphic instance of libcrux_sha3.portable_keccak.store_5a
-with const generics
-- RATE= 136
-*/
-static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b(
-    uint64_t (*state)[5U], Eurydice_slice out[1U]) {
-  size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U;
-  size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U;
-  for (size_t i = (size_t)0U; i < num_full_blocks; i++) {
-    size_t i0 = i;
-    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
-        out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
-    uint8_t ret[8U];
-    core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret);
-    Eurydice_slice_copy(
-        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
-  }
-  if (last_block_len != (size_t)0U) {
-    Eurydice_slice uu____1 = Eurydice_slice_subslice2(
-        out[0U], num_full_blocks * (size_t)8U,
-        num_full_blocks * (size_t)8U + last_block_len, uint8_t);
-    uint8_t ret[8U];
-    core_num__u64_9__to_le_bytes(
-        state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret);
-    Eurydice_slice_copy(
-        uu____1,
-        Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t),
-        uint8_t);
-  }
-}
-
-/**
- Squeeze `N` x `LEN` bytes.
-*/
-/**
-This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
-PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b
-with types uint64_t
-with const generics
-- PARALLEL_LANES= 1
-- RATE= 136
-*/
-static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6(
-    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self,
-    Eurydice_slice out[1U]) {
-  if (self->sponge) {
-    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
-  }
-  size_t out_len = Eurydice_slice_len(out[0U], uint8_t);
-  size_t blocks = out_len / (size_t)136U;
-  size_t last = out_len - out_len % (size_t)136U;
-  size_t mid;
-  if ((size_t)136U >= out_len) {
-    mid = out_len;
-  } else {
-    mid = (size_t)136U;
-  }
-  Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
-      libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid);
-  Eurydice_slice out00[1U];
-  memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
-  Eurydice_slice out_rest[1U];
-  memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
-  libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00);
-  core_ops_range_Range_08 iter =
-      core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
-          (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
-                                             .end = blocks}),
-          core_ops_range_Range_08, core_ops_range_Range_08);
-  while (true) {
-    if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
-            &iter, size_t, core_option_Option_08)
-            .tag == core_option_None) {
-      break;
-    } else {
-      Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
-          libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest,
-                                                         (size_t)136U);
-      Eurydice_slice out0[1U];
-      memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
-      Eurydice_slice tmp[1U];
-      memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
-      libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
-      libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0);
-      memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice));
-    }
-  }
-  if (last < out_len) {
-    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
-    libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest);
-  }
-  self->sponge = true;
-}
-
-/**
- Shake256 squeeze
-*/
-/**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofSqueeze<136: usize> for
-libcrux_sha3::portable::incremental::Shake256Squeeze)#3}
-*/
-static inline void libcrux_sha3_portable_incremental_squeeze_8a(
-    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) {
-  Eurydice_slice buf[1U] = {out};
-  libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf);
-}
-
 /**
  `out` has the exact size we want here. It must be less than or equal to `RATE`.
 */
@@ -1389,11 +1372,10 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c60(
  Shake128 squeeze
 */
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofSqueeze<168: usize> for
-libcrux_sha3::portable::incremental::Shake128Squeeze)#1}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
 */
-static inline void libcrux_sha3_portable_incremental_squeeze_10(
+static inline void libcrux_sha3_portable_incremental_squeeze_2f(
     libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};
   libcrux_sha3_generic_keccak_squeeze_8b_c60(self, buf);
diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c
index 76677a85b..8d36883e4 100644
--- a/libcrux-ml-kem/c/libcrux_core.c
+++ b/libcrux-ml-kem/c/libcrux_core.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "internal/libcrux_core.h"
@@ -18,12 +18,9 @@
 */
 static uint8_t inz(uint8_t value) {
   uint16_t value0 = (uint16_t)value;
-  uint16_t result = (((uint32_t)value0 |
-                      (uint32_t)core_num__u16_7__wrapping_add(~value0, 1U)) &
-                     0xFFFFU) >>
-                        8U &
-                    1U;
-  return (uint8_t)result;
+  uint8_t result =
+      (uint8_t)((uint32_t)core_num__u16_7__wrapping_add(~value0, 1U) >> 8U);
+  return (uint32_t)result & 1U;
 }
 
 static KRML_NOINLINE uint8_t is_non_zero(uint8_t value) { return inz(value); }
@@ -36,9 +33,10 @@ static uint8_t compare(Eurydice_slice lhs, Eurydice_slice rhs) {
   uint8_t r = 0U;
   for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) {
     size_t i0 = i;
-    r = (uint32_t)r |
-        ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^
-         (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *));
+    uint8_t nr = (uint32_t)r |
+                 ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^
+                  (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *));
+    r = nr;
   }
   return is_non_zero(r);
 }
@@ -59,10 +57,12 @@ static void select_ct(Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector,
   for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE;
        i++) {
     size_t i0 = i;
-    out[i0] = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) &
-               (uint32_t)mask) |
-              ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) &
-               (uint32_t)~mask);
+    uint8_t outi =
+        ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) &
+         (uint32_t)mask) |
+        ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) &
+         (uint32_t)~mask);
+    out[i0] = outi;
   }
   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
@@ -82,20 +82,17 @@ void libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_i
   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
 }
 
-/**
- Create a new [`MlKemKeyPair`] from the secret and public key.
-*/
 /**
 This function found in impl
-{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>}
+{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>#21}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_17
+A monomorphic instance of libcrux_ml_kem.types.from_3a
 with const generics
 - PRIVATE_KEY_SIZE= 3168
 - PUBLIC_KEY_SIZE= 1568
 */
-libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_17_94(
+libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_3a_94(
     libcrux_ml_kem_types_MlKemPrivateKey_83 sk,
     libcrux_ml_kem_types_MlKemPublicKey_64 pk) {
   return (
@@ -104,14 +101,14 @@ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_types_from_17_94(
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#10}
+libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#12}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_88
+A monomorphic instance of libcrux_ml_kem.types.from_9a
 with const generics
 - SIZE= 3168
 */
-libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_88_39(
+libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_9a_39(
     uint8_t value[3168U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[3168U];
@@ -121,20 +118,17 @@ libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_88_39(
   return lit;
 }
 
-/**
- Create a new [`MlKemKeyPair`] from the secret and public key.
-*/
 /**
 This function found in impl
-{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>}
+{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>#21}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_17
+A monomorphic instance of libcrux_ml_kem.types.from_3a
 with const generics
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
 */
-libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_17_74(
+libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_3a_74(
     libcrux_ml_kem_types_MlKemPrivateKey_d9 sk,
     libcrux_ml_kem_types_MlKemPublicKey_30 pk) {
   return (
@@ -143,14 +137,14 @@ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_types_from_17_74(
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#10}
+libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#12}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_88
+A monomorphic instance of libcrux_ml_kem.types.from_9a
 with const generics
 - SIZE= 2400
 */
-libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_88_28(
+libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_9a_28(
     uint8_t value[2400U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[2400U];
@@ -160,20 +154,17 @@ libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_88_28(
   return lit;
 }
 
-/**
- Create a new [`MlKemKeyPair`] from the secret and public key.
-*/
 /**
 This function found in impl
-{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>}
+{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>#21}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_17
+A monomorphic instance of libcrux_ml_kem.types.from_3a
 with const generics
 - PRIVATE_KEY_SIZE= 1632
 - PUBLIC_KEY_SIZE= 800
 */
-libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_17_fa(
+libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_3a_fa(
     libcrux_ml_kem_types_MlKemPrivateKey_fa sk,
     libcrux_ml_kem_types_MlKemPublicKey_52 pk) {
   return (CLITERAL(libcrux_ml_kem_types_MlKemKeyPair_3e){.sk = sk, .pk = pk});
@@ -181,14 +172,14 @@ libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_types_from_17_fa(
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#10}
+libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#12}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_88
+A monomorphic instance of libcrux_ml_kem.types.from_9a
 with const generics
 - SIZE= 1632
 */
-libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_88_2a(
+libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_9a_2a(
     uint8_t value[1632U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[1632U];
@@ -199,31 +190,28 @@ libcrux_ml_kem_types_MlKemPrivateKey_fa libcrux_ml_kem_types_from_88_2a(
 }
 
 /**
- A reference to the raw byte slice.
-*/
-/**
-This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#21}
+This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#20}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.as_slice_ba
+A monomorphic instance of libcrux_ml_kem.types.as_slice_fd
 with const generics
 - SIZE= 1184
 */
-uint8_t *libcrux_ml_kem_types_as_slice_ba_d0(
+uint8_t *libcrux_ml_kem_types_as_slice_fd_d0(
     libcrux_ml_kem_types_MlKemPublicKey_30 *self) {
   return self->value;
 }
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#17}
+libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#19}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_40
+A monomorphic instance of libcrux_ml_kem.types.from_5f
 with const generics
 - SIZE= 1184
 */
-libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_types_from_40_d0(
+libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_types_from_5f_d0(
     uint8_t value[1184U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[1184U];
@@ -267,14 +255,14 @@ Eurydice_slice_uint8_t_x4 libcrux_ml_kem_types_unpack_private_key_b4(
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#3}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#5}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_fc
+A monomorphic instance of libcrux_ml_kem.types.from_00
 with const generics
 - SIZE= 1088
 */
-libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_fc_80(
+libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_00_80(
     uint8_t value[1088U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[1088U];
@@ -284,16 +272,33 @@ libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_fc_80(
   return lit;
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc
+with const generics
+- K= 3
+*/
+uint8_t libcrux_ml_kem_utils_prf_input_inc_e0(uint8_t (*prf_inputs)[33U],
+                                              uint8_t domain_separator) {
+  uint8_t ret[3U][33U];
+  core_array___core__clone__Clone_for__Array_T__N___20__clone(
+      (size_t)3U, prf_inputs, ret, uint8_t[33U], void *);
+  LowStar_Ignore_ignore(ret, uint8_t[3U][33U], void *);
+  KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
+                  prf_inputs[i0][32U] = domain_separator;
+                  domain_separator = (uint32_t)domain_separator + 1U;);
+  return domain_separator;
+}
+
 /**
 This function found in impl {(core::convert::AsRef<@Slice<u8>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#2}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#4}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.as_ref_fd
+A monomorphic instance of libcrux_ml_kem.types.as_ref_43
 with const generics
 - SIZE= 1088
 */
-Eurydice_slice libcrux_ml_kem_types_as_ref_fd_80(
+Eurydice_slice libcrux_ml_kem_types_as_ref_43_80(
     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) {
   return Eurydice_array_to_slice((size_t)1088U, self->value, uint8_t);
 }
@@ -318,31 +323,28 @@ void libcrux_ml_kem_utils_into_padded_array_15(Eurydice_slice slice,
 }
 
 /**
- A reference to the raw byte slice.
+This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#20}
 */
 /**
-This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#21}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.types.as_slice_ba
+A monomorphic instance of libcrux_ml_kem.types.as_slice_fd
 with const generics
 - SIZE= 800
 */
-uint8_t *libcrux_ml_kem_types_as_slice_ba_4d(
+uint8_t *libcrux_ml_kem_types_as_slice_fd_4d(
     libcrux_ml_kem_types_MlKemPublicKey_52 *self) {
   return self->value;
 }
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#17}
+libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#19}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_40
+A monomorphic instance of libcrux_ml_kem.types.from_5f
 with const generics
 - SIZE= 800
 */
-libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_types_from_40_4d(
+libcrux_ml_kem_types_MlKemPublicKey_52 libcrux_ml_kem_types_from_5f_4d(
     uint8_t value[800U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[800U];
@@ -386,14 +388,14 @@ Eurydice_slice_uint8_t_x4 libcrux_ml_kem_types_unpack_private_key_0c(
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#3}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#5}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_fc
+A monomorphic instance of libcrux_ml_kem.types.from_00
 with const generics
 - SIZE= 768
 */
-libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_fc_d0(
+libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_00_d0(
     uint8_t value[768U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[768U];
@@ -403,16 +405,33 @@ libcrux_ml_kem_types_MlKemCiphertext_1a libcrux_ml_kem_types_from_fc_d0(
   return lit;
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc
+with const generics
+- K= 2
+*/
+uint8_t libcrux_ml_kem_utils_prf_input_inc_fd(uint8_t (*prf_inputs)[33U],
+                                              uint8_t domain_separator) {
+  uint8_t ret[2U][33U];
+  core_array___core__clone__Clone_for__Array_T__N___20__clone(
+      (size_t)2U, prf_inputs, ret, uint8_t[33U], void *);
+  LowStar_Ignore_ignore(ret, uint8_t[2U][33U], void *);
+  KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
+                  prf_inputs[i0][32U] = domain_separator;
+                  domain_separator = (uint32_t)domain_separator + 1U;);
+  return domain_separator;
+}
+
 /**
 This function found in impl {(core::convert::AsRef<@Slice<u8>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#2}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#4}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.as_ref_fd
+A monomorphic instance of libcrux_ml_kem.types.as_ref_43
 with const generics
 - SIZE= 768
 */
-Eurydice_slice libcrux_ml_kem_types_as_ref_fd_d0(
+Eurydice_slice libcrux_ml_kem_types_as_ref_43_d0(
     libcrux_ml_kem_types_MlKemCiphertext_1a *self) {
   return Eurydice_array_to_slice((size_t)768U, self->value, uint8_t);
 }
@@ -437,31 +456,28 @@ void libcrux_ml_kem_utils_into_padded_array_4d(Eurydice_slice slice,
 }
 
 /**
- A reference to the raw byte slice.
+This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#20}
 */
 /**
-This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#21}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.types.as_slice_ba
+A monomorphic instance of libcrux_ml_kem.types.as_slice_fd
 with const generics
 - SIZE= 1568
 */
-uint8_t *libcrux_ml_kem_types_as_slice_ba_af(
+uint8_t *libcrux_ml_kem_types_as_slice_fd_af(
     libcrux_ml_kem_types_MlKemPublicKey_64 *self) {
   return self->value;
 }
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#17}
+libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#19}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_40
+A monomorphic instance of libcrux_ml_kem.types.from_5f
 with const generics
 - SIZE= 1568
 */
-libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_types_from_40_af(
+libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_types_from_5f_af(
     uint8_t value[1568U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[1568U];
@@ -545,14 +561,14 @@ void libcrux_ml_kem_utils_into_padded_array_b6(Eurydice_slice slice,
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#3}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#5}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_fc
+A monomorphic instance of libcrux_ml_kem.types.from_00
 with const generics
 - SIZE= 1568
 */
-libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_fc_af(
+libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_00_af(
     uint8_t value[1568U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[1568U];
@@ -562,6 +578,23 @@ libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_fc_af(
   return lit;
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc
+with const generics
+- K= 4
+*/
+uint8_t libcrux_ml_kem_utils_prf_input_inc_ac(uint8_t (*prf_inputs)[33U],
+                                              uint8_t domain_separator) {
+  uint8_t ret[4U][33U];
+  core_array___core__clone__Clone_for__Array_T__N___20__clone(
+      (size_t)4U, prf_inputs, ret, uint8_t[33U], void *);
+  LowStar_Ignore_ignore(ret, uint8_t[4U][33U], void *);
+  KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
+                  prf_inputs[i0][32U] = domain_separator;
+                  domain_separator = (uint32_t)domain_separator + 1U;);
+  return domain_separator;
+}
+
 /**
  Pad the `slice` with `0`s at the end.
 */
@@ -583,14 +616,14 @@ void libcrux_ml_kem_utils_into_padded_array_c8(Eurydice_slice slice,
 
 /**
 This function found in impl {(core::convert::AsRef<@Slice<u8>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#2}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#4}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.as_ref_fd
+A monomorphic instance of libcrux_ml_kem.types.as_ref_43
 with const generics
 - SIZE= 1568
 */
-Eurydice_slice libcrux_ml_kem_types_as_ref_fd_af(
+Eurydice_slice libcrux_ml_kem_types_as_ref_43_af(
     libcrux_ml_kem_types_MlKemCiphertext_64 *self) {
   return Eurydice_array_to_slice((size_t)1568U, self->value, uint8_t);
 }
diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h
index a94f355d9..3e81d2dc0 100644
--- a/libcrux-ml-kem/c/libcrux_core.h
+++ b/libcrux-ml-kem/c/libcrux_core.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h
index b173ad526..fb6f70eaa 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem1024_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
index c43ee8f13..65c3d7236 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "libcrux_mlkem1024_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
index afd941054..17b0c0046 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem1024_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c b/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c
deleted file mode 100644
index c95f9f673..000000000
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c
+++ /dev/null
@@ -1,304 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
- *
- * SPDX-License-Identifier: MIT or Apache-2.0
- *
- * This code was generated with the following revisions:
- * Charon: 53530427db2941ce784201e64086766504bc5642
- * Eurydice: 7834acbb41b06c34f198a1cb6b88241cc10b9aeb
- * Karamel: bdf06956e6ee025d4819bf2f8cc92651e572ad85
- * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38
- * Libcrux: d5574e8f6c62bf622ab6b61c291abeb66c1b7221
- */
-
-#include "libcrux_mlkem1024_neon.h"
-
-#include "internal/libcrux_mlkem_neon.h"
-
-/**
- Portable decapsulate
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.neon.decapsulate
-with const generics
-- K= 4
-- SECRET_KEY_SIZE= 3168
-- CPA_SECRET_KEY_SIZE= 1536
-- PUBLIC_KEY_SIZE= 1568
-- CIPHERTEXT_SIZE= 1568
-- T_AS_NTT_ENCODED_SIZE= 1536
-- C1_SIZE= 1408
-- C2_SIZE= 160
-- VECTOR_U_COMPRESSION_FACTOR= 11
-- VECTOR_V_COMPRESSION_FACTOR= 5
-- C1_BLOCK_SIZE= 352
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600
-*/
-static void decapsulate_f8(
-    libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key,
-    libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext,
-    uint8_t ret[32U]) {
-  libcrux_ml_kem_ind_cca_decapsulate_82(private_key, ciphertext, ret);
-}
-
-/**
- Decapsulate ML-KEM 1024
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an [`MlKem1024PrivateKey`] and an
- [`MlKem1024Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem1024_neon_decapsulate(
-    libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key,
-    libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext,
-    uint8_t ret[32U]) {
-  decapsulate_f8(private_key, ciphertext, ret);
-}
-
-/**
- Portable decapsulate
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.decapsulate_unpacked with const
-generics
-- K= 4
-- SECRET_KEY_SIZE= 3168
-- CPA_SECRET_KEY_SIZE= 1536
-- PUBLIC_KEY_SIZE= 1568
-- CIPHERTEXT_SIZE= 1568
-- T_AS_NTT_ENCODED_SIZE= 1536
-- C1_SIZE= 1408
-- C2_SIZE= 160
-- VECTOR_U_COMPRESSION_FACTOR= 11
-- VECTOR_V_COMPRESSION_FACTOR= 5
-- C1_BLOCK_SIZE= 352
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600
-*/
-static void decapsulate_unpacked_c2(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c *key_pair,
-    libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext,
-    uint8_t ret[32U]) {
-  libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec(key_pair, ciphertext, ret);
-}
-
-/**
- Decapsulate ML-KEM 1024 (unpacked)
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an unpacked key pair of type
- [`MlKem1024KeyPairUnpacked`] and an [`MlKem1024Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem1024_neon_decapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c *private_key,
-    libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext,
-    uint8_t ret[32U]) {
-  decapsulate_unpacked_c2(private_key, ciphertext, ret);
-}
-
-/**
-A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.neon.encapsulate
-with const generics
-- K= 4
-- CIPHERTEXT_SIZE= 1568
-- PUBLIC_KEY_SIZE= 1568
-- T_AS_NTT_ENCODED_SIZE= 1536
-- C1_SIZE= 1408
-- C2_SIZE= 160
-- VECTOR_U_COMPRESSION_FACTOR= 11
-- VECTOR_V_COMPRESSION_FACTOR= 5
-- VECTOR_U_BLOCK_LEN= 352
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-*/
-static tuple_21 encapsulate_6b(
-    libcrux_ml_kem_types_MlKemPublicKey_1f *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_types_MlKemPublicKey_1f *uu____0 = public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_encapsulate_28(uu____0, copy_of_randomness);
-}
-
-/**
- Encapsulate ML-KEM 1024
-
- Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an [`MlKem1024PublicKey`] and
- [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-*/
-tuple_21 libcrux_ml_kem_mlkem1024_neon_encapsulate(
-    libcrux_ml_kem_types_MlKemPublicKey_1f *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_types_MlKemPublicKey_1f *uu____0 = public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return encapsulate_6b(uu____0, copy_of_randomness);
-}
-
-/**
- Portable encapsualte
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.encapsulate_unpacked with const
-generics
-- K= 4
-- CIPHERTEXT_SIZE= 1568
-- PUBLIC_KEY_SIZE= 1568
-- T_AS_NTT_ENCODED_SIZE= 1536
-- C1_SIZE= 1408
-- C2_SIZE= 160
-- VECTOR_U_COMPRESSION_FACTOR= 11
-- VECTOR_V_COMPRESSION_FACTOR= 5
-- VECTOR_U_BLOCK_LEN= 352
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-*/
-static tuple_21 encapsulate_unpacked_1c(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_2c *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_2c *uu____0 =
-      public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_encapsulate_unpacked_47(uu____0,
-                                                        copy_of_randomness);
-}
-
-/**
- Encapsulate ML-KEM 1024 (unpacked)
-
- Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an unpacked public key of type
- [`MlKem1024PublicKeyUnpacked`], the SHA3-256 hash of this public key, and
- [`SHARED_SECRET_SIZE`] bytes of `randomness`.
- TODO: The F* prefix opens required modules, it should go away when the
- following issue is resolved: https://github.com/hacspec/hax/issues/770
-*/
-tuple_21 libcrux_ml_kem_mlkem1024_neon_encapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_2c *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_2c *uu____0 =
-      public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return encapsulate_unpacked_1c(uu____0, copy_of_randomness);
-}
-
-/**
- Portable generate key pair.
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.generate_keypair with const generics
-- K= 4
-- CPA_PRIVATE_KEY_SIZE= 1536
-- PRIVATE_KEY_SIZE= 3168
-- PUBLIC_KEY_SIZE= 1568
-- BYTES_PER_RING_ELEMENT= 1536
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-*/
-static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_91(
-    uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_generate_keypair_72(copy_of_randomness);
-}
-
-/**
- Generate ML-KEM 1024 Key Pair
-*/
-libcrux_ml_kem_mlkem1024_MlKem1024KeyPair
-libcrux_ml_kem_mlkem1024_neon_generate_key_pair(uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return generate_keypair_91(copy_of_randomness);
-}
-
-/**
- Unpacked API
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.generate_keypair_unpacked with const
-generics
-- K= 4
-- CPA_PRIVATE_KEY_SIZE= 1536
-- PRIVATE_KEY_SIZE= 3168
-- PUBLIC_KEY_SIZE= 1568
-- BYTES_PER_RING_ELEMENT= 1536
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-*/
-static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c
-generate_keypair_unpacked_87(uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b4(
-      copy_of_randomness);
-}
-
-/**
- Generate ML-KEM 1024 Key Pair in "unpacked" form
-*/
-libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c
-libcrux_ml_kem_mlkem1024_neon_generate_key_pair_unpacked(
-    uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return generate_keypair_unpacked_87(copy_of_randomness);
-}
-
-/**
- Portable public key validation
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.validate_public_key with const
-generics
-- K= 4
-- RANKED_BYTES_PER_RING_ELEMENT= 1536
-- PUBLIC_KEY_SIZE= 1568
-*/
-static bool validate_public_key_a3(uint8_t *public_key) {
-  return libcrux_ml_kem_ind_cca_validate_public_key_7e(public_key);
-}
-
-/**
- Validate a public key.
-
- Returns `Some(public_key)` if valid, and `None` otherwise.
-*/
-core_option_Option_99 libcrux_ml_kem_mlkem1024_neon_validate_public_key(
-    libcrux_ml_kem_types_MlKemPublicKey_1f public_key) {
-  core_option_Option_99 uu____0;
-  if (validate_public_key_a3(public_key.value)) {
-    uu____0 = (CLITERAL(core_option_Option_99){.tag = core_option_Some,
-                                               .f0 = public_key});
-  } else {
-    uu____0 = (CLITERAL(core_option_Option_99){.tag = core_option_None});
-  }
-  return uu____0;
-}
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h b/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h
deleted file mode 100644
index 1ed96ad65..000000000
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
- *
- * SPDX-License-Identifier: MIT or Apache-2.0
- *
- * This code was generated with the following revisions:
- * Charon: 53530427db2941ce784201e64086766504bc5642
- * Eurydice: 7834acbb41b06c34f198a1cb6b88241cc10b9aeb
- * Karamel: bdf06956e6ee025d4819bf2f8cc92651e572ad85
- * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38
- * Libcrux: d5574e8f6c62bf622ab6b61c291abeb66c1b7221
- */
-
-#ifndef __libcrux_mlkem1024_neon_H
-#define __libcrux_mlkem1024_neon_H
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-#include "eurydice_glue.h"
-#include "libcrux_core.h"
-#include "libcrux_mlkem_neon.h"
-
-/**
- Decapsulate ML-KEM 1024
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an [`MlKem1024PrivateKey`] and an
- [`MlKem1024Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem1024_neon_decapsulate(
-    libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key,
-    libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]);
-
-/**
- Decapsulate ML-KEM 1024 (unpacked)
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an unpacked key pair of type
- [`MlKem1024KeyPairUnpacked`] and an [`MlKem1024Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem1024_neon_decapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c *private_key,
-    libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]);
-
-/**
- Encapsulate ML-KEM 1024
-
- Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an [`MlKem1024PublicKey`] and
- [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-*/
-tuple_21 libcrux_ml_kem_mlkem1024_neon_encapsulate(
-    libcrux_ml_kem_types_MlKemPublicKey_1f *public_key,
-    uint8_t randomness[32U]);
-
-/**
- Encapsulate ML-KEM 1024 (unpacked)
-
- Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an unpacked public key of type
- [`MlKem1024PublicKeyUnpacked`], the SHA3-256 hash of this public key, and
- [`SHARED_SECRET_SIZE`] bytes of `randomness`.
- TODO: The F* prefix opens required modules, it should go away when the
- following issue is resolved: https://github.com/hacspec/hax/issues/770
-*/
-tuple_21 libcrux_ml_kem_mlkem1024_neon_encapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_2c *public_key,
-    uint8_t randomness[32U]);
-
-/**
- Generate ML-KEM 1024 Key Pair
-*/
-libcrux_ml_kem_mlkem1024_MlKem1024KeyPair
-libcrux_ml_kem_mlkem1024_neon_generate_key_pair(uint8_t randomness[64U]);
-
-/**
- Generate ML-KEM 1024 Key Pair in "unpacked" form
-*/
-libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c
-libcrux_ml_kem_mlkem1024_neon_generate_key_pair_unpacked(
-    uint8_t randomness[64U]);
-
-/**
- Validate a public key.
-
- Returns `Some(public_key)` if valid, and `None` otherwise.
-*/
-core_option_Option_99 libcrux_ml_kem_mlkem1024_neon_validate_public_key(
-    libcrux_ml_kem_types_MlKemPublicKey_1f public_key);
-
-#if defined(__cplusplus)
-}
-#endif
-
-#define __libcrux_mlkem1024_neon_H_DEFINED
-#endif
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
index 57e04e060..35b28ea4a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "libcrux_mlkem1024_portable.h"
@@ -68,7 +68,7 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics
 - C2_SIZE= 160
 - VECTOR_U_COMPRESSION_FACTOR= 11
 - VECTOR_V_COMPRESSION_FACTOR= 5
-- VECTOR_U_BLOCK_LEN= 352
+- C1_BLOCK_SIZE= 352
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -112,7 +112,7 @@ generics
 - CPA_PRIVATE_KEY_SIZE= 1536
 - PRIVATE_KEY_SIZE= 3168
 - PUBLIC_KEY_SIZE= 1568
-- BYTES_PER_RING_ELEMENT= 1536
+- RANKED_BYTES_PER_RING_ELEMENT= 1536
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
index b1942de40..2d9862c52 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem1024_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h
index ab5380f35..26616454d 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem512_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
index e23ec575f..b3197512a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "libcrux_mlkem512_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
index 6e4bc764c..17beb7efe 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem512_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_neon.c b/libcrux-ml-kem/c/libcrux_mlkem512_neon.c
deleted file mode 100644
index 5b9b0ad47..000000000
--- a/libcrux-ml-kem/c/libcrux_mlkem512_neon.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
- *
- * SPDX-License-Identifier: MIT or Apache-2.0
- *
- * This code was generated with the following revisions:
- * Charon: 53530427db2941ce784201e64086766504bc5642
- * Eurydice: 7834acbb41b06c34f198a1cb6b88241cc10b9aeb
- * Karamel: bdf06956e6ee025d4819bf2f8cc92651e572ad85
- * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38
- * Libcrux: d5574e8f6c62bf622ab6b61c291abeb66c1b7221
- */
-
-#include "libcrux_mlkem512_neon.h"
-
-#include "internal/libcrux_mlkem_neon.h"
-
-/**
- Portable decapsulate
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.neon.decapsulate
-with const generics
-- K= 2
-- SECRET_KEY_SIZE= 1632
-- CPA_SECRET_KEY_SIZE= 768
-- PUBLIC_KEY_SIZE= 800
-- CIPHERTEXT_SIZE= 768
-- T_AS_NTT_ENCODED_SIZE= 768
-- C1_SIZE= 640
-- C2_SIZE= 128
-- VECTOR_U_COMPRESSION_FACTOR= 10
-- VECTOR_V_COMPRESSION_FACTOR= 4
-- C1_BLOCK_SIZE= 320
-- ETA1= 3
-- ETA1_RANDOMNESS_SIZE= 192
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800
-*/
-static void decapsulate_55(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key,
-                           libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext,
-                           uint8_t ret[32U]) {
-  libcrux_ml_kem_ind_cca_decapsulate_821(private_key, ciphertext, ret);
-}
-
-/**
- Decapsulate ML-KEM 512
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an [`MlKem512PrivateKey`] and an
- [`MlKem512Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem512_neon_decapsulate(
-    libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key,
-    libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) {
-  decapsulate_55(private_key, ciphertext, ret);
-}
-
-/**
- Portable decapsulate
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.decapsulate_unpacked with const
-generics
-- K= 2
-- SECRET_KEY_SIZE= 1632
-- CPA_SECRET_KEY_SIZE= 768
-- PUBLIC_KEY_SIZE= 800
-- CIPHERTEXT_SIZE= 768
-- T_AS_NTT_ENCODED_SIZE= 768
-- C1_SIZE= 640
-- C2_SIZE= 128
-- VECTOR_U_COMPRESSION_FACTOR= 10
-- VECTOR_V_COMPRESSION_FACTOR= 4
-- C1_BLOCK_SIZE= 320
-- ETA1= 3
-- ETA1_RANDOMNESS_SIZE= 192
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800
-*/
-static void decapsulate_unpacked_53(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 *key_pair,
-    libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) {
-  libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec1(key_pair, ciphertext, ret);
-}
-
-/**
- Decapsulate ML-KEM 512 (unpacked)
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an unpacked key pair of type
- [`MlKem512KeyPairUnpacked`] and an [`MlKem512Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem512_neon_decapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 *private_key,
-    libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) {
-  decapsulate_unpacked_53(private_key, ciphertext, ret);
-}
-
-/**
-A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.neon.encapsulate
-with const generics
-- K= 2
-- CIPHERTEXT_SIZE= 768
-- PUBLIC_KEY_SIZE= 800
-- T_AS_NTT_ENCODED_SIZE= 768
-- C1_SIZE= 640
-- C2_SIZE= 128
-- VECTOR_U_COMPRESSION_FACTOR= 10
-- VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
-- ETA1= 3
-- ETA1_RANDOMNESS_SIZE= 192
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-*/
-static tuple_ec encapsulate_f8(
-    libcrux_ml_kem_types_MlKemPublicKey_be *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_types_MlKemPublicKey_be *uu____0 = public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_encapsulate_281(uu____0, copy_of_randomness);
-}
-
-/**
- Encapsulate ML-KEM 512
-
- Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`]
- bytes of `randomness`.
-*/
-tuple_ec libcrux_ml_kem_mlkem512_neon_encapsulate(
-    libcrux_ml_kem_types_MlKemPublicKey_be *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_types_MlKemPublicKey_be *uu____0 = public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return encapsulate_f8(uu____0, copy_of_randomness);
-}
-
-/**
- Portable encapsualte
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.encapsulate_unpacked with const
-generics
-- K= 2
-- CIPHERTEXT_SIZE= 768
-- PUBLIC_KEY_SIZE= 800
-- T_AS_NTT_ENCODED_SIZE= 768
-- C1_SIZE= 640
-- C2_SIZE= 128
-- VECTOR_U_COMPRESSION_FACTOR= 10
-- VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
-- ETA1= 3
-- ETA1_RANDOMNESS_SIZE= 192
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-*/
-static tuple_ec encapsulate_unpacked_ce(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_66 *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_66 *uu____0 =
-      public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_encapsulate_unpacked_471(uu____0,
-                                                         copy_of_randomness);
-}
-
-/**
- Encapsulate ML-KEM 512 (unpacked)
-
- Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an unpacked public key of type
- [`MlKem512PublicKeyUnpacked`], the SHA3-256 hash of this public key, and
- [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-*/
-tuple_ec libcrux_ml_kem_mlkem512_neon_encapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_66 *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_66 *uu____0 =
-      public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return encapsulate_unpacked_ce(uu____0, copy_of_randomness);
-}
-
-/**
- Portable generate key pair.
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.generate_keypair with const generics
-- K= 2
-- CPA_PRIVATE_KEY_SIZE= 768
-- PRIVATE_KEY_SIZE= 1632
-- PUBLIC_KEY_SIZE= 800
-- BYTES_PER_RING_ELEMENT= 768
-- ETA1= 3
-- ETA1_RANDOMNESS_SIZE= 192
-*/
-static libcrux_ml_kem_types_MlKemKeyPair_cb generate_keypair_1a(
-    uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_generate_keypair_721(copy_of_randomness);
-}
-
-/**
- Generate ML-KEM 512 Key Pair
-*/
-libcrux_ml_kem_types_MlKemKeyPair_cb
-libcrux_ml_kem_mlkem512_neon_generate_key_pair(uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return generate_keypair_1a(copy_of_randomness);
-}
-
-/**
- Unpacked API
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.generate_keypair_unpacked with const
-generics
-- K= 2
-- CPA_PRIVATE_KEY_SIZE= 768
-- PRIVATE_KEY_SIZE= 1632
-- PUBLIC_KEY_SIZE= 800
-- BYTES_PER_RING_ELEMENT= 768
-- ETA1= 3
-- ETA1_RANDOMNESS_SIZE= 192
-*/
-static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66
-generate_keypair_unpacked_38(uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b41(
-      copy_of_randomness);
-}
-
-/**
- Generate ML-KEM 512 Key Pair in "unpacked" form
-*/
-libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66
-libcrux_ml_kem_mlkem512_neon_generate_key_pair_unpacked(
-    uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return generate_keypair_unpacked_38(copy_of_randomness);
-}
-
-/**
- Portable public key validation
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.validate_public_key with const
-generics
-- K= 2
-- RANKED_BYTES_PER_RING_ELEMENT= 768
-- PUBLIC_KEY_SIZE= 800
-*/
-static bool validate_public_key_a31(uint8_t *public_key) {
-  return libcrux_ml_kem_ind_cca_validate_public_key_7e1(public_key);
-}
-
-/**
- Validate a public key.
-
- Returns `Some(public_key)` if valid, and `None` otherwise.
-*/
-core_option_Option_04 libcrux_ml_kem_mlkem512_neon_validate_public_key(
-    libcrux_ml_kem_types_MlKemPublicKey_be public_key) {
-  core_option_Option_04 uu____0;
-  if (validate_public_key_a31(public_key.value)) {
-    uu____0 = (CLITERAL(core_option_Option_04){.tag = core_option_Some,
-                                               .f0 = public_key});
-  } else {
-    uu____0 = (CLITERAL(core_option_Option_04){.tag = core_option_None});
-  }
-  return uu____0;
-}
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_neon.h b/libcrux-ml-kem/c/libcrux_mlkem512_neon.h
deleted file mode 100644
index 211c714fc..000000000
--- a/libcrux-ml-kem/c/libcrux_mlkem512_neon.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
- *
- * SPDX-License-Identifier: MIT or Apache-2.0
- *
- * This code was generated with the following revisions:
- * Charon: 53530427db2941ce784201e64086766504bc5642
- * Eurydice: 7834acbb41b06c34f198a1cb6b88241cc10b9aeb
- * Karamel: bdf06956e6ee025d4819bf2f8cc92651e572ad85
- * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38
- * Libcrux: d5574e8f6c62bf622ab6b61c291abeb66c1b7221
- */
-
-#ifndef __libcrux_mlkem512_neon_H
-#define __libcrux_mlkem512_neon_H
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-#include "eurydice_glue.h"
-#include "libcrux_core.h"
-#include "libcrux_mlkem_neon.h"
-
-/**
- Decapsulate ML-KEM 512
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an [`MlKem512PrivateKey`] and an
- [`MlKem512Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem512_neon_decapsulate(
-    libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key,
-    libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]);
-
-/**
- Decapsulate ML-KEM 512 (unpacked)
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an unpacked key pair of type
- [`MlKem512KeyPairUnpacked`] and an [`MlKem512Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem512_neon_decapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 *private_key,
-    libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]);
-
-/**
- Encapsulate ML-KEM 512
-
- Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`]
- bytes of `randomness`.
-*/
-tuple_ec libcrux_ml_kem_mlkem512_neon_encapsulate(
-    libcrux_ml_kem_types_MlKemPublicKey_be *public_key,
-    uint8_t randomness[32U]);
-
-/**
- Encapsulate ML-KEM 512 (unpacked)
-
- Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an unpacked public key of type
- [`MlKem512PublicKeyUnpacked`], the SHA3-256 hash of this public key, and
- [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-*/
-tuple_ec libcrux_ml_kem_mlkem512_neon_encapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_66 *public_key,
-    uint8_t randomness[32U]);
-
-/**
- Generate ML-KEM 512 Key Pair
-*/
-libcrux_ml_kem_types_MlKemKeyPair_cb
-libcrux_ml_kem_mlkem512_neon_generate_key_pair(uint8_t randomness[64U]);
-
-/**
- Generate ML-KEM 512 Key Pair in "unpacked" form
-*/
-libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66
-libcrux_ml_kem_mlkem512_neon_generate_key_pair_unpacked(
-    uint8_t randomness[64U]);
-
-/**
- Validate a public key.
-
- Returns `Some(public_key)` if valid, and `None` otherwise.
-*/
-core_option_Option_04 libcrux_ml_kem_mlkem512_neon_validate_public_key(
-    libcrux_ml_kem_types_MlKemPublicKey_be public_key);
-
-#if defined(__cplusplus)
-}
-#endif
-
-#define __libcrux_mlkem512_neon_H_DEFINED
-#endif
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
index 0f919e950..95355e049 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "libcrux_mlkem512_portable.h"
@@ -68,7 +68,7 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 - ETA2= 2
@@ -112,7 +112,7 @@ generics
 - CPA_PRIVATE_KEY_SIZE= 768
 - PRIVATE_KEY_SIZE= 1632
 - PUBLIC_KEY_SIZE= 800
-- BYTES_PER_RING_ELEMENT= 768
+- RANKED_BYTES_PER_RING_ELEMENT= 768
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 */
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
index 4cdcf8d07..062f3666e 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem512_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h
index adf020ae6..aae08ebb5 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem768_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
index b8fc9a3c4..e16553589 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "libcrux_mlkem768_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
index e5c7f82c3..a2ac464f9 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_neon.c b/libcrux-ml-kem/c/libcrux_mlkem768_neon.c
deleted file mode 100644
index c252832a1..000000000
--- a/libcrux-ml-kem/c/libcrux_mlkem768_neon.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
- *
- * SPDX-License-Identifier: MIT or Apache-2.0
- *
- * This code was generated with the following revisions:
- * Charon: 53530427db2941ce784201e64086766504bc5642
- * Eurydice: 7834acbb41b06c34f198a1cb6b88241cc10b9aeb
- * Karamel: bdf06956e6ee025d4819bf2f8cc92651e572ad85
- * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38
- * Libcrux: d5574e8f6c62bf622ab6b61c291abeb66c1b7221
- */
-
-#include "libcrux_mlkem768_neon.h"
-
-#include "internal/libcrux_mlkem_neon.h"
-
-/**
- Portable decapsulate
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.neon.decapsulate
-with const generics
-- K= 3
-- SECRET_KEY_SIZE= 2400
-- CPA_SECRET_KEY_SIZE= 1152
-- PUBLIC_KEY_SIZE= 1184
-- CIPHERTEXT_SIZE= 1088
-- T_AS_NTT_ENCODED_SIZE= 1152
-- C1_SIZE= 960
-- C2_SIZE= 128
-- VECTOR_U_COMPRESSION_FACTOR= 10
-- VECTOR_V_COMPRESSION_FACTOR= 4
-- C1_BLOCK_SIZE= 320
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120
-*/
-static void decapsulate_67(
-    libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
-    libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
-  libcrux_ml_kem_ind_cca_decapsulate_820(private_key, ciphertext, ret);
-}
-
-/**
- Decapsulate ML-KEM 768
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an [`MlKem768PrivateKey`] and an
- [`MlKem768Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem768_neon_decapsulate(
-    libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
-    libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
-  decapsulate_67(private_key, ciphertext, ret);
-}
-
-/**
- Portable decapsulate
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.decapsulate_unpacked with const
-generics
-- K= 3
-- SECRET_KEY_SIZE= 2400
-- CPA_SECRET_KEY_SIZE= 1152
-- PUBLIC_KEY_SIZE= 1184
-- CIPHERTEXT_SIZE= 1088
-- T_AS_NTT_ENCODED_SIZE= 1152
-- C1_SIZE= 960
-- C2_SIZE= 128
-- VECTOR_U_COMPRESSION_FACTOR= 10
-- VECTOR_V_COMPRESSION_FACTOR= 4
-- C1_BLOCK_SIZE= 320
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120
-*/
-static void decapsulate_unpacked_70(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd *key_pair,
-    libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
-  libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec0(key_pair, ciphertext, ret);
-}
-
-/**
- Decapsulate ML-KEM 768 (unpacked)
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an unpacked key pair of type
- [`MlKem768KeyPairUnpacked`] and an [`MlKem768Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem768_neon_decapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd *private_key,
-    libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
-  decapsulate_unpacked_70(private_key, ciphertext, ret);
-}
-
-/**
-A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.neon.encapsulate
-with const generics
-- K= 3
-- CIPHERTEXT_SIZE= 1088
-- PUBLIC_KEY_SIZE= 1184
-- T_AS_NTT_ENCODED_SIZE= 1152
-- C1_SIZE= 960
-- C2_SIZE= 128
-- VECTOR_U_COMPRESSION_FACTOR= 10
-- VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-*/
-static tuple_3c encapsulate_ea(
-    libcrux_ml_kem_types_MlKemPublicKey_15 *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_encapsulate_280(uu____0, copy_of_randomness);
-}
-
-/**
- Encapsulate ML-KEM 768
-
- Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`]
- bytes of `randomness`.
-*/
-tuple_3c libcrux_ml_kem_mlkem768_neon_encapsulate(
-    libcrux_ml_kem_types_MlKemPublicKey_15 *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return encapsulate_ea(uu____0, copy_of_randomness);
-}
-
-/**
- Portable encapsualte
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.encapsulate_unpacked with const
-generics
-- K= 3
-- CIPHERTEXT_SIZE= 1088
-- PUBLIC_KEY_SIZE= 1184
-- T_AS_NTT_ENCODED_SIZE= 1152
-- C1_SIZE= 960
-- C2_SIZE= 128
-- VECTOR_U_COMPRESSION_FACTOR= 10
-- VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-- ETA2= 2
-- ETA2_RANDOMNESS_SIZE= 128
-*/
-static tuple_3c encapsulate_unpacked_29(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_fd *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_fd *uu____0 =
-      public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_encapsulate_unpacked_470(uu____0,
-                                                         copy_of_randomness);
-}
-
-/**
- Encapsulate ML-KEM 768 (unpacked)
-
- Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an unpacked public key of type
- [`MlKem768PublicKeyUnpacked`], the SHA3-256 hash of this public key, and
- [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-*/
-tuple_3c libcrux_ml_kem_mlkem768_neon_encapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_fd *public_key,
-    uint8_t randomness[32U]) {
-  libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_fd *uu____0 =
-      public_key;
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[32U];
-  memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
-  return encapsulate_unpacked_29(uu____0, copy_of_randomness);
-}
-
-/**
- Portable generate key pair.
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.generate_keypair with const generics
-- K= 3
-- CPA_PRIVATE_KEY_SIZE= 1152
-- PRIVATE_KEY_SIZE= 2400
-- PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-*/
-static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_1b(
-    uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_generate_keypair_720(copy_of_randomness);
-}
-
-/**
- Generate ML-KEM 768 Key Pair
-*/
-libcrux_ml_kem_mlkem768_MlKem768KeyPair
-libcrux_ml_kem_mlkem768_neon_generate_key_pair(uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return generate_keypair_1b(copy_of_randomness);
-}
-
-/**
- Unpacked API
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.generate_keypair_unpacked with const
-generics
-- K= 3
-- CPA_PRIVATE_KEY_SIZE= 1152
-- PRIVATE_KEY_SIZE= 2400
-- PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
-*/
-static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd
-generate_keypair_unpacked_42(uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b40(
-      copy_of_randomness);
-}
-
-/**
- Generate ML-KEM 768 Key Pair in "unpacked" form
-*/
-libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd
-libcrux_ml_kem_mlkem768_neon_generate_key_pair_unpacked(
-    uint8_t randomness[64U]) {
-  /* Passing arrays by value in Rust generates a copy in C */
-  uint8_t copy_of_randomness[64U];
-  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
-  return generate_keypair_unpacked_42(copy_of_randomness);
-}
-
-/**
- Portable public key validation
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.instantiations.neon.validate_public_key with const
-generics
-- K= 3
-- RANKED_BYTES_PER_RING_ELEMENT= 1152
-- PUBLIC_KEY_SIZE= 1184
-*/
-static bool validate_public_key_a30(uint8_t *public_key) {
-  return libcrux_ml_kem_ind_cca_validate_public_key_7e0(public_key);
-}
-
-/**
- Validate a public key.
-
- Returns `Some(public_key)` if valid, and `None` otherwise.
-*/
-core_option_Option_92 libcrux_ml_kem_mlkem768_neon_validate_public_key(
-    libcrux_ml_kem_types_MlKemPublicKey_15 public_key) {
-  core_option_Option_92 uu____0;
-  if (validate_public_key_a30(public_key.value)) {
-    uu____0 = (CLITERAL(core_option_Option_92){.tag = core_option_Some,
-                                               .f0 = public_key});
-  } else {
-    uu____0 = (CLITERAL(core_option_Option_92){.tag = core_option_None});
-  }
-  return uu____0;
-}
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_neon.h b/libcrux-ml-kem/c/libcrux_mlkem768_neon.h
deleted file mode 100644
index aaf2756d9..000000000
--- a/libcrux-ml-kem/c/libcrux_mlkem768_neon.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
- *
- * SPDX-License-Identifier: MIT or Apache-2.0
- *
- * This code was generated with the following revisions:
- * Charon: 53530427db2941ce784201e64086766504bc5642
- * Eurydice: 7834acbb41b06c34f198a1cb6b88241cc10b9aeb
- * Karamel: bdf06956e6ee025d4819bf2f8cc92651e572ad85
- * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38
- * Libcrux: d5574e8f6c62bf622ab6b61c291abeb66c1b7221
- */
-
-#ifndef __libcrux_mlkem768_neon_H
-#define __libcrux_mlkem768_neon_H
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-#include "eurydice_glue.h"
-#include "libcrux_core.h"
-#include "libcrux_mlkem_neon.h"
-
-/**
- Decapsulate ML-KEM 768
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an [`MlKem768PrivateKey`] and an
- [`MlKem768Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem768_neon_decapsulate(
-    libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
-    libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]);
-
-/**
- Decapsulate ML-KEM 768 (unpacked)
-
- Generates an [`MlKemSharedSecret`].
- The input is a reference to an unpacked key pair of type
- [`MlKem768KeyPairUnpacked`] and an [`MlKem768Ciphertext`].
-*/
-void libcrux_ml_kem_mlkem768_neon_decapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd *private_key,
-    libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]);
-
-/**
- Encapsulate ML-KEM 768
-
- Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`]
- bytes of `randomness`.
-*/
-tuple_3c libcrux_ml_kem_mlkem768_neon_encapsulate(
-    libcrux_ml_kem_types_MlKemPublicKey_15 *public_key,
-    uint8_t randomness[32U]);
-
-/**
- Encapsulate ML-KEM 768 (unpacked)
-
- Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
- The input is a reference to an unpacked public key of type
- [`MlKem768PublicKeyUnpacked`], the SHA3-256 hash of this public key, and
- [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-*/
-tuple_3c libcrux_ml_kem_mlkem768_neon_encapsulate_unpacked(
-    libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_fd *public_key,
-    uint8_t randomness[32U]);
-
-/**
- Generate ML-KEM 768 Key Pair
-*/
-libcrux_ml_kem_mlkem768_MlKem768KeyPair
-libcrux_ml_kem_mlkem768_neon_generate_key_pair(uint8_t randomness[64U]);
-
-/**
- Generate ML-KEM 768 Key Pair in "unpacked" form
-*/
-libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd
-libcrux_ml_kem_mlkem768_neon_generate_key_pair_unpacked(
-    uint8_t randomness[64U]);
-
-/**
- Validate a public key.
-
- Returns `Some(public_key)` if valid, and `None` otherwise.
-*/
-core_option_Option_92 libcrux_ml_kem_mlkem768_neon_validate_public_key(
-    libcrux_ml_kem_types_MlKemPublicKey_15 public_key);
-
-#if defined(__cplusplus)
-}
-#endif
-
-#define __libcrux_mlkem768_neon_H_DEFINED
-#endif
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
index a767de37e..60b294d9a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "libcrux_mlkem768_portable.h"
@@ -68,7 +68,7 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -112,7 +112,7 @@ generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
index d3c6f6abc..d3ef0d130 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
index 8b8affa45..20fa22c11 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "internal/libcrux_mlkem_avx2.h"
@@ -33,34 +33,34 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H(Eurydice_slice input,
   memcpy(ret, digest, (size_t)32U * sizeof(uint8_t));
 }
 
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_zero(void) {
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_vec_zero(void) {
   return mm256_setzero_si256();
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_ea(void) {
-  return libcrux_ml_kem_vector_avx2_zero();
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_9a(void) {
+  return libcrux_ml_kem_vector_avx2_vec_zero();
 }
 
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_from_i16_array(Eurydice_slice array) {
+libcrux_ml_kem_vector_avx2_vec_from_i16_array(Eurydice_slice array) {
   return mm256_loadu_si256_i16(array);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice array) {
-  return libcrux_ml_kem_vector_avx2_from_i16_array(array);
+libcrux_ml_kem_vector_avx2_from_i16_array_9a(Eurydice_slice array) {
+  return libcrux_ml_kem_vector_avx2_vec_from_i16_array(array);
 }
 
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array(__m256i v,
-                                                             int16_t ret[16U]) {
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_vec_to_i16_array(
+    __m256i v, int16_t ret[16U]) {
   int16_t output[16U] = {0U};
   mm256_storeu_si256_i16(Eurydice_array_to_slice((size_t)16U, output, int16_t),
                          v);
@@ -69,11 +69,11 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array(__m256i v,
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_ea(
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_9a(
     __m256i x, int16_t ret[16U]) {
-  libcrux_ml_kem_vector_avx2_to_i16_array(x, ret);
+  libcrux_ml_kem_vector_avx2_vec_to_i16_array(x, ret);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs,
@@ -83,9 +83,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs,
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_ea(__m256i lhs,
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_9a(__m256i lhs,
                                                           __m256i *rhs) {
   return libcrux_ml_kem_vector_avx2_arithmetic_add(lhs, rhs[0U]);
 }
@@ -97,9 +97,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_sub(__m256i lhs,
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_ea(__m256i lhs,
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_9a(__m256i lhs,
                                                           __m256i *rhs) {
   return libcrux_ml_kem_vector_avx2_arithmetic_sub(lhs, rhs[0U]);
 }
@@ -107,29 +107,31 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_ea(__m256i lhs,
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i vector,
                                                            int16_t constant) {
-  return mm256_mullo_epi16(vector, mm256_set1_epi16(constant));
+  __m256i cv = mm256_set1_epi16(constant);
+  return mm256_mullo_epi16(vector, cv);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_multiply_by_constant_ea(__m256i v, int16_t c) {
-  return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(v, c);
+libcrux_ml_kem_vector_avx2_multiply_by_constant_9a(__m256i vec, int16_t c) {
+  return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(vec, c);
 }
 
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant(
     __m256i vector, int16_t constant) {
-  return mm256_and_si256(vector, mm256_set1_epi16(constant));
+  __m256i cv = mm256_set1_epi16(constant);
+  return mm256_and_si256(vector, cv);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea(
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_9a(
     __m256i vector, int16_t constant) {
   return libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant(
       vector, constant);
@@ -147,13 +149,18 @@ libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i vector) {
   return mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus);
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_cond_subtract_3329(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector);
+libcrux_ml_kem_vector_avx2_cond_subtract_3329_9a(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_cond_subtract_3329(vector);
 }
 
 /**
@@ -162,11 +169,12 @@ libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(__m256i vector) {
 */
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) {
-  __m256i t = mm256_mulhi_epi16(
+  __m256i t0 = mm256_mulhi_epi16(
       vector, mm256_set1_epi16(
                   LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER));
-  __m256i t0 = mm256_add_epi16(t, mm256_set1_epi16((int16_t)512));
-  __m256i quotient = mm256_srai_epi16((int32_t)10, t0, __m256i);
+  __m256i t512 = mm256_set1_epi16((int16_t)512);
+  __m256i t1 = mm256_add_epi16(t0, t512);
+  __m256i quotient = mm256_srai_epi16((int32_t)10, t1, __m256i);
   __m256i quotient_times_field_modulus = mm256_mullo_epi16(
       quotient, mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS));
   return mm256_sub_epi16(vector, quotient_times_field_modulus);
@@ -174,35 +182,36 @@ libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_barrett_reduce_ea(__m256i vector) {
+libcrux_ml_kem_vector_avx2_barrett_reduce_9a(__m256i vector) {
   return libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(vector);
 }
 
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant(
     __m256i vector, int16_t constant) {
-  __m256i constant0 = mm256_set1_epi16(constant);
-  __m256i value_low = mm256_mullo_epi16(vector, constant0);
+  __m256i vec_constant = mm256_set1_epi16(constant);
+  __m256i value_low = mm256_mullo_epi16(vector, vec_constant);
   __m256i k = mm256_mullo_epi16(
       value_low,
       mm256_set1_epi16(
           (int16_t)
               LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R));
-  __m256i k_times_modulus = mm256_mulhi_epi16(
-      k, mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS));
-  __m256i value_high = mm256_mulhi_epi16(vector, constant0);
+  __m256i modulus =
+      mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
+  __m256i k_times_modulus = mm256_mulhi_epi16(k, modulus);
+  __m256i value_high = mm256_mulhi_epi16(vector, vec_constant);
   return mm256_sub_epi16(value_high, k_times_modulus);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
+libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
     __m256i vector, int16_t constant) {
   return libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant(
       vector, constant);
@@ -223,14 +232,18 @@ libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
   return mm256_srli_epi16((int32_t)15, shifted_to_positive_in_range, __m256i);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_compress_1(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_compress_1_ea(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
-      vector);
+libcrux_ml_kem_vector_avx2_compress_1_9a(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_1(vector);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(
@@ -245,16 +258,17 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(
 
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants(
-    __m256i v, __m256i c) {
-  __m256i value_low = mm256_mullo_epi16(v, c);
+    __m256i vec, __m256i constants) {
+  __m256i value_low = mm256_mullo_epi16(vec, constants);
   __m256i k = mm256_mullo_epi16(
       value_low,
       mm256_set1_epi16(
           (int16_t)
               LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R));
-  __m256i k_times_modulus = mm256_mulhi_epi16(
-      k, mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS));
-  __m256i value_high = mm256_mulhi_epi16(v, c);
+  __m256i modulus =
+      mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
+  __m256i k_times_modulus = mm256_mulhi_epi16(k, modulus);
+  __m256i value_high = mm256_mulhi_epi16(vec, constants);
   return mm256_sub_epi16(value_high, k_times_modulus);
 }
 
@@ -272,15 +286,22 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(
   return mm256_add_epi16(lhs, rhs0);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                         zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea(
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_9a(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1,
-                                                         zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                     zeta2, zeta3);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(
@@ -296,27 +317,32 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(
   return mm256_add_epi16(lhs, rhs0);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea(
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_9a(
     __m256i vector, int16_t zeta0, int16_t zeta1) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_2_step(vector, zeta0, zeta1);
 }
 
 KRML_MUSTINLINE __m128i
 libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants(
-    __m128i v, __m128i c) {
-  __m128i value_low = mm_mullo_epi16(v, c);
+    __m128i vec, __m128i constants) {
+  __m128i value_low = mm_mullo_epi16(vec, constants);
   __m128i k = mm_mullo_epi16(
       value_low,
       mm_set1_epi16(
           (int16_t)
               LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R));
-  __m128i k_times_modulus = mm_mulhi_epi16(
-      k, mm_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS));
-  __m128i value_high = mm_mulhi_epi16(v, c);
+  __m128i modulus = mm_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
+  __m128i k_times_modulus = mm_mulhi_epi16(k, modulus);
+  __m128i value_high = mm_mulhi_epi16(vec, constants);
   return mm_sub_epi16(value_high, k_times_modulus);
 }
 
@@ -334,13 +360,18 @@ libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, int16_t zeta) {
                                 __m256i);
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_ntt_layer_3_step(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea(__m256i vector, int16_t zeta) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta);
+libcrux_ml_kem_vector_avx2_ntt_layer_3_step_9a(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_layer_3_step(vector, zeta);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
@@ -364,15 +395,22 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
   return mm256_blend_epi16((int32_t)204, sum, sum_times_zetas, __m256i);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
+      vector, zeta0, zeta1, zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea(
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_9a(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
-      vector, zeta0, zeta1, zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                         zeta2, zeta3);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(
@@ -394,14 +432,19 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(
   return mm256_blend_epi16((int32_t)240, sum, sum_times_zetas, __m256i);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0,
+                                                             zeta1);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea(
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_9a(
     __m256i vector, int16_t zeta0, int16_t zeta1) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0,
-                                                             zeta1);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(vector, zeta0, zeta1);
 }
 
 KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(
@@ -418,25 +461,30 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(
                                 __m256i);
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea(
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_9a(
     __m256i vector, int16_t zeta) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(vector, zeta);
 }
 
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i v) {
+libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i vec) {
   __m256i k = mm256_mullo_epi16(
-      v,
+      vec,
       mm256_set1_epi32(
           (int32_t)
               LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R));
   __m256i k_times_modulus = mm256_mulhi_epi16(
       k, mm256_set1_epi32((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS));
-  __m256i value_high = mm256_srli_epi32((int32_t)16, v, __m256i);
+  __m256i value_high = mm256_srli_epi32((int32_t)16, vec, __m256i);
   __m256i result = mm256_sub_epi16(value_high, k_times_modulus);
   __m256i result0 = mm256_slli_epi32((int32_t)16, result, __m256i);
   return mm256_srai_epi32((int32_t)16, result0, __m256i);
@@ -499,15 +547,22 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(
                            __m256i);
 }
 
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply(
+    __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0,
+                                                     zeta1, zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_ea(
+KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_9a(
     __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0,
-                                                     zeta1, zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2,
+                                                 zeta3);
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1(
@@ -517,68 +572,89 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1(
   __m128i high_msbs = mm256_extracti128_si256((int32_t)1, lsb_to_msb, __m128i);
   __m128i msbs = mm_packs_epi16(low_msbs, high_msbs);
   int32_t bits_packed = mm_movemask_epi8(msbs);
-  uint8_t serialized[2U] = {0U};
-  serialized[0U] = (uint8_t)bits_packed;
-  serialized[1U] = (uint8_t)(bits_packed >> 8U);
-  memcpy(ret, serialized, (size_t)2U * sizeof(uint8_t));
+  uint8_t result[2U] = {(uint8_t)bits_packed, (uint8_t)(bits_packed >> 8U)};
+  memcpy(ret, result, (size_t)2U * sizeof(uint8_t));
+}
+
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1(__m256i vector,
+                                                            uint8_t ret[2U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_ea(
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_9a(
     __m256i vector, uint8_t ret[2U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_1(vector, ret);
 }
 
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) {
-  __m256i coefficients = mm256_set_epi16(
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *));
-  __m256i shift_lsb_to_msb = mm256_set_epi16(
-      (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U,
-      (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768,
-      (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U,
-      (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768);
-  __m256i coefficients_in_msb =
-      mm256_mullo_epi16(coefficients, shift_lsb_to_msb);
+libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s(
+    int16_t a, int16_t b) {
+  __m256i coefficients =
+      mm256_set_epi16(b, b, b, b, b, b, b, b, a, a, a, a, a, a, a, a);
+  __m256i coefficients_in_msb = mm256_mullo_epi16(
+      coefficients,
+      mm256_set_epi16((int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U,
+                      (int16_t)1 << 11U, (int16_t)1 << 12U, (int16_t)1 << 13U,
+                      (int16_t)1 << 14U, (int16_t)-32768, (int16_t)1 << 8U,
+                      (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U,
+                      (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U,
+                      (int16_t)-32768));
   return mm256_srli_epi16((int32_t)15, coefficients_in_msb, __m256i);
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s(
+    uint8_t a, uint8_t b) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s(
+      (int16_t)a, (int16_t)b);
+}
+
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s(
+      Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *));
+}
+
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_1(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_1_ea(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes);
+libcrux_ml_kem_vector_avx2_deserialize_1_9a(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_deserialize_1(bytes);
+}
+
+/**
+ `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets
+ of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of
+ 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last
+ `n` bits are non-zero).
+*/
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n,
+                                                          __m256i x) {
+  int16_t n0 = (int16_t)1 << (uint32_t)n;
+  return mm256_madd_epi16(
+      x, mm256_set_epi16(n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0,
+                         (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0,
+                         (int16_t)1, n0, (int16_t)1));
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4(
     __m256i vector, uint8_t ret[8U]) {
   uint8_t serialized[16U] = {0U};
-  __m256i adjacent_2_combined = mm256_madd_epi16(
-      vector, mm256_set_epi16(
-                  (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1,
-                  (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1,
-                  (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1,
-                  (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1));
+  __m256i adjacent_2_combined =
+      libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(4U, vector);
   __m256i adjacent_8_combined = mm256_shuffle_epi8(
       adjacent_2_combined,
       mm256_set_epi8((int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1,
@@ -605,54 +681,74 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4(
   memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t));
 }
 
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4(__m256i vector,
+                                                            uint8_t ret[8U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_ea(
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_9a(
     __m256i vector, uint8_t ret[8U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_4(vector, ret);
 }
 
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) {
-  __m256i coefficients = mm256_set_epi16(
-      (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *));
-  __m256i shift_lsbs_to_msbs = mm256_set_epi16(
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U);
-  __m256i coefficients_in_msb =
-      mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs);
+libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s(
+    int16_t b0, int16_t b1, int16_t b2, int16_t b3, int16_t b4, int16_t b5,
+    int16_t b6, int16_t b7) {
+  __m256i coefficients = mm256_set_epi16(b7, b7, b6, b6, b5, b5, b4, b4, b3, b3,
+                                         b2, b2, b1, b1, b0, b0);
+  __m256i coefficients_in_msb = mm256_mullo_epi16(
+      coefficients,
+      mm256_set_epi16((int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                      (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
+                      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                      (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
+                      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                      (int16_t)1 << 4U));
   __m256i coefficients_in_lsb =
       mm256_srli_epi16((int32_t)4, coefficients_in_msb, __m256i);
   return mm256_and_si256(coefficients_in_lsb,
                          mm256_set1_epi16(((int16_t)1 << 4U) - (int16_t)1));
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s(
+    uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5,
+    uint8_t b6, uint8_t b7) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s(
+      (int16_t)b0, (int16_t)b1, (int16_t)b2, (int16_t)b3, (int16_t)b4,
+      (int16_t)b5, (int16_t)b6, (int16_t)b7);
+}
+
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s(
+      Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *));
+}
+
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_4(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_4_ea(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes);
+libcrux_ml_kem_vector_avx2_deserialize_4_9a(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_deserialize_4(bytes);
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_5(
@@ -699,13 +795,29 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_5(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_ea(
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_9a(
     __m256i vector, uint8_t ret[10U]) {
   libcrux_ml_kem_vector_avx2_serialize_serialize_5(vector, ret);
 }
 
+/**
+ We cannot model `mm256_inserti128_si256` on its own: it produces a
+ Vec256 where the upper 128 bits are undefined. Thus
+ `mm256_inserti128_si256` is not pure.
+
+ Luckily, we always call `mm256_castsi128_si256` right after
+ `mm256_inserti128_si256`: this composition sets the upper bits,
+ making the whole computation pure again.
+*/
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(__m128i lower,
+                                                                __m128i upper) {
+  return mm256_inserti128_si256((int32_t)1, mm256_castsi128_si256(lower), upper,
+                                __m256i);
+}
+
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) {
   __m128i coefficients =
@@ -725,11 +837,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) {
                   Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
                   Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
                   Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *));
-  __m256i coefficients_loaded = mm256_castsi128_si256(coefficients);
-  __m256i coefficients_loaded0 = mm256_inserti128_si256(
-      (int32_t)1, coefficients_loaded, coefficients, __m256i);
+  __m256i coefficients_loaded =
+      libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(
+          coefficients, coefficients);
   __m256i coefficients0 = mm256_shuffle_epi8(
-      coefficients_loaded0,
+      coefficients_loaded,
       mm256_set_epi8((int8_t)15, (int8_t)14, (int8_t)15, (int8_t)14, (int8_t)13,
                      (int8_t)12, (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)10,
                      (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, (int8_t)9,
@@ -750,23 +862,18 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_5_ea(Eurydice_slice bytes) {
+libcrux_ml_kem_vector_avx2_deserialize_5_9a(Eurydice_slice bytes) {
   return libcrux_ml_kem_vector_avx2_serialize_deserialize_5(bytes);
 }
 
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
-    __m256i vector, uint8_t ret[20U]) {
-  uint8_t serialized[32U] = {0U};
-  __m256i adjacent_2_combined = mm256_madd_epi16(
-      vector, mm256_set_epi16((int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U,
-                              (int16_t)1, (int16_t)1 << 10U, (int16_t)1,
-                              (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U,
-                              (int16_t)1, (int16_t)1 << 10U, (int16_t)1,
-                              (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U,
-                              (int16_t)1));
+core_core_arch_x86___m128i_x2
+libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec(
+    __m256i vector) {
+  __m256i adjacent_2_combined =
+      libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(10U, vector);
   __m256i adjacent_4_combined = mm256_sllv_epi32(
       adjacent_2_combined,
       mm256_set_epi32((int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12,
@@ -783,11 +890,23 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
                      (int8_t)9, (int8_t)8, (int8_t)4, (int8_t)3, (int8_t)2,
                      (int8_t)1, (int8_t)0));
   __m128i lower_8 = mm256_castsi256_si128(adjacent_8_combined);
+  __m128i upper_8 =
+      mm256_extracti128_si256((int32_t)1, adjacent_8_combined, __m128i);
+  return (
+      CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8});
+}
+
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
+    __m256i vector, uint8_t ret[20U]) {
+  core_core_arch_x86___m128i_x2 uu____0 =
+      libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec(
+          vector);
+  __m128i lower_8 = uu____0.fst;
+  __m128i upper_8 = uu____0.snd;
+  uint8_t serialized[32U] = {0U};
   mm_storeu_bytes_si128(
       Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t),
       lower_8);
-  __m128i upper_8 =
-      mm256_extracti128_si256((int32_t)1, adjacent_8_combined, __m128i);
   mm_storeu_bytes_si128(Eurydice_array_to_subslice2(serialized, (size_t)10U,
                                                     (size_t)26U, uint8_t),
                         upper_8);
@@ -801,48 +920,67 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
   memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t));
 }
 
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10(__m256i vector,
+                                                             uint8_t ret[20U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_ea(
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_9a(
     __m256i vector, uint8_t ret[20U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_10(vector, ret);
 }
 
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) {
-  __m256i shift_lsbs_to_msbs = mm256_set_epi16(
-      (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U,
-      (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U,
-      (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U,
-      (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U);
-  __m128i lower_coefficients = mm_loadu_si128(
-      Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t));
-  __m128i lower_coefficients0 = mm_shuffle_epi8(
-      lower_coefficients, mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U,
-                                      3U, 2U, 2U, 1U, 1U, 0U));
-  __m128i upper_coefficients = mm_loadu_si128(
-      Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t));
-  __m128i upper_coefficients0 = mm_shuffle_epi8(
-      upper_coefficients, mm_set_epi8(15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U,
-                                      10U, 9U, 9U, 8U, 8U, 7U, 7U, 6U));
-  __m256i coefficients = mm256_castsi128_si256(lower_coefficients0);
-  __m256i coefficients0 = mm256_inserti128_si256((int32_t)1, coefficients,
-                                                 upper_coefficients0, __m256i);
-  __m256i coefficients1 = mm256_mullo_epi16(coefficients0, shift_lsbs_to_msbs);
-  __m256i coefficients2 = mm256_srli_epi16((int32_t)6, coefficients1, __m256i);
-  return mm256_and_si256(coefficients2,
+libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec(
+    __m128i lower_coefficients0, __m128i upper_coefficients0) {
+  __m128i lower_coefficients = mm_shuffle_epi8(
+      lower_coefficients0, mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U,
+                                       3U, 2U, 2U, 1U, 1U, 0U));
+  __m128i upper_coefficients = mm_shuffle_epi8(
+      upper_coefficients0, mm_set_epi8(15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U,
+                                       10U, 9U, 9U, 8U, 8U, 7U, 7U, 6U));
+  __m256i coefficients =
+      libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(
+          lower_coefficients, upper_coefficients);
+  __m256i coefficients0 = mm256_mullo_epi16(
+      coefficients,
+      mm256_set_epi16((int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U,
+                      (int16_t)1 << 6U, (int16_t)1 << 0U, (int16_t)1 << 2U,
+                      (int16_t)1 << 4U, (int16_t)1 << 6U, (int16_t)1 << 0U,
+                      (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U,
+                      (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U,
+                      (int16_t)1 << 6U));
+  __m256i coefficients1 = mm256_srli_epi16((int32_t)6, coefficients0, __m256i);
+  return mm256_and_si256(coefficients1,
                          mm256_set1_epi16(((int16_t)1 << 10U) - (int16_t)1));
 }
 
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) {
+  Eurydice_slice lower_coefficients =
+      Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t);
+  Eurydice_slice upper_coefficients =
+      Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t);
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec(
+      mm_loadu_si128(lower_coefficients), mm_loadu_si128(upper_coefficients));
+}
+
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_10(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_10_ea(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes);
+libcrux_ml_kem_vector_avx2_deserialize_10_9a(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_deserialize_10(bytes);
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_11(
@@ -851,18 +989,18 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_11(
   mm256_storeu_si256_i16(Eurydice_array_to_slice((size_t)16U, array, int16_t),
                          vector);
   libcrux_ml_kem_vector_portable_vector_type_PortableVector input =
-      libcrux_ml_kem_vector_portable_from_i16_array_0d(
+      libcrux_ml_kem_vector_portable_from_i16_array_2c(
           Eurydice_array_to_slice((size_t)16U, array, int16_t));
   uint8_t ret0[22U];
-  libcrux_ml_kem_vector_portable_serialize_11_0d(input, ret0);
+  libcrux_ml_kem_vector_portable_serialize_11_2c(input, ret0);
   memcpy(ret, ret0, (size_t)22U * sizeof(uint8_t));
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_11_ea(
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_11_9a(
     __m256i vector, uint8_t ret[22U]) {
   libcrux_ml_kem_vector_avx2_serialize_serialize_11(vector, ret);
 }
@@ -870,32 +1008,27 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_11_ea(
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_serialize_deserialize_11(Eurydice_slice bytes) {
   libcrux_ml_kem_vector_portable_vector_type_PortableVector output =
-      libcrux_ml_kem_vector_portable_deserialize_11_0d(bytes);
+      libcrux_ml_kem_vector_portable_deserialize_11_2c(bytes);
   int16_t array[16U];
-  libcrux_ml_kem_vector_portable_to_i16_array_0d(output, array);
+  libcrux_ml_kem_vector_portable_to_i16_array_2c(output, array);
   return mm256_loadu_si256_i16(
       Eurydice_array_to_slice((size_t)16U, array, int16_t));
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_11_ea(Eurydice_slice bytes) {
+libcrux_ml_kem_vector_avx2_deserialize_11_9a(Eurydice_slice bytes) {
   return libcrux_ml_kem_vector_avx2_serialize_deserialize_11(bytes);
 }
 
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
-    __m256i vector, uint8_t ret[24U]) {
-  uint8_t serialized[32U] = {0U};
-  __m256i adjacent_2_combined = mm256_madd_epi16(
-      vector, mm256_set_epi16((int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U,
-                              (int16_t)1, (int16_t)1 << 12U, (int16_t)1,
-                              (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U,
-                              (int16_t)1, (int16_t)1 << 12U, (int16_t)1,
-                              (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U,
-                              (int16_t)1));
+KRML_MUSTINLINE core_core_arch_x86___m128i_x2
+libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec(
+    __m256i vector) {
+  __m256i adjacent_2_combined =
+      libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(12U, vector);
   __m256i adjacent_4_combined = mm256_sllv_epi32(
       adjacent_2_combined,
       mm256_set_epi32((int32_t)0, (int32_t)8, (int32_t)0, (int32_t)8,
@@ -914,6 +1047,18 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
   __m128i lower_8 = mm256_castsi256_si128(adjacent_8_combined);
   __m128i upper_8 =
       mm256_extracti128_si256((int32_t)1, adjacent_8_combined, __m128i);
+  return (
+      CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8});
+}
+
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
+    __m256i vector, uint8_t ret[24U]) {
+  uint8_t serialized[32U] = {0U};
+  core_core_arch_x86___m128i_x2 uu____0 =
+      libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec(
+          vector);
+  __m128i lower_8 = uu____0.fst;
+  __m128i upper_8 = uu____0.snd;
   mm_storeu_bytes_si128(
       Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t),
       lower_8);
@@ -930,48 +1075,67 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
   memcpy(ret, ret0, (size_t)24U * sizeof(uint8_t));
 }
 
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12(__m256i vector,
+                                                             uint8_t ret[24U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_ea(
+KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_9a(
     __m256i vector, uint8_t ret[24U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_12(vector, ret);
+}
+
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec(
+    __m128i lower_coefficients0, __m128i upper_coefficients0) {
+  __m128i lower_coefficients = mm_shuffle_epi8(
+      lower_coefficients0, mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U,
+                                       4U, 4U, 3U, 2U, 1U, 1U, 0U));
+  __m128i upper_coefficients = mm_shuffle_epi8(
+      upper_coefficients0, mm_set_epi8(15U, 14U, 14U, 13U, 12U, 11U, 11U, 10U,
+                                       9U, 8U, 8U, 7U, 6U, 5U, 5U, 4U));
+  __m256i coefficients =
+      libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(
+          lower_coefficients, upper_coefficients);
+  __m256i coefficients0 = mm256_mullo_epi16(
+      coefficients,
+      mm256_set_epi16((int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                      (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
+                      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                      (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
+                      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                      (int16_t)1 << 4U));
+  __m256i coefficients1 = mm256_srli_epi16((int32_t)4, coefficients0, __m256i);
+  return mm256_and_si256(coefficients1,
+                         mm256_set1_epi16(((int16_t)1 << 12U) - (int16_t)1));
 }
 
 KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) {
-  __m256i shift_lsbs_to_msbs = mm256_set_epi16(
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U);
   __m128i lower_coefficients = mm_loadu_si128(
       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t));
-  __m128i lower_coefficients0 = mm_shuffle_epi8(
-      lower_coefficients, mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U, 4U,
-                                      4U, 3U, 2U, 1U, 1U, 0U));
   __m128i upper_coefficients = mm_loadu_si128(
       Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t));
-  __m128i upper_coefficients0 = mm_shuffle_epi8(
-      upper_coefficients, mm_set_epi8(15U, 14U, 14U, 13U, 12U, 11U, 11U, 10U,
-                                      9U, 8U, 8U, 7U, 6U, 5U, 5U, 4U));
-  __m256i coefficients = mm256_castsi128_si256(lower_coefficients0);
-  __m256i coefficients0 = mm256_inserti128_si256((int32_t)1, coefficients,
-                                                 upper_coefficients0, __m256i);
-  __m256i coefficients1 = mm256_mullo_epi16(coefficients0, shift_lsbs_to_msbs);
-  __m256i coefficients2 = mm256_srli_epi16((int32_t)4, coefficients1, __m256i);
-  return mm256_and_si256(coefficients2,
-                         mm256_set1_epi16(((int16_t)1 << 12U) - (int16_t)1));
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec(
+      lower_coefficients, upper_coefficients);
+}
+
+KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_12(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_12_ea(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes);
+libcrux_ml_kem_vector_avx2_deserialize_12_9a(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_deserialize_12(bytes);
 }
 
 KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample(
@@ -1017,9 +1181,9 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_ea(
+KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_9a(
     Eurydice_slice input, Eurydice_slice output) {
   return libcrux_ml_kem_vector_avx2_sampling_rejection_sample(input, output);
 }
@@ -1032,35 +1196,43 @@ inline __m256i libcrux_ml_kem_vector_avx2_clone_3a(__m256i *self) {
   return self[0U];
 }
 
+/**
+This function found in impl {(libcrux_ml_kem::vector::traits::Repr for
+libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+*/
+void libcrux_ml_kem_vector_avx2_repr_11(__m256i x, int16_t ret[16U]) {
+  libcrux_ml_kem_vector_avx2_vec_to_i16_array(x, ret);
+}
+
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_ef
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
-static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ZERO_d6_79(void) {
+static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ZERO_ef_79(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit;
-  lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
+  lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
   return lit;
 }
 
@@ -1078,15 +1250,15 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 deserialize_to_reduced_ring_element_79(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes);
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_9a(bytes);
     re.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(coefficient);
+        libcrux_ml_kem_vector_avx2_cond_subtract_3329_9a(coefficient);
   }
   return re;
 }
@@ -1098,10 +1270,9 @@ deserialize_to_reduced_ring_element_79(Eurydice_slice serialized) {
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1184
 - K= 3
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_b1(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_ab(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) {
   for (size_t i = (size_t)0U;
@@ -1130,16 +1301,15 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_b1(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1184
 - K= 3
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_b1(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_ab(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  deserialized_pk[i] = ZERO_d6_79(););
-  deserialize_ring_elements_reduced_b1(public_key, deserialized_pk);
+                  deserialized_pk[i] = ZERO_ef_79(););
+  deserialize_ring_elements_reduced_ab(public_key, deserialized_pk);
   memcpy(
       ret, deserialized_pk,
       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6));
@@ -1156,14 +1326,14 @@ static KRML_MUSTINLINE __m256i shift_right_ef(__m256i vector) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.shift_right_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.shift_right_9a
 with const generics
 - SHIFT_BY= 15
 */
-static KRML_MUSTINLINE __m256i shift_right_ea_ef(__m256i vector) {
+static KRML_MUSTINLINE __m256i shift_right_9a_ef(__m256i vector) {
   return shift_right_ef(vector);
 }
 
@@ -1174,10 +1344,20 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 
 */
 static KRML_MUSTINLINE __m256i to_unsigned_representative_79(__m256i a) {
-  __m256i t = shift_right_ea_ef(a);
-  __m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea(
+  __m256i t = shift_right_9a_ef(a);
+  __m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_9a(
       t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
-  return libcrux_ml_kem_vector_avx2_add_ea(a, &fm);
+  return libcrux_ml_kem_vector_avx2_add_9a(a, &fm);
+}
+
+/**
+A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_modulus
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE __m256i to_unsigned_field_modulus_79(__m256i a) {
+  return to_unsigned_representative_79(a);
 }
 
 /**
@@ -1192,9 +1372,9 @@ static KRML_MUSTINLINE void serialize_uncompressed_ring_element_79(
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
-    __m256i coefficient = to_unsigned_representative_79(re->coefficients[i0]);
+    __m256i coefficient = to_unsigned_field_modulus_79(re->coefficients[i0]);
     uint8_t bytes[24U];
-    libcrux_ml_kem_vector_avx2_serialize_12_ea(coefficient, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_12_9a(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t);
     Eurydice_slice_copy(
@@ -1300,7 +1480,7 @@ with const generics
 */
 bool libcrux_ml_kem_ind_cca_validate_public_key_ed(uint8_t *public_key) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U];
-  deserialize_ring_elements_reduced_out_b1(
+  deserialize_ring_elements_reduced_out_ab(
       Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U,
                                     uint8_t, size_t),
       deserialized_pk);
@@ -1398,9 +1578,9 @@ with const generics
 */
 static IndCpaPrivateKeyUnpacked_63 default_1a_ab(void) {
   IndCpaPrivateKeyUnpacked_63 lit;
-  lit.secret_as_ntt[0U] = ZERO_d6_79();
-  lit.secret_as_ntt[1U] = ZERO_d6_79();
-  lit.secret_as_ntt[2U] = ZERO_d6_79();
+  lit.secret_as_ntt[0U] = ZERO_ef_79();
+  lit.secret_as_ntt[1U] = ZERO_ef_79();
+  lit.secret_as_ntt[2U] = ZERO_ef_79();
   return lit;
 }
 
@@ -1430,22 +1610,22 @@ with const generics
 static IndCpaPublicKeyUnpacked_63 default_8d_ab(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  uu____0[i] = ZERO_d6_79(););
+                  uu____0[i] = ZERO_ef_79(););
   uint8_t uu____1[32U] = {0U};
   IndCpaPublicKeyUnpacked_63 lit;
   memcpy(
       lit.t_as_ntt, uu____0,
       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6));
   memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t));
-  lit.A[0U][0U] = ZERO_d6_79();
-  lit.A[0U][1U] = ZERO_d6_79();
-  lit.A[0U][2U] = ZERO_d6_79();
-  lit.A[1U][0U] = ZERO_d6_79();
-  lit.A[1U][1U] = ZERO_d6_79();
-  lit.A[1U][2U] = ZERO_d6_79();
-  lit.A[2U][0U] = ZERO_d6_79();
-  lit.A[2U][1U] = ZERO_d6_79();
-  lit.A[2U][2U] = ZERO_d6_79();
+  lit.A[0U][0U] = ZERO_ef_79();
+  lit.A[0U][1U] = ZERO_ef_79();
+  lit.A[0U][2U] = ZERO_ef_79();
+  lit.A[1U][0U] = ZERO_ef_79();
+  lit.A[1U][1U] = ZERO_ef_79();
+  lit.A[1U][2U] = ZERO_ef_79();
+  lit.A[2U][0U] = ZERO_ef_79();
+  lit.A[2U][1U] = ZERO_ef_79();
+  lit.A[2U][2U] = ZERO_ef_79();
   return lit;
 }
 
@@ -1489,11 +1669,12 @@ static KRML_MUSTINLINE void cpa_keygen_seed_d8_be(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const
+generics
 - K= 3
 */
 static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
-shake128_init_absorb_e0(uint8_t input[3U][34U]) {
+shake128_init_absorb_final_e0(uint8_t input[3U][34U]) {
   libcrux_sha3_generic_keccak_KeccakState_55 state =
       libcrux_sha3_avx2_x4_incremental_init();
   libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(
@@ -1510,24 +1691,25 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_a9 with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_a9 with const
+generics
 - K= 3
 */
 static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
-shake128_init_absorb_a9_e0(uint8_t input[3U][34U]) {
+shake128_init_absorb_final_a9_e0(uint8_t input[3U][34U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_input[3U][34U];
   memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U]));
-  return shake128_init_absorb_e0(copy_of_input);
+  return shake128_init_absorb_final_e0(copy_of_input);
 }
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks with const
-generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with
+const generics
 - K= 3
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_e0(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_e0(
     libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[3U][504U]) {
   uint8_t out[3U][504U] = {{0U}};
   uint8_t out0[504U] = {0U};
@@ -1557,13 +1739,13 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks_a9 with const
-generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_a9 with
+const generics
 - K= 3
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_a9_e0(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_a9_e0(
     libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][504U]) {
-  shake128_squeeze_three_blocks_e0(self, ret);
+  shake128_squeeze_first_three_blocks_e0(self, ret);
 }
 
 /**
@@ -1626,7 +1808,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ed(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea(
+          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_9a(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -1648,10 +1830,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ed(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const
+generics
 - K= 3
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_e0(
+static KRML_MUSTINLINE void shake128_squeeze_next_block_e0(
     libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[3U][168U]) {
   uint8_t out[3U][168U] = {{0U}};
   uint8_t out0[168U] = {0U};
@@ -1681,12 +1864,13 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block_a9 with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_a9 with const
+generics
 - K= 3
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_a9_e0(
+static KRML_MUSTINLINE void shake128_squeeze_next_block_a9_e0(
     libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][168U]) {
-  shake128_squeeze_block_e0(self, ret);
+  shake128_squeeze_next_block_e0(self, ret);
 }
 
 /**
@@ -1749,7 +1933,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ed0(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea(
+          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_9a(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -1770,29 +1954,67 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ed0(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
 */
+static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ZERO_79(void) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit;
+  lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  return lit;
+}
+
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-from_i16_array_d6_79(Eurydice_slice a) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79();
+from_i16_array_79(Eurydice_slice a) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_79();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     result.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice_subslice2(
+        libcrux_ml_kem_vector_avx2_from_i16_array_9a(Eurydice_slice_subslice2(
             a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t));
   }
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+from_i16_array_ef_79(Eurydice_slice a) {
+  return from_i16_array_79(a);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.closure
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -1801,7 +2023,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 */
 static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 closure_6c1(
     int16_t s[272U]) {
-  return from_i16_array_d6_79(
+  return from_i16_array_ef_79(
       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
 }
 
@@ -1820,9 +2042,9 @@ static KRML_MUSTINLINE void sample_from_xof_6c1(
   uint8_t copy_of_seeds[3U][34U];
   memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U]));
   libcrux_sha3_avx2_x4_incremental_KeccakState xof_state =
-      shake128_init_absorb_a9_e0(copy_of_seeds);
+      shake128_init_absorb_final_a9_e0(copy_of_seeds);
   uint8_t randomness0[3U][504U];
-  shake128_squeeze_three_blocks_a9_e0(&xof_state, randomness0);
+  shake128_squeeze_first_three_blocks_a9_e0(&xof_state, randomness0);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness0[3U][504U];
   memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U]));
@@ -1833,7 +2055,7 @@ static KRML_MUSTINLINE void sample_from_xof_6c1(
       break;
     } else {
       uint8_t randomness[3U][168U];
-      shake128_squeeze_block_a9_e0(&xof_state, randomness);
+      shake128_squeeze_next_block_a9_e0(&xof_state, randomness);
       /* Passing arrays by value in Rust generates a copy in C */
       uint8_t copy_of_randomness[3U][168U];
       memcpy(copy_of_randomness, randomness,
@@ -2033,7 +2255,7 @@ sample_from_binomial_distribution_2_79(Eurydice_slice randomness) {
       sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2;
     }
   }
-  return from_i16_array_d6_79(
+  return from_i16_array_ef_79(
       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
 }
 
@@ -2077,7 +2299,7 @@ sample_from_binomial_distribution_3_79(Eurydice_slice randomness) {
       sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2;
     }
   }
-  return from_i16_array_d6_79(
+  return from_i16_array_ef_79(
       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
 }
 
@@ -2103,12 +2325,12 @@ static KRML_MUSTINLINE void ntt_at_layer_7_79(
   size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U;
   for (size_t i = (size_t)0U; i < step; i++) {
     size_t j = i;
-    __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_ea(
+    __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_9a(
         re->coefficients[j + step], (int16_t)-1600);
     re->coefficients[j + step] =
-        libcrux_ml_kem_vector_avx2_sub_ea(re->coefficients[j], &t);
+        libcrux_ml_kem_vector_avx2_sub_9a(re->coefficients[j], &t);
     re->coefficients[j] =
-        libcrux_ml_kem_vector_avx2_add_ea(re->coefficients[j], &t);
+        libcrux_ml_kem_vector_avx2_add_9a(re->coefficients[j], &t);
   }
 }
 
@@ -2125,7 +2347,7 @@ with const generics
 */
 static KRML_MUSTINLINE __m256i montgomery_multiply_fe_79(__m256i v,
                                                          int16_t fer) {
-  return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(v, fer);
+  return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(v, fer);
 }
 
 /**
@@ -2137,8 +2359,8 @@ with const generics
 static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2
 ntt_layer_int_vec_step_79(__m256i a, __m256i b, int16_t zeta_r) {
   __m256i t = montgomery_multiply_fe_79(b, zeta_r);
-  b = libcrux_ml_kem_vector_avx2_sub_ea(a, &t);
-  a = libcrux_ml_kem_vector_avx2_add_ea(a, &t);
+  b = libcrux_ml_kem_vector_avx2_sub_9a(a, &t);
+  a = libcrux_ml_kem_vector_avx2_add_9a(a, &t);
   return (CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a,
                                                                 .snd = b});
 }
@@ -2162,9 +2384,9 @@ static KRML_MUSTINLINE void ntt_at_layer_4_plus_79(
     for (size_t i = offset_vec; i < offset_vec + step_vec; i++) {
       size_t j = i;
       libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 =
-          ntt_layer_int_vec_step_79(
-              re->coefficients[j], re->coefficients[j + step_vec],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+          ntt_layer_int_vec_step_79(re->coefficients[j],
+                                    re->coefficients[j + step_vec],
+                                    libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       __m256i x = uu____0.fst;
       __m256i y = uu____0.snd;
       re->coefficients[j] = x;
@@ -2184,9 +2406,9 @@ static KRML_MUSTINLINE void ntt_at_layer_3_79(
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] + (size_t)1U;
-      re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea(
+      re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_9a(
           re->coefficients[round],
-          libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]););
+          libcrux_ml_kem_polynomial_zeta(zeta_i[0U])););
 }
 
 /**
@@ -2200,11 +2422,9 @@ static KRML_MUSTINLINE void ntt_at_layer_2_79(
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] + (size_t)1U;
-      re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea(
-          re->coefficients[round],
-          libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-          libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                             (size_t)1U]);
+      re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_9a(
+          re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+          libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U));
       zeta_i[0U] = zeta_i[0U] + (size_t)1U;);
 }
 
@@ -2219,37 +2439,44 @@ static KRML_MUSTINLINE void ntt_at_layer_1_79(
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] + (size_t)1U;
-      re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea(
-          re->coefficients[round],
-          libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-          libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                             (size_t)1U],
-          libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                             (size_t)2U],
-          libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                             (size_t)3U]);
+      re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_9a(
+          re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+          libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U),
+          libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U),
+          libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U));
       zeta_i[0U] = zeta_i[0U] + (size_t)3U;);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE void poly_barrett_reduce_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself) {
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    myself->coefficients[i0] =
+        libcrux_ml_kem_vector_avx2_barrett_reduce_9a(myself->coefficients[i0]);
+  }
+}
+
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_ef
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
-static KRML_MUSTINLINE void poly_barrett_reduce_d6_79(
+static KRML_MUSTINLINE void poly_barrett_reduce_ef_79(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) {
-  for (size_t i = (size_t)0U;
-       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
-    size_t i0 = i;
-    self->coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_barrett_reduce_ea(self->coefficients[i0]);
-  }
+  poly_barrett_reduce_79(self);
 }
 
 /**
@@ -2268,7 +2495,7 @@ static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_79(
   ntt_at_layer_3_79(&zeta_i, re);
   ntt_at_layer_2_79(&zeta_i, re);
   ntt_at_layer_1_79(&zeta_i, re);
-  poly_barrett_reduce_d6_79(re);
+  poly_barrett_reduce_ef_79(re);
 }
 
 /**
@@ -2293,9 +2520,8 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_b41(
   KRML_MAYBE_FOR3(
       i, (size_t)0U, (size_t)3U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator);
   uint8_t prf_outputs[3U][128U];
   PRFxN_a9_41(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR3(
@@ -2329,7 +2555,7 @@ static KRML_MUSTINLINE tuple_23 sample_vector_cbd_then_ntt_out_b41(
     uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  re_as_ntt[i] = ZERO_d6_79(););
+                  re_as_ntt[i] = ZERO_ef_79(););
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt;
   uint8_t uu____1[33U];
   memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -2376,69 +2602,89 @@ static KRML_MUSTINLINE tuple_23 sample_vector_cbd_then_ntt_out_b41(
  <https://csrc.nist.gov/pubs/fips/203/ipd>.
 */
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-ntt_multiply_d6_79(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
-                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = ZERO_d6_79();
+ntt_multiply_79(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
+                libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = ZERO_79();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
-    out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_ea(
-        &self->coefficients[i0], &rhs->coefficients[i0],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                           (size_t)4U * i0],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                           (size_t)4U * i0 +
-                                                           (size_t)1U],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                           (size_t)4U * i0 +
-                                                           (size_t)2U],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                           (size_t)4U * i0 +
-                                                           (size_t)3U]);
+    out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_9a(
+        &myself->coefficients[i0], &rhs->coefficients[i0],
+        libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0),
+        libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                       (size_t)1U),
+        libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                       (size_t)2U),
+        libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                       (size_t)3U));
   }
   return out;
 }
 
-/**
- Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
- sum of their constituent coefficients.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+ntt_multiply_ef_79(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  return ntt_multiply_79(self, rhs);
+}
+
+/**
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 3
 */
-static KRML_MUSTINLINE void add_to_ring_element_d6_ab(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void add_to_ring_element_ab(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(Eurydice_array_to_slice(
-                                  (size_t)16U, self->coefficients, __m256i),
+                                  (size_t)16U, myself->coefficients, __m256i),
                               __m256i);
        i++) {
     size_t i0 = i;
-    self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea(
-        self->coefficients[i0], &rhs->coefficients[i0]);
+    myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_9a(
+        myself->coefficients[i0], &rhs->coefficients[i0]);
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 3
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_ab(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  add_to_ring_element_ab(self, rhs);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.vector.traits.to_standard_domain
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
@@ -2446,35 +2692,47 @@ with const generics
 
 */
 static KRML_MUSTINLINE __m256i to_standard_domain_79(__m256i v) {
-  return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
+  return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
       v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
-static KRML_MUSTINLINE void add_standard_error_reduce_d6_79(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void add_standard_error_reduce_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     __m256i coefficient_normal_form =
-        to_standard_domain_79(self->coefficients[j]);
-    self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea(
-        libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form,
+        to_standard_domain_79(myself->coefficients[j]);
+    myself->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_9a(
+        libcrux_ml_kem_vector_avx2_add_9a(coefficient_normal_form,
                                           &error->coefficients[j]));
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE void add_standard_error_reduce_ef_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
+  add_standard_error_reduce_79(self, error);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -2498,7 +2756,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_ab(
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0];
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_79();
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_ef_79();
     t_as_ntt[i0] = uu____0;
     for (size_t i1 = (size_t)0U;
          i1 < Eurydice_slice_len(
@@ -2511,10 +2769,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_ab(
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element =
           &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-          ntt_multiply_d6_79(matrix_element, &s_as_ntt[j]);
-      add_to_ring_element_d6_ab(&t_as_ntt[i0], &product);
+          ntt_multiply_ef_79(matrix_element, &s_as_ntt[j]);
+      add_to_ring_element_ef_ab(&t_as_ntt[i0], &product);
     }
-    add_standard_error_reduce_d6_79(&t_as_ntt[i0], &error_as_ntt[i0]);
+    add_standard_error_reduce_ef_79(&t_as_ntt[i0], &error_as_ntt[i0]);
   }
 }
 
@@ -2721,9 +2979,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_mut_ae(
       implicit_rejection_value, uint8_t);
 }
 
-/**
- Serialize the secret key.
-*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key
 with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash
@@ -2757,7 +3012,7 @@ with const generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -2786,13 +3041,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_d61(uint8_t randomness[64U]) {
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)2400U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key =
-      libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_28(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[1184U];
   memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_74(
-      uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_74(
+      uu____2, libcrux_ml_kem_types_from_5f_d0(copy_of_public_key));
 }
 
 /**
@@ -2813,35 +3068,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_be(Eurydice_slice randomness,
   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
 
-/**
- See [deserialize_ring_elements_reduced_out].
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
-libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1152
-- K= 3
-*/
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_98(
-    Eurydice_slice public_key,
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) {
-  for (size_t i = (size_t)0U;
-       i < Eurydice_slice_len(public_key, uint8_t) /
-               LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
-       i++) {
-    size_t i0 = i;
-    Eurydice_slice ring_element = Eurydice_slice_subslice2(
-        public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
-            LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        uint8_t);
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 =
-        deserialize_to_reduced_ring_element_79(ring_element);
-    deserialized_pk[i0] = uu____0;
-  }
-}
-
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -2849,12 +3075,12 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 - K= 3
 - T_AS_NTT_ENCODED_SIZE= 1152
 */
-static void build_unpacked_public_key_mut_fa1(
+static KRML_MUSTINLINE void build_unpacked_public_key_mut_fa1(
     Eurydice_slice public_key,
     IndCpaPublicKeyUnpacked_63 *unpacked_public_key) {
   Eurydice_slice uu____0 =
       Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t);
-  deserialize_ring_elements_reduced_98(uu____0, unpacked_public_key->t_as_ntt);
+  deserialize_ring_elements_reduced_ab(uu____0, unpacked_public_key->t_as_ntt);
   Eurydice_slice seed =
       Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t);
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____1)[3U] =
@@ -2871,8 +3097,8 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 - K= 3
 - T_AS_NTT_ENCODED_SIZE= 1152
 */
-static IndCpaPublicKeyUnpacked_63 build_unpacked_public_key_fa1(
-    Eurydice_slice public_key) {
+static KRML_MUSTINLINE IndCpaPublicKeyUnpacked_63
+build_unpacked_public_key_fa1(Eurydice_slice public_key) {
   IndCpaPublicKeyUnpacked_63 unpacked_public_key = default_8d_ab();
   build_unpacked_public_key_mut_fa1(public_key, &unpacked_public_key);
   return unpacked_public_key;
@@ -2893,7 +3119,7 @@ static KRML_MUSTINLINE tuple_23
 sample_ring_element_cbd_b41(uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  error_1[i] = ZERO_d6_79(););
+                  error_1[i] = ZERO_ef_79(););
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_prf_input[33U];
   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -2901,9 +3127,8 @@ sample_ring_element_cbd_b41(uint8_t prf_input[33U], uint8_t domain_separator) {
   KRML_MAYBE_FOR3(
       i, (size_t)0U, (size_t)3U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator);
   uint8_t prf_outputs[3U][128U];
   PRFxN_a9_41(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR3(
@@ -2964,15 +3189,12 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_1_79(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] - (size_t)1U;
       re->coefficients[round] =
-          libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea(
+          libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_9a(
               re->coefficients[round],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                                 (size_t)1U],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                                 (size_t)2U],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                                 (size_t)3U]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U));
       zeta_i[0U] = zeta_i[0U] - (size_t)3U;);
 }
 
@@ -2988,11 +3210,10 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_2_79(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] - (size_t)1U;
       re->coefficients[round] =
-          libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea(
+          libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_9a(
               re->coefficients[round],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                                 (size_t)1U]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U));
       zeta_i[0U] = zeta_i[0U] - (size_t)1U;);
 }
 
@@ -3002,15 +3223,14 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
-static KRML_MUSTINLINE void invert_ntt_at_layer_3_79(
-    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) {
-  KRML_MAYBE_FOR16(
-      i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
-      zeta_i[0U] = zeta_i[0U] - (size_t)1U;
-      re->coefficients[round] =
-          libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea(
-              re->coefficients[round],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]););
+static KRML_MUSTINLINE void invert_ntt_at_layer_3_79(
+    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) {
+  KRML_MAYBE_FOR16(i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
+                   zeta_i[0U] = zeta_i[0U] - (size_t)1U;
+                   re->coefficients[round] =
+                       libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_9a(
+                           re->coefficients[round],
+                           libcrux_ml_kem_polynomial_zeta(zeta_i[0U])););
 }
 
 /**
@@ -3021,9 +3241,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2
 inv_ntt_layer_int_vec_step_reduce_79(__m256i a, __m256i b, int16_t zeta_r) {
-  __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_ea(b, &a);
-  a = libcrux_ml_kem_vector_avx2_barrett_reduce_ea(
-      libcrux_ml_kem_vector_avx2_add_ea(a, &b));
+  __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_9a(b, &a);
+  a = libcrux_ml_kem_vector_avx2_barrett_reduce_9a(
+      libcrux_ml_kem_vector_avx2_add_9a(a, &b));
   b = montgomery_multiply_fe_79(a_minus_b, zeta_r);
   return (CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a,
                                                                 .snd = b});
@@ -3052,7 +3272,7 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_79(
       libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 =
           inv_ntt_layer_int_vec_step_reduce_79(
               re->coefficients[j], re->coefficients[j + step_vec],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       __m256i x = uu____0.fst;
       __m256i y = uu____0.snd;
       re->coefficients[j] = x;
@@ -3078,35 +3298,47 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_ab(
   invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U);
   invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U);
   invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U);
-  poly_barrett_reduce_d6_79(re);
+  poly_barrett_reduce_ef_79(re);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
-static KRML_MUSTINLINE void add_error_reduce_d6_79(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void add_error_reduce_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     __m256i coefficient_normal_form =
-        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
-            self->coefficients[j], (int16_t)1441);
-    self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea(
-        libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form,
+        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
+            myself->coefficients[j], (int16_t)1441);
+    myself->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_9a(
+        libcrux_ml_kem_vector_avx2_add_9a(coefficient_normal_form,
                                           &error->coefficients[j]));
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE void add_error_reduce_ef_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
+  add_error_reduce_79(self, error);
+}
+
 /**
  Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 */
@@ -3123,7 +3355,7 @@ static KRML_MUSTINLINE void compute_vector_u_ab(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  result[i] = ZERO_d6_79(););
+                  result[i] = ZERO_ef_79(););
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(
                 Eurydice_array_to_slice(
@@ -3143,11 +3375,11 @@ static KRML_MUSTINLINE void compute_vector_u_ab(
       size_t j = i;
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-          ntt_multiply_d6_79(a_element, &r_as_ntt[j]);
-      add_to_ring_element_d6_ab(&result[i1], &product);
+          ntt_multiply_ef_79(a_element, &r_as_ntt[j]);
+      add_to_ring_element_ef_ab(&result[i1], &product);
     }
     invert_ntt_montgomery_ab(&result[i1]);
-    add_error_reduce_d6_79(&result[i1], &error_1[i1]);
+    add_error_reduce_ef_79(&result[i1], &error_1[i1]);
   }
   memcpy(
       ret, result,
@@ -3160,11 +3392,11 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
-static KRML_MUSTINLINE __m256i decompress_1_79(__m256i v) {
-  return libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea(
-      libcrux_ml_kem_vector_avx2_sub_ea(libcrux_ml_kem_vector_avx2_ZERO_ea(),
-                                        &v),
-      (int16_t)1665);
+static KRML_MUSTINLINE __m256i decompress_1_79(__m256i vec) {
+  __m256i z = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  __m256i s = libcrux_ml_kem_vector_avx2_sub_9a(z, &vec);
+  return libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_9a(s,
+                                                                 (int16_t)1665);
 }
 
 /**
@@ -3175,11 +3407,11 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 deserialize_then_decompress_message_79(uint8_t serialized[32U]) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_79();
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i;
       __m256i coefficient_compressed =
-          libcrux_ml_kem_vector_avx2_deserialize_1_ea(
+          libcrux_ml_kem_vector_avx2_deserialize_1_9a(
               Eurydice_array_to_subslice2(serialized, (size_t)2U * i0,
                                           (size_t)2U * i0 + (size_t)2U,
                                           uint8_t));
@@ -3188,37 +3420,51 @@ deserialize_then_decompress_message_79(uint8_t serialized[32U]) {
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-add_message_error_reduce_d6_79(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+add_message_error_reduce_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     __m256i coefficient_normal_form =
-        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
+        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
             result.coefficients[i0], (int16_t)1441);
-    __m256i tmp = libcrux_ml_kem_vector_avx2_add_ea(self->coefficients[i0],
+    __m256i tmp = libcrux_ml_kem_vector_avx2_add_9a(myself->coefficients[i0],
                                                     &message->coefficients[i0]);
     __m256i tmp0 =
-        libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form, &tmp);
+        libcrux_ml_kem_vector_avx2_add_9a(coefficient_normal_form, &tmp);
     result.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_barrett_reduce_ea(tmp0);
+        libcrux_ml_kem_vector_avx2_barrett_reduce_9a(tmp0);
   }
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+add_message_error_reduce_ef_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) {
+  return add_message_error_reduce_79(self, message, result);
+}
+
 /**
  Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 */
@@ -3234,13 +3480,13 @@ compute_ring_element_v_ab(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_79();
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-                      ntt_multiply_d6_79(&t_as_ntt[i0], &r_as_ntt[i0]);
-                  add_to_ring_element_d6_ab(&result, &product););
+                      ntt_multiply_ef_79(&t_as_ntt[i0], &r_as_ntt[i0]);
+                  add_to_ring_element_ef_ab(&result, &product););
   invert_ntt_montgomery_ab(&result);
-  result = add_message_error_reduce_d6_79(error_2, message, result);
+  result = add_message_error_reduce_ef_79(error_2, message, result);
   return result;
 }
 
@@ -3289,17 +3535,26 @@ compress_ciphertext_coefficient_ef(__m256i vector) {
   return mm256_permute4x64_epi64((int32_t)216, compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 10
+*/
+static KRML_MUSTINLINE __m256i compress_ef(__m256i vector) {
+  return compress_ciphertext_coefficient_ef(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_9a
 with const generics
 - COEFFICIENT_BITS= 10
 */
-static KRML_MUSTINLINE __m256i compress_ea_ef(__m256i vector) {
-  return compress_ciphertext_coefficient_ef(vector);
+static KRML_MUSTINLINE __m256i compress_9a_ef(__m256i vector) {
+  return compress_ef(vector);
 }
 
 /**
@@ -3315,9 +3570,9 @@ static KRML_MUSTINLINE void compress_then_serialize_10_0e0(
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     __m256i coefficient =
-        compress_ea_ef(to_unsigned_representative_79(re->coefficients[i0]));
+        compress_9a_ef(to_unsigned_field_modulus_79(re->coefficients[i0]));
     uint8_t bytes[20U];
-    libcrux_ml_kem_vector_avx2_serialize_10_ea(coefficient, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_10_9a(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t);
     Eurydice_slice_copy(
@@ -3371,17 +3626,26 @@ compress_ciphertext_coefficient_c4(__m256i vector) {
   return mm256_permute4x64_epi64((int32_t)216, compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 11
+*/
+static KRML_MUSTINLINE __m256i compress_c4(__m256i vector) {
+  return compress_ciphertext_coefficient_c4(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_9a
 with const generics
 - COEFFICIENT_BITS= 11
 */
-static KRML_MUSTINLINE __m256i compress_ea_c4(__m256i vector) {
-  return compress_ciphertext_coefficient_c4(vector);
+static KRML_MUSTINLINE __m256i compress_9a_c4(__m256i vector) {
+  return compress_c4(vector);
 }
 
 /**
@@ -3477,17 +3741,26 @@ compress_ciphertext_coefficient_d1(__m256i vector) {
   return mm256_permute4x64_epi64((int32_t)216, compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 4
+*/
+static KRML_MUSTINLINE __m256i compress_d1(__m256i vector) {
+  return compress_ciphertext_coefficient_d1(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_9a
 with const generics
 - COEFFICIENT_BITS= 4
 */
-static KRML_MUSTINLINE __m256i compress_ea_d1(__m256i vector) {
-  return compress_ciphertext_coefficient_d1(vector);
+static KRML_MUSTINLINE __m256i compress_9a_d1(__m256i vector) {
+  return compress_d1(vector);
 }
 
 /**
@@ -3503,9 +3776,9 @@ static KRML_MUSTINLINE void compress_then_serialize_4_79(
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     __m256i coefficient =
-        compress_ea_d1(to_unsigned_representative_79(re.coefficients[i0]));
+        compress_9a_d1(to_unsigned_field_modulus_79(re.coefficients[i0]));
     uint8_t bytes[8U];
-    libcrux_ml_kem_vector_avx2_serialize_4_ea(coefficient, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_4_9a(coefficient, bytes);
     Eurydice_slice_copy(
         Eurydice_slice_subslice2(serialized, (size_t)8U * i0,
                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
@@ -3558,17 +3831,26 @@ compress_ciphertext_coefficient_f4(__m256i vector) {
   return mm256_permute4x64_epi64((int32_t)216, compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 5
+*/
+static KRML_MUSTINLINE __m256i compress_f4(__m256i vector) {
+  return compress_ciphertext_coefficient_f4(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_9a
 with const generics
 - COEFFICIENT_BITS= 5
 */
-static KRML_MUSTINLINE __m256i compress_ea_f4(__m256i vector) {
-  return compress_ciphertext_coefficient_f4(vector);
+static KRML_MUSTINLINE __m256i compress_9a_f4(__m256i vector) {
+  return compress_f4(vector);
 }
 
 /**
@@ -3584,9 +3866,9 @@ static KRML_MUSTINLINE void compress_then_serialize_5_79(
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     __m256i coefficients =
-        compress_ea_f4(to_unsigned_representative_79(re.coefficients[i0]));
+        compress_9a_f4(to_unsigned_representative_79(re.coefficients[i0]));
     uint8_t bytes[10U];
-    libcrux_ml_kem_vector_avx2_serialize_5_ea(coefficients, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_5_9a(coefficients, bytes);
     Eurydice_slice_copy(
         Eurydice_slice_subslice2(serialized, (size_t)10U * i0,
                                  (size_t)10U * i0 + (size_t)10U, uint8_t),
@@ -3598,10 +3880,11 @@ static KRML_MUSTINLINE void compress_then_serialize_5_79(
 A monomorphic instance of
 libcrux_ml_kem.serialize.compress_then_serialize_ring_element_v with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
+- K= 3
 - COMPRESSION_FACTOR= 4
 - OUT_LEN= 128
 */
-static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_78(
+static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_ed(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out) {
   compress_then_serialize_4_79(re, out);
 }
@@ -3714,7 +3997,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_741(
       uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)960U,
                                            uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____6 = v;
-  compress_then_serialize_ring_element_v_78(
+  compress_then_serialize_ring_element_v_ed(
       uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
                                                (size_t)960U, uint8_t, size_t));
   memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t));
@@ -3784,7 +4067,7 @@ with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -3804,7 +4087,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_701(
       size_t);
   uint8_t ret[32U];
   H_a9_e0(Eurydice_array_to_slice(
-              (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key),
+              (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key),
               uint8_t),
           ret);
   Eurydice_slice_copy(
@@ -3818,7 +4101,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_701(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t);
+      (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -3828,7 +4111,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_701(
   uint8_t copy_of_ciphertext[1088U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 =
-      libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_80(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   kdf_d8_ae(shared_secret, shared_secret_array);
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0;
@@ -3850,13 +4133,13 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 deserialize_to_uncompressed_ring_element_79(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
-    re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes);
+    re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_9a(bytes);
   }
   return re;
 }
@@ -3875,7 +4158,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_ab(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  secret_as_ntt[i] = ZERO_d6_79(););
+                  secret_as_ntt[i] = ZERO_ef_79(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(secret_key, uint8_t) /
                LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
@@ -3938,16 +4221,16 @@ decompress_ciphertext_coefficient_ef(__m256i vector) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const
+libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_9a with const
 generics
 - COEFFICIENT_BITS= 10
 */
 static KRML_MUSTINLINE __m256i
-decompress_ciphertext_coefficient_ea_ef(__m256i vector) {
+decompress_ciphertext_coefficient_9a_ef(__m256i vector) {
   return decompress_ciphertext_coefficient_ef(vector);
 }
 
@@ -3959,14 +4242,14 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 deserialize_then_decompress_10_79(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t);
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_ea(bytes);
-    re.coefficients[i0] = decompress_ciphertext_coefficient_ea_ef(coefficient);
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_9a(bytes);
+    re.coefficients[i0] = decompress_ciphertext_coefficient_9a_ef(coefficient);
   }
   return re;
 }
@@ -4014,16 +4297,16 @@ decompress_ciphertext_coefficient_c4(__m256i vector) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const
+libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_9a with const
 generics
 - COEFFICIENT_BITS= 11
 */
 static KRML_MUSTINLINE __m256i
-decompress_ciphertext_coefficient_ea_c4(__m256i vector) {
+decompress_ciphertext_coefficient_9a_c4(__m256i vector) {
   return decompress_ciphertext_coefficient_c4(vector);
 }
 
@@ -4035,14 +4318,14 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 deserialize_then_decompress_11_79(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t);
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_ea(bytes);
-    re.coefficients[i0] = decompress_ciphertext_coefficient_ea_c4(coefficient);
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_9a(bytes);
+    re.coefficients[i0] = decompress_ciphertext_coefficient_9a_c4(coefficient);
   }
   return re;
 }
@@ -4074,7 +4357,7 @@ static KRML_MUSTINLINE void ntt_vector_u_ee(
   ntt_at_layer_3_79(&zeta_i, re);
   ntt_at_layer_2_79(&zeta_i, re);
   ntt_at_layer_1_79(&zeta_i, re);
-  poly_barrett_reduce_d6_79(re);
+  poly_barrett_reduce_ef_79(re);
 }
 
 /**
@@ -4094,7 +4377,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_ed(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  u_as_ntt[i] = ZERO_d6_79(););
+                  u_as_ntt[i] = ZERO_ef_79(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t),
@@ -4163,16 +4446,16 @@ decompress_ciphertext_coefficient_d1(__m256i vector) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const
+libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_9a with const
 generics
 - COEFFICIENT_BITS= 4
 */
 static KRML_MUSTINLINE __m256i
-decompress_ciphertext_coefficient_ea_d1(__m256i vector) {
+decompress_ciphertext_coefficient_9a_d1(__m256i vector) {
   return decompress_ciphertext_coefficient_d1(vector);
 }
 
@@ -4184,14 +4467,14 @@ with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 deserialize_then_decompress_4_79(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_ea(bytes);
-    re.coefficients[i0] = decompress_ciphertext_coefficient_ea_d1(coefficient);
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_9a(bytes);
+    re.coefficients[i0] = decompress_ciphertext_coefficient_9a_d1(coefficient);
   }
   return re;
 }
@@ -4239,16 +4522,16 @@ decompress_ciphertext_coefficient_f4(__m256i vector) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const
+libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_9a with const
 generics
 - COEFFICIENT_BITS= 5
 */
 static KRML_MUSTINLINE __m256i
-decompress_ciphertext_coefficient_ea_f4(__m256i vector) {
+decompress_ciphertext_coefficient_9a_f4(__m256i vector) {
   return decompress_ciphertext_coefficient_f4(vector);
 }
 
@@ -4260,15 +4543,15 @@ with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 deserialize_then_decompress_5_79(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t);
-    re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_ea(bytes);
+    re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_9a(bytes);
     re.coefficients[i0] =
-        decompress_ciphertext_coefficient_ea_f4(re.coefficients[i0]);
+        decompress_ciphertext_coefficient_9a_f4(re.coefficients[i0]);
   }
   return re;
 }
@@ -4277,40 +4560,53 @@ deserialize_then_decompress_5_79(Eurydice_slice serialized) {
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_v with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
+- K= 3
 - COMPRESSION_FACTOR= 4
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-deserialize_then_decompress_ring_element_v_42(Eurydice_slice serialized) {
+deserialize_then_decompress_ring_element_v_ed(Eurydice_slice serialized) {
   return deserialize_then_decompress_4_79(serialized);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-subtract_reduce_d6_79(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
-                      libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
+subtract_reduce_79(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
+                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     __m256i coefficient_normal_form =
-        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
+        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
             b.coefficients[i0], (int16_t)1441);
-    b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea(
-        libcrux_ml_kem_vector_avx2_sub_ea(self->coefficients[i0],
+    b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_9a(
+        libcrux_ml_kem_vector_avx2_sub_9a(myself->coefficients[i0],
                                           &coefficient_normal_form));
   }
   return b;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+subtract_reduce_ef_79(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+                      libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
+  return subtract_reduce_79(self, b);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -4328,13 +4624,13 @@ compute_message_ab(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_79();
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-                      ntt_multiply_d6_79(&secret_as_ntt[i0], &u_as_ntt[i0]);
-                  add_to_ring_element_d6_ab(&result, &product););
+                      ntt_multiply_ef_79(&secret_as_ntt[i0], &u_as_ntt[i0]);
+                  add_to_ring_element_ef_ab(&result, &product););
   invert_ntt_montgomery_ab(&result);
-  result = subtract_reduce_d6_79(v, result);
+  result = subtract_reduce_ef_79(v, result);
   return result;
 }
 
@@ -4349,11 +4645,11 @@ static KRML_MUSTINLINE void compress_then_serialize_message_79(
   uint8_t serialized[32U] = {0U};
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i;
-      __m256i coefficient = to_unsigned_representative_79(re.coefficients[i0]);
+      __m256i coefficient = to_unsigned_field_modulus_79(re.coefficients[i0]);
       __m256i coefficient_compressed =
-          libcrux_ml_kem_vector_avx2_compress_1_ea(coefficient);
+          libcrux_ml_kem_vector_avx2_compress_1_9a(coefficient);
       uint8_t bytes[2U];
-      libcrux_ml_kem_vector_avx2_serialize_1_ea(coefficient_compressed, bytes);
+      libcrux_ml_kem_vector_avx2_serialize_1_9a(coefficient_compressed, bytes);
       Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
           serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t);
       Eurydice_slice_copy(uu____0,
@@ -4402,7 +4698,7 @@ static KRML_MUSTINLINE void decrypt_unpacked_2f(
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U];
   deserialize_then_decompress_u_ed(ciphertext, u_as_ntt);
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v =
-      deserialize_then_decompress_ring_element_v_42(
+      deserialize_then_decompress_ring_element_v_ed(
           Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
                                           (size_t)960U, uint8_t, size_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message =
@@ -4466,6 +4762,9 @@ static KRML_MUSTINLINE void PRF_a9_41(Eurydice_slice input, uint8_t ret[32U]) {
   PRF_9e(input, ret);
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -4521,7 +4820,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_a11(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_80(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   PRF_a9_41(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t),
@@ -4541,7 +4840,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_a11(
   kdf_d8_ae(shared_secret0, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_80(ciphertext),
       Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
@@ -4557,10 +4856,9 @@ void libcrux_ml_kem_ind_cca_decapsulate_a11(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1568
 - K= 4
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_88(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_42(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) {
   for (size_t i = (size_t)0U;
@@ -4589,16 +4887,15 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_88(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1568
 - K= 4
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_88(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_42(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  deserialized_pk[i] = ZERO_d6_79(););
-  deserialize_ring_elements_reduced_88(public_key, deserialized_pk);
+                  deserialized_pk[i] = ZERO_ef_79(););
+  deserialize_ring_elements_reduced_42(public_key, deserialized_pk);
   memcpy(
       ret, deserialized_pk,
       (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6));
@@ -4701,7 +4998,7 @@ with const generics
 */
 bool libcrux_ml_kem_ind_cca_validate_public_key_1e(uint8_t *public_key) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[4U];
-  deserialize_ring_elements_reduced_out_88(
+  deserialize_ring_elements_reduced_out_42(
       Eurydice_array_to_subslice_to((size_t)1568U, public_key, (size_t)1536U,
                                     uint8_t, size_t),
       deserialized_pk);
@@ -4799,10 +5096,10 @@ with const generics
 */
 static IndCpaPrivateKeyUnpacked_39 default_1a_42(void) {
   IndCpaPrivateKeyUnpacked_39 lit;
-  lit.secret_as_ntt[0U] = ZERO_d6_79();
-  lit.secret_as_ntt[1U] = ZERO_d6_79();
-  lit.secret_as_ntt[2U] = ZERO_d6_79();
-  lit.secret_as_ntt[3U] = ZERO_d6_79();
+  lit.secret_as_ntt[0U] = ZERO_ef_79();
+  lit.secret_as_ntt[1U] = ZERO_ef_79();
+  lit.secret_as_ntt[2U] = ZERO_ef_79();
+  lit.secret_as_ntt[3U] = ZERO_ef_79();
   return lit;
 }
 
@@ -4832,29 +5129,29 @@ with const generics
 static IndCpaPublicKeyUnpacked_39 default_8d_42(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  uu____0[i] = ZERO_d6_79(););
+                  uu____0[i] = ZERO_ef_79(););
   uint8_t uu____1[32U] = {0U};
   IndCpaPublicKeyUnpacked_39 lit;
   memcpy(
       lit.t_as_ntt, uu____0,
       (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6));
   memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t));
-  lit.A[0U][0U] = ZERO_d6_79();
-  lit.A[0U][1U] = ZERO_d6_79();
-  lit.A[0U][2U] = ZERO_d6_79();
-  lit.A[0U][3U] = ZERO_d6_79();
-  lit.A[1U][0U] = ZERO_d6_79();
-  lit.A[1U][1U] = ZERO_d6_79();
-  lit.A[1U][2U] = ZERO_d6_79();
-  lit.A[1U][3U] = ZERO_d6_79();
-  lit.A[2U][0U] = ZERO_d6_79();
-  lit.A[2U][1U] = ZERO_d6_79();
-  lit.A[2U][2U] = ZERO_d6_79();
-  lit.A[2U][3U] = ZERO_d6_79();
-  lit.A[3U][0U] = ZERO_d6_79();
-  lit.A[3U][1U] = ZERO_d6_79();
-  lit.A[3U][2U] = ZERO_d6_79();
-  lit.A[3U][3U] = ZERO_d6_79();
+  lit.A[0U][0U] = ZERO_ef_79();
+  lit.A[0U][1U] = ZERO_ef_79();
+  lit.A[0U][2U] = ZERO_ef_79();
+  lit.A[0U][3U] = ZERO_ef_79();
+  lit.A[1U][0U] = ZERO_ef_79();
+  lit.A[1U][1U] = ZERO_ef_79();
+  lit.A[1U][2U] = ZERO_ef_79();
+  lit.A[1U][3U] = ZERO_ef_79();
+  lit.A[2U][0U] = ZERO_ef_79();
+  lit.A[2U][1U] = ZERO_ef_79();
+  lit.A[2U][2U] = ZERO_ef_79();
+  lit.A[2U][3U] = ZERO_ef_79();
+  lit.A[3U][0U] = ZERO_ef_79();
+  lit.A[3U][1U] = ZERO_ef_79();
+  lit.A[3U][2U] = ZERO_ef_79();
+  lit.A[3U][3U] = ZERO_ef_79();
   return lit;
 }
 
@@ -4898,11 +5195,12 @@ static KRML_MUSTINLINE void cpa_keygen_seed_d8_6a(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const
+generics
 - K= 4
 */
 static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
-shake128_init_absorb_ac(uint8_t input[4U][34U]) {
+shake128_init_absorb_final_ac(uint8_t input[4U][34U]) {
   libcrux_sha3_generic_keccak_KeccakState_55 state =
       libcrux_sha3_avx2_x4_incremental_init();
   libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(
@@ -4919,24 +5217,25 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_a9 with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_a9 with const
+generics
 - K= 4
 */
 static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
-shake128_init_absorb_a9_ac(uint8_t input[4U][34U]) {
+shake128_init_absorb_final_a9_ac(uint8_t input[4U][34U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_input[4U][34U];
   memcpy(copy_of_input, input, (size_t)4U * sizeof(uint8_t[34U]));
-  return shake128_init_absorb_ac(copy_of_input);
+  return shake128_init_absorb_final_ac(copy_of_input);
 }
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks with const
-generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with
+const generics
 - K= 4
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_ac(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_ac(
     libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[4U][504U]) {
   uint8_t out[4U][504U] = {{0U}};
   uint8_t out0[504U] = {0U};
@@ -4969,13 +5268,13 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks_a9 with const
-generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_a9 with
+const generics
 - K= 4
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_a9_ac(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_a9_ac(
     libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[4U][504U]) {
-  shake128_squeeze_three_blocks_ac(self, ret);
+  shake128_squeeze_first_three_blocks_ac(self, ret);
 }
 
 /**
@@ -5038,7 +5337,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_78(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea(
+          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_9a(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -5060,10 +5359,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_78(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const
+generics
 - K= 4
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_ac(
+static KRML_MUSTINLINE void shake128_squeeze_next_block_ac(
     libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[4U][168U]) {
   uint8_t out[4U][168U] = {{0U}};
   uint8_t out0[168U] = {0U};
@@ -5096,12 +5396,13 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block_a9 with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_a9 with const
+generics
 - K= 4
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_a9_ac(
+static KRML_MUSTINLINE void shake128_squeeze_next_block_a9_ac(
     libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[4U][168U]) {
-  shake128_squeeze_block_ac(self, ret);
+  shake128_squeeze_next_block_ac(self, ret);
 }
 
 /**
@@ -5164,7 +5465,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_780(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea(
+          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_9a(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -5192,7 +5493,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 */
 static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 closure_6c(
     int16_t s[272U]) {
-  return from_i16_array_d6_79(
+  return from_i16_array_ef_79(
       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
 }
 
@@ -5211,9 +5512,9 @@ static KRML_MUSTINLINE void sample_from_xof_6c(
   uint8_t copy_of_seeds[4U][34U];
   memcpy(copy_of_seeds, seeds, (size_t)4U * sizeof(uint8_t[34U]));
   libcrux_sha3_avx2_x4_incremental_KeccakState xof_state =
-      shake128_init_absorb_a9_ac(copy_of_seeds);
+      shake128_init_absorb_final_a9_ac(copy_of_seeds);
   uint8_t randomness0[4U][504U];
-  shake128_squeeze_three_blocks_a9_ac(&xof_state, randomness0);
+  shake128_squeeze_first_three_blocks_a9_ac(&xof_state, randomness0);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness0[4U][504U];
   memcpy(copy_of_randomness0, randomness0, (size_t)4U * sizeof(uint8_t[504U]));
@@ -5224,7 +5525,7 @@ static KRML_MUSTINLINE void sample_from_xof_6c(
       break;
     } else {
       uint8_t randomness[4U][168U];
-      shake128_squeeze_block_a9_ac(&xof_state, randomness);
+      shake128_squeeze_next_block_a9_ac(&xof_state, randomness);
       /* Passing arrays by value in Rust generates a copy in C */
       uint8_t copy_of_randomness[4U][168U];
       memcpy(copy_of_randomness, randomness,
@@ -5359,9 +5660,8 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_b4(
   KRML_MAYBE_FOR4(
       i, (size_t)0U, (size_t)4U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_ac(prf_inputs, domain_separator);
   uint8_t prf_outputs[4U][128U];
   PRFxN_a9_44(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR4(
@@ -5395,7 +5695,7 @@ static KRML_MUSTINLINE tuple_dd sample_vector_cbd_then_ntt_out_b4(
     uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  re_as_ntt[i] = ZERO_d6_79(););
+                  re_as_ntt[i] = ZERO_ef_79(););
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt;
   uint8_t uu____1[33U];
   memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -5419,30 +5719,42 @@ static KRML_MUSTINLINE tuple_dd sample_vector_cbd_then_ntt_out_b4(
  sum of their constituent coefficients.
 */
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 4
 */
-static KRML_MUSTINLINE void add_to_ring_element_d6_42(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void add_to_ring_element_42(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(Eurydice_array_to_slice(
-                                  (size_t)16U, self->coefficients, __m256i),
+                                  (size_t)16U, myself->coefficients, __m256i),
                               __m256i);
        i++) {
     size_t i0 = i;
-    self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea(
-        self->coefficients[i0], &rhs->coefficients[i0]);
+    myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_9a(
+        myself->coefficients[i0], &rhs->coefficients[i0]);
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 4
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_42(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  add_to_ring_element_42(self, rhs);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -5466,7 +5778,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_42(
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0];
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_79();
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_ef_79();
     t_as_ntt[i0] = uu____0;
     for (size_t i1 = (size_t)0U;
          i1 < Eurydice_slice_len(
@@ -5479,10 +5791,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_42(
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element =
           &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-          ntt_multiply_d6_79(matrix_element, &s_as_ntt[j]);
-      add_to_ring_element_d6_42(&t_as_ntt[i0], &product);
+          ntt_multiply_ef_79(matrix_element, &s_as_ntt[j]);
+      add_to_ring_element_ef_42(&t_as_ntt[i0], &product);
     }
-    add_standard_error_reduce_d6_79(&t_as_ntt[i0], &error_as_ntt[i0]);
+    add_standard_error_reduce_ef_79(&t_as_ntt[i0], &error_as_ntt[i0]);
   }
 }
 
@@ -5689,9 +6001,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_mut_5e(
       implicit_rejection_value, uint8_t);
 }
 
-/**
- Serialize the secret key.
-*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key
 with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash
@@ -5725,7 +6034,7 @@ with const generics
 - CPA_PRIVATE_KEY_SIZE= 1536
 - PRIVATE_KEY_SIZE= 3168
 - PUBLIC_KEY_SIZE= 1568
-- BYTES_PER_RING_ELEMENT= 1536
+- RANKED_BYTES_PER_RING_ELEMENT= 1536
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -5754,13 +6063,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_d60(uint8_t randomness[64U]) {
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)3168U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_83 private_key =
-      libcrux_ml_kem_types_from_88_39(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_39(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_83 uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[1568U];
   memcpy(copy_of_public_key, public_key, (size_t)1568U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_94(
-      uu____2, libcrux_ml_kem_types_from_40_af(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_94(
+      uu____2, libcrux_ml_kem_types_from_5f_af(copy_of_public_key));
 }
 
 /**
@@ -5781,35 +6090,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_6a(Eurydice_slice randomness,
   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
 
-/**
- See [deserialize_ring_elements_reduced_out].
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
-libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1536
-- K= 4
-*/
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_3c(
-    Eurydice_slice public_key,
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) {
-  for (size_t i = (size_t)0U;
-       i < Eurydice_slice_len(public_key, uint8_t) /
-               LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
-       i++) {
-    size_t i0 = i;
-    Eurydice_slice ring_element = Eurydice_slice_subslice2(
-        public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
-            LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        uint8_t);
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 =
-        deserialize_to_reduced_ring_element_79(ring_element);
-    deserialized_pk[i0] = uu____0;
-  }
-}
-
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -5817,12 +6097,12 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 - K= 4
 - T_AS_NTT_ENCODED_SIZE= 1536
 */
-static void build_unpacked_public_key_mut_fa0(
+static KRML_MUSTINLINE void build_unpacked_public_key_mut_fa0(
     Eurydice_slice public_key,
     IndCpaPublicKeyUnpacked_39 *unpacked_public_key) {
   Eurydice_slice uu____0 =
       Eurydice_slice_subslice_to(public_key, (size_t)1536U, uint8_t, size_t);
-  deserialize_ring_elements_reduced_3c(uu____0, unpacked_public_key->t_as_ntt);
+  deserialize_ring_elements_reduced_42(uu____0, unpacked_public_key->t_as_ntt);
   Eurydice_slice seed =
       Eurydice_slice_subslice_from(public_key, (size_t)1536U, uint8_t, size_t);
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____1)[4U] =
@@ -5839,8 +6119,8 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 - K= 4
 - T_AS_NTT_ENCODED_SIZE= 1536
 */
-static IndCpaPublicKeyUnpacked_39 build_unpacked_public_key_fa0(
-    Eurydice_slice public_key) {
+static KRML_MUSTINLINE IndCpaPublicKeyUnpacked_39
+build_unpacked_public_key_fa0(Eurydice_slice public_key) {
   IndCpaPublicKeyUnpacked_39 unpacked_public_key = default_8d_42();
   build_unpacked_public_key_mut_fa0(public_key, &unpacked_public_key);
   return unpacked_public_key;
@@ -5861,7 +6141,7 @@ static KRML_MUSTINLINE tuple_dd
 sample_ring_element_cbd_b4(uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  error_1[i] = ZERO_d6_79(););
+                  error_1[i] = ZERO_ef_79(););
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_prf_input[33U];
   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -5869,9 +6149,8 @@ sample_ring_element_cbd_b4(uint8_t prf_input[33U], uint8_t domain_separator) {
   KRML_MAYBE_FOR4(
       i, (size_t)0U, (size_t)4U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_ac(prf_inputs, domain_separator);
   uint8_t prf_outputs[4U][128U];
   PRFxN_a9_44(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR4(
@@ -5925,7 +6204,7 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_42(
   invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U);
   invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U);
   invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U);
-  poly_barrett_reduce_d6_79(re);
+  poly_barrett_reduce_ef_79(re);
 }
 
 /**
@@ -5944,7 +6223,7 @@ static KRML_MUSTINLINE void compute_vector_u_42(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  result[i] = ZERO_d6_79(););
+                  result[i] = ZERO_ef_79(););
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(
                 Eurydice_array_to_slice(
@@ -5964,11 +6243,11 @@ static KRML_MUSTINLINE void compute_vector_u_42(
       size_t j = i;
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-          ntt_multiply_d6_79(a_element, &r_as_ntt[j]);
-      add_to_ring_element_d6_42(&result[i1], &product);
+          ntt_multiply_ef_79(a_element, &r_as_ntt[j]);
+      add_to_ring_element_ef_42(&result[i1], &product);
     }
     invert_ntt_montgomery_42(&result[i1]);
-    add_error_reduce_d6_79(&result[i1], &error_1[i1]);
+    add_error_reduce_ef_79(&result[i1], &error_1[i1]);
   }
   memcpy(
       ret, result,
@@ -5990,13 +6269,13 @@ compute_ring_element_v_42(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_79();
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-                      ntt_multiply_d6_79(&t_as_ntt[i0], &r_as_ntt[i0]);
-                  add_to_ring_element_d6_42(&result, &product););
+                      ntt_multiply_ef_79(&t_as_ntt[i0], &r_as_ntt[i0]);
+                  add_to_ring_element_ef_42(&result, &product););
   invert_ntt_montgomery_42(&result);
-  result = add_message_error_reduce_d6_79(error_2, message, result);
+  result = add_message_error_reduce_ef_79(error_2, message, result);
   return result;
 }
 
@@ -6013,9 +6292,9 @@ static KRML_MUSTINLINE void compress_then_serialize_11_0e(
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     __m256i coefficient =
-        compress_ea_c4(to_unsigned_representative_79(re->coefficients[i0]));
+        compress_9a_c4(to_unsigned_representative_79(re->coefficients[i0]));
     uint8_t bytes[22U];
-    libcrux_ml_kem_vector_avx2_serialize_11_ea(coefficient, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_11_9a(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t);
     Eurydice_slice_copy(
@@ -6076,10 +6355,11 @@ static KRML_MUSTINLINE void compress_then_serialize_u_c9(
 A monomorphic instance of
 libcrux_ml_kem.serialize.compress_then_serialize_ring_element_v with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
+- K= 4
 - COMPRESSION_FACTOR= 5
 - OUT_LEN= 160
 */
-static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_ff(
+static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_1e(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out) {
   compress_then_serialize_5_79(re, out);
 }
@@ -6192,7 +6472,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_74(
       uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U,
                                            (size_t)1408U, uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____6 = v;
-  compress_then_serialize_ring_element_v_ff(
+  compress_then_serialize_ring_element_v_1e(
       uu____6, Eurydice_array_to_subslice_from((size_t)1568U, ciphertext,
                                                (size_t)1408U, uint8_t, size_t));
   memcpy(ret, ciphertext, (size_t)1568U * sizeof(uint8_t));
@@ -6262,7 +6542,7 @@ with const generics
 - C2_SIZE= 160
 - VECTOR_U_COMPRESSION_FACTOR= 11
 - VECTOR_V_COMPRESSION_FACTOR= 5
-- VECTOR_U_BLOCK_LEN= 352
+- C1_BLOCK_SIZE= 352
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -6282,7 +6562,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_700(
       size_t);
   uint8_t ret[32U];
   H_a9_ac(Eurydice_array_to_slice(
-              (size_t)1568U, libcrux_ml_kem_types_as_slice_ba_af(public_key),
+              (size_t)1568U, libcrux_ml_kem_types_as_slice_fd_af(public_key),
               uint8_t),
           ret);
   Eurydice_slice_copy(
@@ -6296,7 +6576,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_700(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)1568U, libcrux_ml_kem_types_as_slice_ba_af(public_key), uint8_t);
+      (size_t)1568U, libcrux_ml_kem_types_as_slice_fd_af(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -6306,7 +6586,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_700(
   uint8_t copy_of_ciphertext[1568U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1568U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemCiphertext_64 ciphertext0 =
-      libcrux_ml_kem_types_from_fc_af(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_af(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   kdf_d8_5e(shared_secret, shared_secret_array);
   libcrux_ml_kem_types_MlKemCiphertext_64 uu____5 = ciphertext0;
@@ -6334,7 +6614,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_42(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  secret_as_ntt[i] = ZERO_d6_79(););
+                  secret_as_ntt[i] = ZERO_ef_79(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(secret_key, uint8_t) /
                LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
@@ -6381,7 +6661,7 @@ static KRML_MUSTINLINE void ntt_vector_u_85(
   ntt_at_layer_3_79(&zeta_i, re);
   ntt_at_layer_2_79(&zeta_i, re);
   ntt_at_layer_1_79(&zeta_i, re);
-  poly_barrett_reduce_d6_79(re);
+  poly_barrett_reduce_ef_79(re);
 }
 
 /**
@@ -6401,7 +6681,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_1e(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  u_as_ntt[i] = ZERO_d6_79(););
+                  u_as_ntt[i] = ZERO_ef_79(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t),
@@ -6431,10 +6711,11 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_1e(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_v with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
+- K= 4
 - COMPRESSION_FACTOR= 5
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-deserialize_then_decompress_ring_element_v_b4(Eurydice_slice serialized) {
+deserialize_then_decompress_ring_element_v_78(Eurydice_slice serialized) {
   return deserialize_then_decompress_5_79(serialized);
 }
 
@@ -6455,13 +6736,13 @@ compute_message_42(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_79();
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-                      ntt_multiply_d6_79(&secret_as_ntt[i0], &u_as_ntt[i0]);
-                  add_to_ring_element_d6_42(&result, &product););
+                      ntt_multiply_ef_79(&secret_as_ntt[i0], &u_as_ntt[i0]);
+                  add_to_ring_element_ef_42(&result, &product););
   invert_ntt_montgomery_42(&result);
-  result = subtract_reduce_d6_79(v, result);
+  result = subtract_reduce_ef_79(v, result);
   return result;
 }
 
@@ -6505,7 +6786,7 @@ static KRML_MUSTINLINE void decrypt_unpacked_37(
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[4U];
   deserialize_then_decompress_u_1e(ciphertext, u_as_ntt);
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v =
-      deserialize_then_decompress_ring_element_v_b4(
+      deserialize_then_decompress_ring_element_v_78(
           Eurydice_array_to_subslice_from((size_t)1568U, ciphertext,
                                           (size_t)1408U, uint8_t, size_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message =
@@ -6557,6 +6838,9 @@ static KRML_MUSTINLINE void PRF_a9_44(Eurydice_slice input, uint8_t ret[32U]) {
   PRF_9e(input, ret);
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -6612,7 +6896,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_a10(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1600U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_af(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_af(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   PRF_a9_44(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t),
@@ -6632,7 +6916,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_a10(
   kdf_d8_5e(shared_secret0, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_af(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_af(ciphertext),
       Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
@@ -6648,10 +6932,9 @@ void libcrux_ml_kem_ind_cca_decapsulate_a10(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 800
 - K= 2
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_bc(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_89(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) {
   for (size_t i = (size_t)0U;
@@ -6680,16 +6963,15 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_bc(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 800
 - K= 2
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_bc(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_89(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  deserialized_pk[i] = ZERO_d6_79(););
-  deserialize_ring_elements_reduced_bc(public_key, deserialized_pk);
+                  deserialized_pk[i] = ZERO_ef_79(););
+  deserialize_ring_elements_reduced_89(public_key, deserialized_pk);
   memcpy(
       ret, deserialized_pk,
       (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6));
@@ -6792,7 +7074,7 @@ with const generics
 */
 bool libcrux_ml_kem_ind_cca_validate_public_key_ba(uint8_t *public_key) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[2U];
-  deserialize_ring_elements_reduced_out_bc(
+  deserialize_ring_elements_reduced_out_89(
       Eurydice_array_to_subslice_to((size_t)800U, public_key, (size_t)768U,
                                     uint8_t, size_t),
       deserialized_pk);
@@ -6890,8 +7172,8 @@ with const generics
 */
 static IndCpaPrivateKeyUnpacked_94 default_1a_89(void) {
   IndCpaPrivateKeyUnpacked_94 lit;
-  lit.secret_as_ntt[0U] = ZERO_d6_79();
-  lit.secret_as_ntt[1U] = ZERO_d6_79();
+  lit.secret_as_ntt[0U] = ZERO_ef_79();
+  lit.secret_as_ntt[1U] = ZERO_ef_79();
   return lit;
 }
 
@@ -6921,17 +7203,17 @@ with const generics
 static IndCpaPublicKeyUnpacked_94 default_8d_89(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  uu____0[i] = ZERO_d6_79(););
+                  uu____0[i] = ZERO_ef_79(););
   uint8_t uu____1[32U] = {0U};
   IndCpaPublicKeyUnpacked_94 lit;
   memcpy(
       lit.t_as_ntt, uu____0,
       (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6));
   memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t));
-  lit.A[0U][0U] = ZERO_d6_79();
-  lit.A[0U][1U] = ZERO_d6_79();
-  lit.A[1U][0U] = ZERO_d6_79();
-  lit.A[1U][1U] = ZERO_d6_79();
+  lit.A[0U][0U] = ZERO_ef_79();
+  lit.A[0U][1U] = ZERO_ef_79();
+  lit.A[1U][0U] = ZERO_ef_79();
+  lit.A[1U][1U] = ZERO_ef_79();
   return lit;
 }
 
@@ -6975,11 +7257,12 @@ static KRML_MUSTINLINE void cpa_keygen_seed_d8_f8(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const
+generics
 - K= 2
 */
 static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
-shake128_init_absorb_fd(uint8_t input[2U][34U]) {
+shake128_init_absorb_final_fd(uint8_t input[2U][34U]) {
   libcrux_sha3_generic_keccak_KeccakState_55 state =
       libcrux_sha3_avx2_x4_incremental_init();
   libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(
@@ -6996,24 +7279,25 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_a9 with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_a9 with const
+generics
 - K= 2
 */
 static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
-shake128_init_absorb_a9_fd(uint8_t input[2U][34U]) {
+shake128_init_absorb_final_a9_fd(uint8_t input[2U][34U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_input[2U][34U];
   memcpy(copy_of_input, input, (size_t)2U * sizeof(uint8_t[34U]));
-  return shake128_init_absorb_fd(copy_of_input);
+  return shake128_init_absorb_final_fd(copy_of_input);
 }
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks with const
-generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with
+const generics
 - K= 2
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_fd(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_fd(
     libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[2U][504U]) {
   uint8_t out[2U][504U] = {{0U}};
   uint8_t out0[504U] = {0U};
@@ -7040,13 +7324,13 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks_a9 with const
-generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_a9 with
+const generics
 - K= 2
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_a9_fd(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_a9_fd(
     libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[2U][504U]) {
-  shake128_squeeze_three_blocks_fd(self, ret);
+  shake128_squeeze_first_three_blocks_fd(self, ret);
 }
 
 /**
@@ -7109,7 +7393,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_29(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea(
+          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_9a(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -7131,10 +7415,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_29(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const
+generics
 - K= 2
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_fd(
+static KRML_MUSTINLINE void shake128_squeeze_next_block_fd(
     libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[2U][168U]) {
   uint8_t out[2U][168U] = {{0U}};
   uint8_t out0[168U] = {0U};
@@ -7161,12 +7446,13 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block_a9 with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_a9 with const
+generics
 - K= 2
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_a9_fd(
+static KRML_MUSTINLINE void shake128_squeeze_next_block_a9_fd(
     libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[2U][168U]) {
-  shake128_squeeze_block_fd(self, ret);
+  shake128_squeeze_next_block_fd(self, ret);
 }
 
 /**
@@ -7229,7 +7515,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_290(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea(
+          size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_9a(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -7257,7 +7543,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 */
 static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 closure_6c0(
     int16_t s[272U]) {
-  return from_i16_array_d6_79(
+  return from_i16_array_ef_79(
       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
 }
 
@@ -7276,9 +7562,9 @@ static KRML_MUSTINLINE void sample_from_xof_6c0(
   uint8_t copy_of_seeds[2U][34U];
   memcpy(copy_of_seeds, seeds, (size_t)2U * sizeof(uint8_t[34U]));
   libcrux_sha3_avx2_x4_incremental_KeccakState xof_state =
-      shake128_init_absorb_a9_fd(copy_of_seeds);
+      shake128_init_absorb_final_a9_fd(copy_of_seeds);
   uint8_t randomness0[2U][504U];
-  shake128_squeeze_three_blocks_a9_fd(&xof_state, randomness0);
+  shake128_squeeze_first_three_blocks_a9_fd(&xof_state, randomness0);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness0[2U][504U];
   memcpy(copy_of_randomness0, randomness0, (size_t)2U * sizeof(uint8_t[504U]));
@@ -7289,7 +7575,7 @@ static KRML_MUSTINLINE void sample_from_xof_6c0(
       break;
     } else {
       uint8_t randomness[2U][168U];
-      shake128_squeeze_block_a9_fd(&xof_state, randomness);
+      shake128_squeeze_next_block_a9_fd(&xof_state, randomness);
       /* Passing arrays by value in Rust generates a copy in C */
       uint8_t copy_of_randomness[2U][168U];
       memcpy(copy_of_randomness, randomness,
@@ -7429,9 +7715,8 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_b40(
   KRML_MAYBE_FOR2(
       i, (size_t)0U, (size_t)2U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_fd(prf_inputs, domain_separator);
   uint8_t prf_outputs[2U][192U];
   PRFxN_a9_49(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR2(
@@ -7465,7 +7750,7 @@ static KRML_MUSTINLINE tuple_40 sample_vector_cbd_then_ntt_out_b40(
     uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  re_as_ntt[i] = ZERO_d6_79(););
+                  re_as_ntt[i] = ZERO_ef_79(););
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt;
   uint8_t uu____1[33U];
   memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -7489,30 +7774,42 @@ static KRML_MUSTINLINE tuple_40 sample_vector_cbd_then_ntt_out_b40(
  sum of their constituent coefficients.
 */
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 2
 */
-static KRML_MUSTINLINE void add_to_ring_element_d6_89(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void add_to_ring_element_89(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(Eurydice_array_to_slice(
-                                  (size_t)16U, self->coefficients, __m256i),
+                                  (size_t)16U, myself->coefficients, __m256i),
                               __m256i);
        i++) {
     size_t i0 = i;
-    self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea(
-        self->coefficients[i0], &rhs->coefficients[i0]);
+    myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_9a(
+        myself->coefficients[i0], &rhs->coefficients[i0]);
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 2
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_89(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  add_to_ring_element_89(self, rhs);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -7536,7 +7833,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_89(
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0];
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_79();
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_ef_79();
     t_as_ntt[i0] = uu____0;
     for (size_t i1 = (size_t)0U;
          i1 < Eurydice_slice_len(
@@ -7549,10 +7846,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_89(
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element =
           &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-          ntt_multiply_d6_79(matrix_element, &s_as_ntt[j]);
-      add_to_ring_element_d6_89(&t_as_ntt[i0], &product);
+          ntt_multiply_ef_79(matrix_element, &s_as_ntt[j]);
+      add_to_ring_element_ef_89(&t_as_ntt[i0], &product);
     }
-    add_standard_error_reduce_d6_79(&t_as_ntt[i0], &error_as_ntt[i0]);
+    add_standard_error_reduce_ef_79(&t_as_ntt[i0], &error_as_ntt[i0]);
   }
 }
 
@@ -7759,9 +8056,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_mut_4d(
       implicit_rejection_value, uint8_t);
 }
 
-/**
- Serialize the secret key.
-*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key
 with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash
@@ -7795,7 +8089,7 @@ with const generics
 - CPA_PRIVATE_KEY_SIZE= 768
 - PRIVATE_KEY_SIZE= 1632
 - PUBLIC_KEY_SIZE= 800
-- BYTES_PER_RING_ELEMENT= 768
+- RANKED_BYTES_PER_RING_ELEMENT= 768
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 */
@@ -7824,13 +8118,13 @@ libcrux_ml_kem_types_MlKemKeyPair_3e libcrux_ml_kem_ind_cca_generate_keypair_d6(
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)1632U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_fa private_key =
-      libcrux_ml_kem_types_from_88_2a(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_2a(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_fa uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[800U];
   memcpy(copy_of_public_key, public_key, (size_t)800U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_fa(
-      uu____2, libcrux_ml_kem_types_from_40_4d(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_fa(
+      uu____2, libcrux_ml_kem_types_from_5f_4d(copy_of_public_key));
 }
 
 /**
@@ -7851,35 +8145,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_f8(Eurydice_slice randomness,
   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
 
-/**
- See [deserialize_ring_elements_reduced_out].
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
-libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 768
-- K= 2
-*/
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_09(
-    Eurydice_slice public_key,
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) {
-  for (size_t i = (size_t)0U;
-       i < Eurydice_slice_len(public_key, uint8_t) /
-               LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
-       i++) {
-    size_t i0 = i;
-    Eurydice_slice ring_element = Eurydice_slice_subslice2(
-        public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
-            LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        uint8_t);
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 =
-        deserialize_to_reduced_ring_element_79(ring_element);
-    deserialized_pk[i0] = uu____0;
-  }
-}
-
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -7887,12 +8152,12 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 - K= 2
 - T_AS_NTT_ENCODED_SIZE= 768
 */
-static void build_unpacked_public_key_mut_fa(
+static KRML_MUSTINLINE void build_unpacked_public_key_mut_fa(
     Eurydice_slice public_key,
     IndCpaPublicKeyUnpacked_94 *unpacked_public_key) {
   Eurydice_slice uu____0 =
       Eurydice_slice_subslice_to(public_key, (size_t)768U, uint8_t, size_t);
-  deserialize_ring_elements_reduced_09(uu____0, unpacked_public_key->t_as_ntt);
+  deserialize_ring_elements_reduced_89(uu____0, unpacked_public_key->t_as_ntt);
   Eurydice_slice seed =
       Eurydice_slice_subslice_from(public_key, (size_t)768U, uint8_t, size_t);
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____1)[2U] =
@@ -7909,8 +8174,8 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 - K= 2
 - T_AS_NTT_ENCODED_SIZE= 768
 */
-static IndCpaPublicKeyUnpacked_94 build_unpacked_public_key_fa(
-    Eurydice_slice public_key) {
+static KRML_MUSTINLINE IndCpaPublicKeyUnpacked_94
+build_unpacked_public_key_fa(Eurydice_slice public_key) {
   IndCpaPublicKeyUnpacked_94 unpacked_public_key = default_8d_89();
   build_unpacked_public_key_mut_fa(public_key, &unpacked_public_key);
   return unpacked_public_key;
@@ -7977,7 +8242,7 @@ static KRML_MUSTINLINE tuple_40
 sample_ring_element_cbd_b40(uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  error_1[i] = ZERO_d6_79(););
+                  error_1[i] = ZERO_ef_79(););
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_prf_input[33U];
   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -7985,9 +8250,8 @@ sample_ring_element_cbd_b40(uint8_t prf_input[33U], uint8_t domain_separator) {
   KRML_MAYBE_FOR2(
       i, (size_t)0U, (size_t)2U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_fd(prf_inputs, domain_separator);
   uint8_t prf_outputs[2U][128U];
   PRFxN_a9_490(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR2(
@@ -8041,7 +8305,7 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_89(
   invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U);
   invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U);
   invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U);
-  poly_barrett_reduce_d6_79(re);
+  poly_barrett_reduce_ef_79(re);
 }
 
 /**
@@ -8060,7 +8324,7 @@ static KRML_MUSTINLINE void compute_vector_u_89(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  result[i] = ZERO_d6_79(););
+                  result[i] = ZERO_ef_79(););
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(
                 Eurydice_array_to_slice(
@@ -8080,11 +8344,11 @@ static KRML_MUSTINLINE void compute_vector_u_89(
       size_t j = i;
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-          ntt_multiply_d6_79(a_element, &r_as_ntt[j]);
-      add_to_ring_element_d6_89(&result[i1], &product);
+          ntt_multiply_ef_79(a_element, &r_as_ntt[j]);
+      add_to_ring_element_ef_89(&result[i1], &product);
     }
     invert_ntt_montgomery_89(&result[i1]);
-    add_error_reduce_d6_79(&result[i1], &error_1[i1]);
+    add_error_reduce_ef_79(&result[i1], &error_1[i1]);
   }
   memcpy(
       ret, result,
@@ -8106,13 +8370,13 @@ compute_ring_element_v_89(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_79();
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-                      ntt_multiply_d6_79(&t_as_ntt[i0], &r_as_ntt[i0]);
-                  add_to_ring_element_d6_89(&result, &product););
+                      ntt_multiply_ef_79(&t_as_ntt[i0], &r_as_ntt[i0]);
+                  add_to_ring_element_ef_89(&result, &product););
   invert_ntt_montgomery_89(&result);
-  result = add_message_error_reduce_d6_79(error_2, message, result);
+  result = add_message_error_reduce_ef_79(error_2, message, result);
   return result;
 }
 
@@ -8150,6 +8414,19 @@ static KRML_MUSTINLINE void compress_then_serialize_u_2d(
   }
 }
 
+/**
+A monomorphic instance of
+libcrux_ml_kem.serialize.compress_then_serialize_ring_element_v with types
+libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
+- K= 2
+- COMPRESSION_FACTOR= 4
+- OUT_LEN= 128
+*/
+static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_ba(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out) {
+  compress_then_serialize_4_79(re, out);
+}
+
 /**
  This function implements <strong>Algorithm 13</strong> of the
  NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm.
@@ -8258,7 +8535,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_740(
       uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)640U,
                                            uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____6 = v;
-  compress_then_serialize_ring_element_v_78(
+  compress_then_serialize_ring_element_v_ba(
       uu____6, Eurydice_array_to_subslice_from((size_t)768U, ciphertext,
                                                (size_t)640U, uint8_t, size_t));
   memcpy(ret, ciphertext, (size_t)768U * sizeof(uint8_t));
@@ -8328,7 +8605,7 @@ with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 - ETA2= 2
@@ -8348,7 +8625,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_70(
       size_t);
   uint8_t ret[32U];
   H_a9_fd(Eurydice_array_to_slice(
-              (size_t)800U, libcrux_ml_kem_types_as_slice_ba_4d(public_key),
+              (size_t)800U, libcrux_ml_kem_types_as_slice_fd_4d(public_key),
               uint8_t),
           ret);
   Eurydice_slice_copy(
@@ -8362,7 +8639,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_70(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)800U, libcrux_ml_kem_types_as_slice_ba_4d(public_key), uint8_t);
+      (size_t)800U, libcrux_ml_kem_types_as_slice_fd_4d(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -8372,7 +8649,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_70(
   uint8_t copy_of_ciphertext[768U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)768U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemCiphertext_1a ciphertext0 =
-      libcrux_ml_kem_types_from_fc_d0(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_d0(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   kdf_d8_4d(shared_secret, shared_secret_array);
   libcrux_ml_kem_types_MlKemCiphertext_1a uu____5 = ciphertext0;
@@ -8400,7 +8677,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_89(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  secret_as_ntt[i] = ZERO_d6_79(););
+                  secret_as_ntt[i] = ZERO_ef_79(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(secret_key, uint8_t) /
                LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
@@ -8437,7 +8714,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_ba(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  u_as_ntt[i] = ZERO_d6_79(););
+                  u_as_ntt[i] = ZERO_ef_79(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t),
@@ -8463,6 +8740,18 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_ba(
       (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6));
 }
 
+/**
+A monomorphic instance of
+libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_v with types
+libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
+- K= 2
+- COMPRESSION_FACTOR= 4
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+deserialize_then_decompress_ring_element_v_29(Eurydice_slice serialized) {
+  return deserialize_then_decompress_4_79(serialized);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -8480,13 +8769,13 @@ compute_message_89(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_ef_79();
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-                      ntt_multiply_d6_79(&secret_as_ntt[i0], &u_as_ntt[i0]);
-                  add_to_ring_element_d6_89(&result, &product););
+                      ntt_multiply_ef_79(&secret_as_ntt[i0], &u_as_ntt[i0]);
+                  add_to_ring_element_ef_89(&result, &product););
   invert_ntt_montgomery_89(&result);
-  result = subtract_reduce_d6_79(v, result);
+  result = subtract_reduce_ef_79(v, result);
   return result;
 }
 
@@ -8530,7 +8819,7 @@ static KRML_MUSTINLINE void decrypt_unpacked_4b(
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[2U];
   deserialize_then_decompress_u_ba(ciphertext, u_as_ntt);
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v =
-      deserialize_then_decompress_ring_element_v_42(
+      deserialize_then_decompress_ring_element_v_29(
           Eurydice_array_to_subslice_from((size_t)768U, ciphertext,
                                           (size_t)640U, uint8_t, size_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message =
@@ -8582,6 +8871,9 @@ static KRML_MUSTINLINE void PRF_a9_49(Eurydice_slice input, uint8_t ret[32U]) {
   PRF_9e(input, ret);
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -8637,7 +8929,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_a1(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)800U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_d0(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_d0(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   PRF_a9_49(Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t),
@@ -8656,7 +8948,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_a1(
   kdf_d8_4d(shared_secret0, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_d0(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_d0(ciphertext),
       Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
index cbc9c0c6c..8f6b4009e 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem_avx2_H
@@ -30,54 +30,54 @@ void libcrux_ml_kem_hash_functions_avx2_G(Eurydice_slice input,
 void libcrux_ml_kem_hash_functions_avx2_H(Eurydice_slice input,
                                           uint8_t ret[32U]);
 
-__m256i libcrux_ml_kem_vector_avx2_zero(void);
+__m256i libcrux_ml_kem_vector_avx2_vec_zero(void);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_ZERO_ea(void);
+__m256i libcrux_ml_kem_vector_avx2_ZERO_9a(void);
 
-__m256i libcrux_ml_kem_vector_avx2_from_i16_array(Eurydice_slice array);
+__m256i libcrux_ml_kem_vector_avx2_vec_from_i16_array(Eurydice_slice array);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice array);
+__m256i libcrux_ml_kem_vector_avx2_from_i16_array_9a(Eurydice_slice array);
 
-void libcrux_ml_kem_vector_avx2_to_i16_array(__m256i v, int16_t ret[16U]);
+void libcrux_ml_kem_vector_avx2_vec_to_i16_array(__m256i v, int16_t ret[16U]);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-void libcrux_ml_kem_vector_avx2_to_i16_array_ea(__m256i x, int16_t ret[16U]);
+void libcrux_ml_kem_vector_avx2_to_i16_array_9a(__m256i x, int16_t ret[16U]);
 
 __m256i libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs, __m256i rhs);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_add_ea(__m256i lhs, __m256i *rhs);
+__m256i libcrux_ml_kem_vector_avx2_add_9a(__m256i lhs, __m256i *rhs);
 
 __m256i libcrux_ml_kem_vector_avx2_arithmetic_sub(__m256i lhs, __m256i rhs);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_sub_ea(__m256i lhs, __m256i *rhs);
+__m256i libcrux_ml_kem_vector_avx2_sub_9a(__m256i lhs, __m256i *rhs);
 
 __m256i libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(
     __m256i vector, int16_t constant);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_multiply_by_constant_ea(__m256i v,
+__m256i libcrux_ml_kem_vector_avx2_multiply_by_constant_9a(__m256i vec,
                                                            int16_t c);
 
 __m256i libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant(
@@ -85,19 +85,21 @@ __m256i libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea(
+__m256i libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_9a(
     __m256i vector, int16_t constant);
 
 __m256i libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(
     __m256i vector);
 
+__m256i libcrux_ml_kem_vector_avx2_cond_subtract_3329(__m256i vector);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(__m256i vector);
+__m256i libcrux_ml_kem_vector_avx2_cond_subtract_3329_9a(__m256i vector);
 
 #define LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER \
   ((int16_t)20159)
@@ -110,104 +112,127 @@ __m256i libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_barrett_reduce_ea(__m256i vector);
+__m256i libcrux_ml_kem_vector_avx2_barrett_reduce_9a(__m256i vector);
 
 __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant(
     __m256i vector, int16_t constant);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
+__m256i libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
     __m256i vector, int16_t constant);
 
 __m256i libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
     __m256i vector);
 
+__m256i libcrux_ml_kem_vector_avx2_compress_1(__m256i vector);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_compress_1_ea(__m256i vector);
+__m256i libcrux_ml_kem_vector_avx2_compress_1_9a(__m256i vector);
 
 __m256i libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(__m256i lhs,
                                                               __m256i rhs);
 
 __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants(
-    __m256i v, __m256i c);
+    __m256i vec, __m256i constants);
 
 __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
+__m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea(
+__m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_9a(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
 __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(__m256i vector,
                                                         int16_t zeta0,
                                                         int16_t zeta1);
 
+__m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step(__m256i vector,
+                                                    int16_t zeta0,
+                                                    int16_t zeta1);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea(__m256i vector,
+__m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_9a(__m256i vector,
                                                        int16_t zeta0,
                                                        int16_t zeta1);
 
 __m128i
 libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants(
-    __m128i v, __m128i c);
+    __m128i vec, __m128i constants);
 
 __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector,
                                                         int16_t zeta);
 
+__m256i libcrux_ml_kem_vector_avx2_ntt_layer_3_step(__m256i vector,
+                                                    int16_t zeta);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea(__m256i vector,
+__m256i libcrux_ml_kem_vector_avx2_ntt_layer_3_step_9a(__m256i vector,
                                                        int16_t zeta);
 
 __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
+__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea(
+__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_9a(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
 __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector,
                                                             int16_t zeta0,
                                                             int16_t zeta1);
 
+__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(__m256i vector,
+                                                        int16_t zeta0,
+                                                        int16_t zeta1);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea(__m256i vector,
+__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_9a(__m256i vector,
                                                            int16_t zeta0,
                                                            int16_t zeta1);
 
 __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(__m256i vector,
                                                             int16_t zeta);
 
+__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(__m256i vector,
+                                                        int16_t zeta);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea(__m256i vector,
+__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_9a(__m256i vector,
                                                            int16_t zeta);
 
-__m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i v);
+__m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(
+    __m256i vec);
 
 __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(__m256i lhs, __m256i rhs,
                                                     int16_t zeta0,
@@ -215,11 +240,15 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(__m256i lhs, __m256i rhs,
                                                     int16_t zeta2,
                                                     int16_t zeta3);
 
+__m256i libcrux_ml_kem_vector_avx2_ntt_multiply(__m256i *lhs, __m256i *rhs,
+                                                int16_t zeta0, int16_t zeta1,
+                                                int16_t zeta2, int16_t zeta3);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_ntt_multiply_ea(__m256i *lhs, __m256i *rhs,
+__m256i libcrux_ml_kem_vector_avx2_ntt_multiply_9a(__m256i *lhs, __m256i *rhs,
                                                    int16_t zeta0, int16_t zeta1,
                                                    int16_t zeta2,
                                                    int16_t zeta3);
@@ -227,85 +256,144 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_ea(__m256i *lhs, __m256i *rhs,
 void libcrux_ml_kem_vector_avx2_serialize_serialize_1(__m256i vector,
                                                       uint8_t ret[2U]);
 
+void libcrux_ml_kem_vector_avx2_serialize_1(__m256i vector, uint8_t ret[2U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-void libcrux_ml_kem_vector_avx2_serialize_1_ea(__m256i vector, uint8_t ret[2U]);
+void libcrux_ml_kem_vector_avx2_serialize_1_9a(__m256i vector, uint8_t ret[2U]);
+
+__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s(
+    int16_t a, int16_t b);
+
+__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s(
+    uint8_t a, uint8_t b);
 
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1(
     Eurydice_slice bytes);
 
+__m256i libcrux_ml_kem_vector_avx2_deserialize_1(Eurydice_slice bytes);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_deserialize_1_ea(Eurydice_slice bytes);
+__m256i libcrux_ml_kem_vector_avx2_deserialize_1_9a(Eurydice_slice bytes);
+
+/**
+ `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets
+ of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of
+ 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last
+ `n` bits are non-zero).
+*/
+__m256i libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n,
+                                                                  __m256i x);
 
 void libcrux_ml_kem_vector_avx2_serialize_serialize_4(__m256i vector,
                                                       uint8_t ret[8U]);
 
+void libcrux_ml_kem_vector_avx2_serialize_4(__m256i vector, uint8_t ret[8U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-void libcrux_ml_kem_vector_avx2_serialize_4_ea(__m256i vector, uint8_t ret[8U]);
+void libcrux_ml_kem_vector_avx2_serialize_4_9a(__m256i vector, uint8_t ret[8U]);
+
+__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s(
+    int16_t b0, int16_t b1, int16_t b2, int16_t b3, int16_t b4, int16_t b5,
+    int16_t b6, int16_t b7);
+
+__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s(
+    uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5,
+    uint8_t b6, uint8_t b7);
 
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4(
     Eurydice_slice bytes);
 
+__m256i libcrux_ml_kem_vector_avx2_deserialize_4(Eurydice_slice bytes);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_deserialize_4_ea(Eurydice_slice bytes);
+__m256i libcrux_ml_kem_vector_avx2_deserialize_4_9a(Eurydice_slice bytes);
 
 void libcrux_ml_kem_vector_avx2_serialize_serialize_5(__m256i vector,
                                                       uint8_t ret[10U]);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-void libcrux_ml_kem_vector_avx2_serialize_5_ea(__m256i vector,
+void libcrux_ml_kem_vector_avx2_serialize_5_9a(__m256i vector,
                                                uint8_t ret[10U]);
 
+/**
+ We cannot model `mm256_inserti128_si256` on its own: it produces a
+ Vec256 where the upper 128 bits are undefined. Thus
+ `mm256_inserti128_si256` is not pure.
+
+ Luckily, we always call `mm256_castsi128_si256` right after
+ `mm256_inserti128_si256`: this composition sets the upper bits,
+ making the whole computation pure again.
+*/
+__m256i libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(
+    __m128i lower, __m128i upper);
+
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5(
     Eurydice_slice bytes);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_deserialize_5_ea(Eurydice_slice bytes);
+__m256i libcrux_ml_kem_vector_avx2_deserialize_5_9a(Eurydice_slice bytes);
+
+typedef struct core_core_arch_x86___m128i_x2_s {
+  __m128i fst;
+  __m128i snd;
+} core_core_arch_x86___m128i_x2;
+
+core_core_arch_x86___m128i_x2
+libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec(
+    __m256i vector);
 
 void libcrux_ml_kem_vector_avx2_serialize_serialize_10(__m256i vector,
                                                        uint8_t ret[20U]);
 
+void libcrux_ml_kem_vector_avx2_serialize_10(__m256i vector, uint8_t ret[20U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-void libcrux_ml_kem_vector_avx2_serialize_10_ea(__m256i vector,
+void libcrux_ml_kem_vector_avx2_serialize_10_9a(__m256i vector,
                                                 uint8_t ret[20U]);
 
+__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec(
+    __m128i lower_coefficients0, __m128i upper_coefficients0);
+
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10(
     Eurydice_slice bytes);
 
+__m256i libcrux_ml_kem_vector_avx2_deserialize_10(Eurydice_slice bytes);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_deserialize_10_ea(Eurydice_slice bytes);
+__m256i libcrux_ml_kem_vector_avx2_deserialize_10_9a(Eurydice_slice bytes);
 
 void libcrux_ml_kem_vector_avx2_serialize_serialize_11(__m256i vector,
                                                        uint8_t ret[22U]);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-void libcrux_ml_kem_vector_avx2_serialize_11_ea(__m256i vector,
+void libcrux_ml_kem_vector_avx2_serialize_11_9a(__m256i vector,
                                                 uint8_t ret[22U]);
 
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_11(
@@ -313,37 +401,48 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_11(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_deserialize_11_ea(Eurydice_slice bytes);
+__m256i libcrux_ml_kem_vector_avx2_deserialize_11_9a(Eurydice_slice bytes);
+
+core_core_arch_x86___m128i_x2
+libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec(
+    __m256i vector);
 
 void libcrux_ml_kem_vector_avx2_serialize_serialize_12(__m256i vector,
                                                        uint8_t ret[24U]);
 
+void libcrux_ml_kem_vector_avx2_serialize_12(__m256i vector, uint8_t ret[24U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-void libcrux_ml_kem_vector_avx2_serialize_12_ea(__m256i vector,
+void libcrux_ml_kem_vector_avx2_serialize_12_9a(__m256i vector,
                                                 uint8_t ret[24U]);
 
+__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec(
+    __m128i lower_coefficients0, __m128i upper_coefficients0);
+
 __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12(
     Eurydice_slice bytes);
 
+__m256i libcrux_ml_kem_vector_avx2_deserialize_12(Eurydice_slice bytes);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-__m256i libcrux_ml_kem_vector_avx2_deserialize_12_ea(Eurydice_slice bytes);
+__m256i libcrux_ml_kem_vector_avx2_deserialize_12_9a(Eurydice_slice bytes);
 
 size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample(
     Eurydice_slice input, Eurydice_slice output);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
-size_t libcrux_ml_kem_vector_avx2_rej_sample_ea(Eurydice_slice input,
+size_t libcrux_ml_kem_vector_avx2_rej_sample_9a(Eurydice_slice input,
                                                 Eurydice_slice output);
 
 /**
@@ -352,6 +451,12 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#1}
 */
 __m256i libcrux_ml_kem_vector_avx2_clone_3a(__m256i *self);
 
+/**
+This function found in impl {(libcrux_ml_kem::vector::traits::Repr for
+libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+*/
+void libcrux_ml_kem_vector_avx2_repr_11(__m256i x, int16_t ret[16U]);
+
 #if defined(__cplusplus)
 }
 #endif
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_neon.c b/libcrux-ml-kem/c/libcrux_mlkem_neon.c
deleted file mode 100644
index 68997c944..000000000
--- a/libcrux-ml-kem/c/libcrux_mlkem_neon.c
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
- *
- * SPDX-License-Identifier: MIT or Apache-2.0
- *
- * This code was generated with the following revisions:
- * Charon: 962f26311ccdf09a6a3cfeacbccafba22bf3d405
- * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3
- * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a
- * F*: 58c915a86a2c07c8eca8d9deafd76cb7a91f0eb7
- * Libcrux: 6b71b5fae48b400c6dac49234638dd52385d111d
- */
-
-#include "libcrux_mlkem_neon.h"
-
-KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_neon_G(Eurydice_slice input,
-                                                          uint8_t ret[64U]) {
-  uint8_t digest[64U] = {0U};
-  libcrux_sha3_neon_sha512(
-      Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input);
-  memcpy(ret, digest, (size_t)64U * sizeof(uint8_t));
-}
-
-KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_neon_H(Eurydice_slice input,
-                                                          uint8_t ret[32U]) {
-  uint8_t digest[32U] = {0U};
-  libcrux_sha3_neon_sha256(
-      Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input);
-  memcpy(ret, digest, (size_t)32U * sizeof(uint8_t));
-}
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_neon.h b/libcrux-ml-kem/c/libcrux_mlkem_neon.h
deleted file mode 100644
index aee7d70ec..000000000
--- a/libcrux-ml-kem/c/libcrux_mlkem_neon.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
- *
- * SPDX-License-Identifier: MIT or Apache-2.0
- *
- * This code was generated with the following revisions:
- * Charon: 962f26311ccdf09a6a3cfeacbccafba22bf3d405
- * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3
- * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a
- * F*: 58c915a86a2c07c8eca8d9deafd76cb7a91f0eb7
- * Libcrux: 6b71b5fae48b400c6dac49234638dd52385d111d
- */
-
-#ifndef __libcrux_mlkem_neon_H
-#define __libcrux_mlkem_neon_H
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-#include "eurydice_glue.h"
-#include "libcrux_core.h"
-#include "libcrux_sha3_neon.h"
-
-void libcrux_ml_kem_hash_functions_neon_G(Eurydice_slice input,
-                                          uint8_t ret[64U]);
-
-void libcrux_ml_kem_hash_functions_neon_H(Eurydice_slice input,
-                                          uint8_t ret[32U]);
-
-#if defined(__cplusplus)
-}
-#endif
-
-#define __libcrux_mlkem_neon_H_DEFINED
-#endif
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
index 3272dbcf8..f787aa9c9 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "internal/libcrux_mlkem_portable.h"
@@ -32,7 +32,7 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_H(
   memcpy(ret, digest, (size_t)32U * sizeof(uint8_t));
 }
 
-const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U] = {
+static const int16_t ZETAS_TIMES_MONTGOMERY_R[128U] = {
     (int16_t)-1044, (int16_t)-758,  (int16_t)-359,  (int16_t)-1517,
     (int16_t)1493,  (int16_t)1422,  (int16_t)287,   (int16_t)202,
     (int16_t)-171,  (int16_t)622,   (int16_t)1577,  (int16_t)182,
@@ -66,6 +66,10 @@ const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U] = {
     (int16_t)-108,  (int16_t)-308,  (int16_t)996,   (int16_t)991,
     (int16_t)958,   (int16_t)-1460, (int16_t)1522,  (int16_t)1628};
 
+int16_t libcrux_ml_kem_polynomial_zeta(size_t i) {
+  return ZETAS_TIMES_MONTGOMERY_R[i];
+}
+
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_vector_type_from_i16_array(
     Eurydice_slice array) {
@@ -82,10 +86,10 @@ libcrux_ml_kem_vector_portable_vector_type_from_i16_array(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_from_i16_array_0d(Eurydice_slice array) {
+libcrux_ml_kem_vector_portable_from_i16_array_2c(Eurydice_slice array) {
   return libcrux_ml_kem_vector_portable_vector_type_from_i16_array(array);
 }
 
@@ -171,40 +175,44 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_11(
       libcrux_ml_kem_vector_portable_serialize_serialize_11_int(
           Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U,
                                       int16_t));
-  uint8_t result[22U] = {0U};
-  result[0U] = r0_10.fst;
-  result[1U] = r0_10.snd;
-  result[2U] = r0_10.thd;
-  result[3U] = r0_10.f3;
-  result[4U] = r0_10.f4;
-  result[5U] = r0_10.f5;
-  result[6U] = r0_10.f6;
-  result[7U] = r0_10.f7;
-  result[8U] = r0_10.f8;
-  result[9U] = r0_10.f9;
-  result[10U] = r0_10.f10;
-  result[11U] = r11_21.fst;
-  result[12U] = r11_21.snd;
-  result[13U] = r11_21.thd;
-  result[14U] = r11_21.f3;
-  result[15U] = r11_21.f4;
-  result[16U] = r11_21.f5;
-  result[17U] = r11_21.f6;
-  result[18U] = r11_21.f7;
-  result[19U] = r11_21.f8;
-  result[20U] = r11_21.f9;
-  result[21U] = r11_21.f10;
-  memcpy(ret, result, (size_t)22U * sizeof(uint8_t));
+  ret[0U] = r0_10.fst;
+  ret[1U] = r0_10.snd;
+  ret[2U] = r0_10.thd;
+  ret[3U] = r0_10.f3;
+  ret[4U] = r0_10.f4;
+  ret[5U] = r0_10.f5;
+  ret[6U] = r0_10.f6;
+  ret[7U] = r0_10.f7;
+  ret[8U] = r0_10.f8;
+  ret[9U] = r0_10.f9;
+  ret[10U] = r0_10.f10;
+  ret[11U] = r11_21.fst;
+  ret[12U] = r11_21.snd;
+  ret[13U] = r11_21.thd;
+  ret[14U] = r11_21.f3;
+  ret[15U] = r11_21.f4;
+  ret[16U] = r11_21.f5;
+  ret[17U] = r11_21.f6;
+  ret[18U] = r11_21.f7;
+  ret[19U] = r11_21.f8;
+  ret[20U] = r11_21.f9;
+  ret[21U] = r11_21.f10;
+}
+
+void libcrux_ml_kem_vector_portable_serialize_11(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[22U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_11_0d(
+void libcrux_ml_kem_vector_portable_serialize_11_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[22U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_11(a, ret);
 }
 
 KRML_MUSTINLINE int16_t_x8
@@ -270,28 +278,6 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
                                .f7 = r7});
 }
 
-KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_vector_type_zero(void) {
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
-  lit.elements[0U] = (int16_t)0;
-  lit.elements[1U] = (int16_t)0;
-  lit.elements[2U] = (int16_t)0;
-  lit.elements[3U] = (int16_t)0;
-  lit.elements[4U] = (int16_t)0;
-  lit.elements[5U] = (int16_t)0;
-  lit.elements[6U] = (int16_t)0;
-  lit.elements[7U] = (int16_t)0;
-  lit.elements[8U] = (int16_t)0;
-  lit.elements[9U] = (int16_t)0;
-  lit.elements[10U] = (int16_t)0;
-  lit.elements[11U] = (int16_t)0;
-  lit.elements[12U] = (int16_t)0;
-  lit.elements[13U] = (int16_t)0;
-  lit.elements[14U] = (int16_t)0;
-  lit.elements[15U] = (int16_t)0;
-  return lit;
-}
-
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) {
   int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
@@ -299,34 +285,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) {
   int16_t_x8 v8_15 =
       libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
           Eurydice_slice_subslice2(bytes, (size_t)11U, (size_t)22U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  v.elements[0U] = v0_7.fst;
-  v.elements[1U] = v0_7.snd;
-  v.elements[2U] = v0_7.thd;
-  v.elements[3U] = v0_7.f3;
-  v.elements[4U] = v0_7.f4;
-  v.elements[5U] = v0_7.f5;
-  v.elements[6U] = v0_7.f6;
-  v.elements[7U] = v0_7.f7;
-  v.elements[8U] = v8_15.fst;
-  v.elements[9U] = v8_15.snd;
-  v.elements[10U] = v8_15.thd;
-  v.elements[11U] = v8_15.f3;
-  v.elements[12U] = v8_15.f4;
-  v.elements[13U] = v8_15.f5;
-  v.elements[14U] = v8_15.f6;
-  v.elements[15U] = v8_15.f7;
-  return v;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_7.fst;
+  lit.elements[1U] = v0_7.snd;
+  lit.elements[2U] = v0_7.thd;
+  lit.elements[3U] = v0_7.f3;
+  lit.elements[4U] = v0_7.f4;
+  lit.elements[5U] = v0_7.f5;
+  lit.elements[6U] = v0_7.f6;
+  lit.elements[7U] = v0_7.f7;
+  lit.elements[8U] = v8_15.fst;
+  lit.elements[9U] = v8_15.snd;
+  lit.elements[10U] = v8_15.thd;
+  lit.elements[11U] = v8_15.f3;
+  lit.elements[12U] = v8_15.f4;
+  lit.elements[13U] = v8_15.f5;
+  lit.elements[14U] = v8_15.f6;
+  lit.elements[15U] = v8_15.f7;
+  return lit;
+}
+
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_11(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_11_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a);
+libcrux_ml_kem_vector_portable_deserialize_11_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_11(a);
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_vector_type_to_i16_array(
@@ -337,9 +327,9 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_vector_type_to_i16_array(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_to_i16_array_0d(
+void libcrux_ml_kem_vector_portable_to_i16_array_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector x,
     int16_t ret[16U]) {
   libcrux_ml_kem_vector_portable_vector_type_to_i16_array(x, ret);
@@ -860,12 +850,34 @@ const uint8_t
                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U,
                         13U, 14U, 15U}};
 
+KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_vector_type_zero(void) {
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = (int16_t)0;
+  lit.elements[1U] = (int16_t)0;
+  lit.elements[2U] = (int16_t)0;
+  lit.elements[3U] = (int16_t)0;
+  lit.elements[4U] = (int16_t)0;
+  lit.elements[5U] = (int16_t)0;
+  lit.elements[6U] = (int16_t)0;
+  lit.elements[7U] = (int16_t)0;
+  lit.elements[8U] = (int16_t)0;
+  lit.elements[9U] = (int16_t)0;
+  lit.elements[10U] = (int16_t)0;
+  lit.elements[11U] = (int16_t)0;
+  lit.elements[12U] = (int16_t)0;
+  lit.elements[13U] = (int16_t)0;
+  lit.elements[14U] = (int16_t)0;
+  lit.elements[15U] = (int16_t)0;
+  return lit;
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ZERO_0d(void) {
+libcrux_ml_kem_vector_portable_ZERO_2c(void) {
   return libcrux_ml_kem_vector_portable_vector_type_zero();
 }
 
@@ -884,10 +896,10 @@ libcrux_ml_kem_vector_portable_arithmetic_add(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_add_0d(
+libcrux_ml_kem_vector_portable_add_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
   return libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs);
@@ -908,10 +920,10 @@ libcrux_ml_kem_vector_portable_arithmetic_sub(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_sub_0d(
+libcrux_ml_kem_vector_portable_sub_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
   return libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs);
@@ -919,80 +931,73 @@ libcrux_ml_kem_vector_portable_sub_0d(
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     size_t uu____0 = i0;
-    v.elements[uu____0] = v.elements[uu____0] * c;
+    vec.elements[uu____0] = vec.elements[uu____0] * c;
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_multiply_by_constant_0d(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
-  return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(v, c);
+libcrux_ml_kem_vector_portable_multiply_by_constant_2c(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) {
+  return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c);
 }
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     size_t uu____0 = i0;
-    v.elements[uu____0] = v.elements[uu____0] & c;
+    vec.elements[uu____0] = vec.elements[uu____0] & c;
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
+libcrux_ml_kem_vector_portable_bitwise_and_with_constant_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
   return libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(v,
                                                                              c);
 }
 
+/**
+ Note: This function is not secret independent
+ Only use with public values.
+*/
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  core_ops_range_Range_08 iter =
-      core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
-          (CLITERAL(core_ops_range_Range_08){
-              .start = (size_t)0U,
-              .end = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR}),
-          core_ops_range_Range_08, core_ops_range_Range_08);
-  while (true) {
-    core_option_Option_08 uu____0 =
-        core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
-            &iter, size_t, core_option_Option_08);
-    if (uu____0.tag == core_option_None) {
-      return v;
-    } else {
-      size_t i = uu____0.f0;
-      if (v.elements[i] >= (int16_t)3329) {
-        size_t uu____1 = i;
-        v.elements[uu____1] = v.elements[uu____1] - (int16_t)3329;
-      }
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) {
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
+    size_t i0 = i;
+    if (vec.elements[i0] >= (int16_t)3329) {
+      size_t uu____0 = i0;
+      vec.elements[uu____0] = vec.elements[uu____0] - (int16_t)3329;
     }
   }
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(
+libcrux_ml_kem_vector_portable_cond_subtract_3329_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
   return libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(v);
 }
@@ -1008,39 +1013,40 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(
 
  `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1)
 
- In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`.
+ Note: The input bound is 28296 to prevent overflow in the multiplication of
+ quotient by FIELD_MODULUS
+
 */
 int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
     int16_t value) {
   int32_t t = (int32_t)value *
                   LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER +
-              (LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R >> 1U);
+              (LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_R >> 1U);
   int16_t quotient =
-      (int16_t)(t >>
-                (uint32_t)
-                    LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT);
+      (int16_t)(t >> (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT);
   return value - quotient * LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
 }
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    v.elements[i0] =
+    int16_t vi =
         libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
-            v.elements[i0]);
+            vec.elements[i0]);
+    vec.elements[i0] = vi;
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_barrett_reduce_0d(
+libcrux_ml_kem_vector_portable_barrett_reduce_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
   return libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(v);
 }
@@ -1054,10 +1060,12 @@ libcrux_ml_kem_vector_portable_barrett_reduce_0d(
  - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS)
  - the absolute value of `o` is bound as follows:
 
- `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2)
+ `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665
+
+ In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <=
+ FIELD_MODULUS-1`. And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <=
+ FIELD_MODULUS + 1664
 
- In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 ·
- FIELD_MODULUS) / 2`.
 */
 int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
     int32_t value) {
@@ -1091,29 +1099,30 @@ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
 KRML_MUSTINLINE int16_t
 libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
     int16_t fe, int16_t fer) {
+  int32_t product = (int32_t)fe * (int32_t)fer;
   return libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
-      (int32_t)fe * (int32_t)fer);
+      product);
 }
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    v.elements[i0] =
+    vec.elements[i0] =
         libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
-            v.elements[i0], c);
+            vec.elements[i0], c);
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
+libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t r) {
   return libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant(
       v, r);
@@ -1147,30 +1156,32 @@ uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient(
   int16_t mask = shifted >> 15U;
   int16_t shifted_to_positive = mask ^ shifted;
   int16_t shifted_positive_in_range = shifted_to_positive - (int16_t)832;
-  return (uint8_t)(shifted_positive_in_range >> 15U & (int16_t)1);
+  int16_t r0 = shifted_positive_in_range >> 15U;
+  int16_t r1 = r0 & (int16_t)1;
+  return (uint8_t)r1;
 }
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_compress_1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    v.elements[i0] = (int16_t)
+    a.elements[i0] = (int16_t)
         libcrux_ml_kem_vector_portable_compress_compress_message_coefficient(
-            (uint16_t)v.elements[i0]);
+            (uint16_t)a.elements[i0]);
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_compress_1_0d(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return libcrux_ml_kem_vector_portable_compress_compress_1(v);
+libcrux_ml_kem_vector_portable_compress_1_2c(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return libcrux_ml_kem_vector_portable_compress_compress_1(a);
 }
 
 KRML_MUSTINLINE uint32_t
@@ -1191,44 +1202,46 @@ int16_t libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta,
-    size_t i, size_t j) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec,
+    int16_t zeta, size_t i, size_t j) {
   int16_t t =
       libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
-          v->elements[j], zeta);
-  v->elements[j] = v->elements[i] - t;
-  v->elements[i] = v->elements[i] + t;
+          vec->elements[j], zeta);
+  int16_t a_minus_t = vec->elements[i] - t;
+  int16_t a_plus_t = vec->elements[i] + t;
+  vec->elements[j] = a_minus_t;
+  vec->elements[i] = a_plus_t;
 }
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1, int16_t zeta2, int16_t zeta3) {
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U,
                                               (size_t)2U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U,
                                               (size_t)3U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)4U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)4U,
                                               (size_t)6U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)5U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)5U,
                                               (size_t)7U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)8U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)8U,
                                               (size_t)10U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)9U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)9U,
                                               (size_t)11U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)12U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)12U,
                                               (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)13U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)13U,
                                               (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
+libcrux_ml_kem_vector_portable_ntt_layer_1_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1, int16_t zeta2, int16_t zeta3) {
   return libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1,
@@ -1237,33 +1250,33 @@ libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1) {
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1) {
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U,
                                               (size_t)4U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U,
                                               (size_t)5U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)2U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)2U,
                                               (size_t)6U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)3U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)3U,
                                               (size_t)7U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)8U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)8U,
                                               (size_t)12U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)9U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)9U,
                                               (size_t)13U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)10U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)10U,
                                               (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)11U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)11U,
                                               (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
+libcrux_ml_kem_vector_portable_ntt_layer_2_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1) {
   return libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1);
@@ -1271,75 +1284,80 @@ libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) {
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)0U, (size_t)8U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)1U, (size_t)9U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)2U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta) {
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)0U,
+                                              (size_t)8U);
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)1U,
+                                              (size_t)9U);
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)2U,
                                               (size_t)10U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)3U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)3U,
                                               (size_t)11U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)4U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)4U,
                                               (size_t)12U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)5U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)5U,
                                               (size_t)13U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)6U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)6U,
                                               (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)7U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)7U,
                                               (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d(
+libcrux_ml_kem_vector_portable_ntt_layer_3_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) {
   return libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta);
 }
 
 KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta,
-    size_t i, size_t j) {
-  int16_t a_minus_b = v->elements[j] - v->elements[i];
-  v->elements[i] =
-      libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
-          v->elements[i] + v->elements[j]);
-  v->elements[j] =
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec,
+    int16_t zeta, size_t i, size_t j) {
+  int16_t a_minus_b = vec->elements[j] - vec->elements[i];
+  int16_t a_plus_b = vec->elements[j] + vec->elements[i];
+  int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
+      a_plus_b);
+  int16_t o1 =
       libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
           a_minus_b, zeta);
+  vec->elements[i] = o0;
+  vec->elements[j] = o1;
 }
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1, int16_t zeta2, int16_t zeta3) {
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U,
                                                   (size_t)2U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U,
                                                   (size_t)3U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)4U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)4U,
                                                   (size_t)6U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)5U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)5U,
                                                   (size_t)7U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)8U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)8U,
                                                   (size_t)10U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)9U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)9U,
                                                   (size_t)11U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)12U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)12U,
                                                   (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)13U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)13U,
                                                   (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d(
+libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1, int16_t zeta2, int16_t zeta3) {
   return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(
@@ -1348,33 +1366,33 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d(
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1) {
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1) {
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U,
                                                   (size_t)4U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U,
                                                   (size_t)5U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)2U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)2U,
                                                   (size_t)6U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)3U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)3U,
                                                   (size_t)7U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)8U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)8U,
                                                   (size_t)12U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)9U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)9U,
                                                   (size_t)13U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)10U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)10U,
                                                   (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)11U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)11U,
                                                   (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d(
+libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1) {
   return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0,
@@ -1383,32 +1401,33 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d(
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) {
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta) {
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)0U,
                                                   (size_t)8U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)1U,
                                                   (size_t)9U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)2U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)2U,
                                                   (size_t)10U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)3U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)3U,
                                                   (size_t)11U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)4U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)4U,
                                                   (size_t)12U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)5U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)5U,
                                                   (size_t)13U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)6U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)6U,
                                                   (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)7U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)7U,
                                                   (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d(
+libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) {
   return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta);
 }
@@ -1438,20 +1457,31 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d(
 KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *a,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta,
-    size_t i, size_t j,
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) {
-  int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
-      (int32_t)a->elements[i] * (int32_t)b->elements[i] +
-      (int32_t)
-              libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
-                  (int32_t)a->elements[j] * (int32_t)b->elements[j]) *
-          (int32_t)zeta);
+    size_t i, libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) {
+  int16_t ai = a->elements[(size_t)2U * i];
+  int16_t bi = b->elements[(size_t)2U * i];
+  int16_t aj = a->elements[(size_t)2U * i + (size_t)1U];
+  int16_t bj = b->elements[(size_t)2U * i + (size_t)1U];
+  int32_t ai_bi = (int32_t)ai * (int32_t)bi;
+  int32_t aj_bj_ = (int32_t)aj * (int32_t)bj;
+  int16_t aj_bj =
+      libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
+          aj_bj_);
+  int32_t aj_bj_zeta = (int32_t)aj_bj * (int32_t)zeta;
+  int32_t ai_bi_aj_bj = ai_bi + aj_bj_zeta;
+  int16_t o0 =
+      libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
+          ai_bi_aj_bj);
+  int32_t ai_bj = (int32_t)ai * (int32_t)bj;
+  int32_t aj_bi = (int32_t)aj * (int32_t)bi;
+  int32_t ai_bj_aj_bi = ai_bj + aj_bi;
   int16_t o1 =
       libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
-          (int32_t)a->elements[i] * (int32_t)b->elements[j] +
-          (int32_t)a->elements[j] * (int32_t)b->elements[i]);
-  out->elements[i] = o0;
-  out->elements[j] = o1;
+          ai_bj_aj_bi);
+  int16_t _out0[16U];
+  memcpy(_out0, out->elements, (size_t)16U * sizeof(int16_t));
+  out->elements[(size_t)2U * i] = o0;
+  out->elements[(size_t)2U * i + (size_t)1U] = o1;
 }
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
@@ -1459,33 +1489,37 @@ libcrux_ml_kem_vector_portable_ntt_ntt_multiply(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs,
     int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
+  int16_t nzeta0 = -zeta0;
+  int16_t nzeta1 = -zeta1;
+  int16_t nzeta2 = -zeta2;
+  int16_t nzeta3 = -zeta3;
   libcrux_ml_kem_vector_portable_vector_type_PortableVector out =
       libcrux_ml_kem_vector_portable_vector_type_zero();
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, zeta0, (size_t)0U, (size_t)1U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, -zeta0, (size_t)2U, (size_t)3U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, zeta1, (size_t)4U, (size_t)5U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, -zeta1, (size_t)6U, (size_t)7U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, zeta2, (size_t)8U, (size_t)9U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, -zeta2, (size_t)10U, (size_t)11U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, zeta3, (size_t)12U, (size_t)13U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, -zeta3, (size_t)14U, (size_t)15U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta0,
+                                                            (size_t)0U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta0,
+                                                            (size_t)1U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta1,
+                                                            (size_t)2U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta1,
+                                                            (size_t)3U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta2,
+                                                            (size_t)4U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta2,
+                                                            (size_t)5U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta3,
+                                                            (size_t)6U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta3,
+                                                            (size_t)7U, &out);
   return out;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_multiply_0d(
+libcrux_ml_kem_vector_portable_ntt_multiply_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs,
     int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
@@ -1496,58 +1530,138 @@ libcrux_ml_kem_vector_portable_ntt_multiply_0d(
 KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_1(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
     uint8_t ret[2U]) {
-  uint8_t result[2U] = {0U};
-  KRML_MAYBE_FOR8(
-      i, (size_t)0U, (size_t)8U, (size_t)1U, size_t i0 = i;
-      size_t uu____0 = (size_t)0U;
-      result[uu____0] = (uint32_t)result[uu____0] |
-                        (uint32_t)(uint8_t)v.elements[i0] << (uint32_t)i0;);
-  KRML_MAYBE_FOR8(i, (size_t)8U, (size_t)16U, (size_t)1U, size_t i0 = i;
-                  size_t uu____1 = (size_t)1U;
-                  result[uu____1] = (uint32_t)result[uu____1] |
-                                    (uint32_t)(uint8_t)v.elements[i0]
-                                        << (uint32_t)(i0 - (size_t)8U););
-  memcpy(ret, result, (size_t)2U * sizeof(uint8_t));
+  uint8_t result0 = (((((((uint32_t)(uint8_t)v.elements[0U] |
+                          (uint32_t)(uint8_t)v.elements[1U] << 1U) |
+                         (uint32_t)(uint8_t)v.elements[2U] << 2U) |
+                        (uint32_t)(uint8_t)v.elements[3U] << 3U) |
+                       (uint32_t)(uint8_t)v.elements[4U] << 4U) |
+                      (uint32_t)(uint8_t)v.elements[5U] << 5U) |
+                     (uint32_t)(uint8_t)v.elements[6U] << 6U) |
+                    (uint32_t)(uint8_t)v.elements[7U] << 7U;
+  uint8_t result1 = (((((((uint32_t)(uint8_t)v.elements[8U] |
+                          (uint32_t)(uint8_t)v.elements[9U] << 1U) |
+                         (uint32_t)(uint8_t)v.elements[10U] << 2U) |
+                        (uint32_t)(uint8_t)v.elements[11U] << 3U) |
+                       (uint32_t)(uint8_t)v.elements[12U] << 4U) |
+                      (uint32_t)(uint8_t)v.elements[13U] << 5U) |
+                     (uint32_t)(uint8_t)v.elements[14U] << 6U) |
+                    (uint32_t)(uint8_t)v.elements[15U] << 7U;
+  ret[0U] = result0;
+  ret[1U] = result1;
+}
+
+void libcrux_ml_kem_vector_portable_serialize_1(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[2U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_1_0d(
+void libcrux_ml_kem_vector_portable_serialize_1_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[2U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_1(a, ret);
 }
 
 KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) {
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector result =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  KRML_MAYBE_FOR8(
-      i, (size_t)0U, (size_t)8U, (size_t)1U, size_t i0 = i;
-      result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index(
-                                          v, (size_t)0U, uint8_t, uint8_t *) >>
-                                          (uint32_t)i0 &
-                                      1U););
-  for (size_t i = (size_t)8U;
-       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
-    size_t i0 = i;
-    result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index(
-                                        v, (size_t)1U, uint8_t, uint8_t *) >>
-                                        (uint32_t)(i0 - (size_t)8U) &
-                                    1U);
-  }
-  return result;
+  int16_t result0 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) &
+                              1U);
+  int16_t result1 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  1U &
+                              1U);
+  int16_t result2 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  2U &
+                              1U);
+  int16_t result3 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  3U &
+                              1U);
+  int16_t result4 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  4U &
+                              1U);
+  int16_t result5 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  5U &
+                              1U);
+  int16_t result6 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  6U &
+                              1U);
+  int16_t result7 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  7U &
+                              1U);
+  int16_t result8 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)1U, uint8_t, uint8_t *) &
+                              1U);
+  int16_t result9 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)1U, uint8_t, uint8_t *) >>
+                                  1U &
+                              1U);
+  int16_t result10 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   2U &
+                               1U);
+  int16_t result11 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   3U &
+                               1U);
+  int16_t result12 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   4U &
+                               1U);
+  int16_t result13 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   5U &
+                               1U);
+  int16_t result14 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   6U &
+                               1U);
+  int16_t result15 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   7U &
+                               1U);
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = result0;
+  lit.elements[1U] = result1;
+  lit.elements[2U] = result2;
+  lit.elements[3U] = result3;
+  lit.elements[4U] = result4;
+  lit.elements[5U] = result5;
+  lit.elements[6U] = result6;
+  lit.elements[7U] = result7;
+  lit.elements[8U] = result8;
+  lit.elements[9U] = result9;
+  lit.elements[10U] = result10;
+  lit.elements[11U] = result11;
+  lit.elements[12U] = result12;
+  lit.elements[13U] = result13;
+  lit.elements[14U] = result14;
+  lit.elements[15U] = result15;
+  return lit;
+}
+
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_1_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a);
+libcrux_ml_kem_vector_portable_deserialize_1_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_1(a);
 }
 
 KRML_MUSTINLINE uint8_t_x4
@@ -1587,26 +1701,30 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_4(
       libcrux_ml_kem_vector_portable_serialize_serialize_4_int(
           Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U,
                                       int16_t));
-  uint8_t result[8U] = {0U};
-  result[0U] = result0_3.fst;
-  result[1U] = result0_3.snd;
-  result[2U] = result0_3.thd;
-  result[3U] = result0_3.f3;
-  result[4U] = result4_7.fst;
-  result[5U] = result4_7.snd;
-  result[6U] = result4_7.thd;
-  result[7U] = result4_7.f3;
-  memcpy(ret, result, (size_t)8U * sizeof(uint8_t));
+  ret[0U] = result0_3.fst;
+  ret[1U] = result0_3.snd;
+  ret[2U] = result0_3.thd;
+  ret[3U] = result0_3.f3;
+  ret[4U] = result4_7.fst;
+  ret[5U] = result4_7.snd;
+  ret[6U] = result4_7.thd;
+  ret[7U] = result4_7.f3;
+}
+
+void libcrux_ml_kem_vector_portable_serialize_4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[8U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_4_0d(
+void libcrux_ml_kem_vector_portable_serialize_4_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[8U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_4(a, ret);
 }
 
 KRML_MUSTINLINE int16_t_x8
@@ -1656,34 +1774,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) {
       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)4U, uint8_t));
   int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int(
       Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)8U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  v.elements[0U] = v0_7.fst;
-  v.elements[1U] = v0_7.snd;
-  v.elements[2U] = v0_7.thd;
-  v.elements[3U] = v0_7.f3;
-  v.elements[4U] = v0_7.f4;
-  v.elements[5U] = v0_7.f5;
-  v.elements[6U] = v0_7.f6;
-  v.elements[7U] = v0_7.f7;
-  v.elements[8U] = v8_15.fst;
-  v.elements[9U] = v8_15.snd;
-  v.elements[10U] = v8_15.thd;
-  v.elements[11U] = v8_15.f3;
-  v.elements[12U] = v8_15.f4;
-  v.elements[13U] = v8_15.f5;
-  v.elements[14U] = v8_15.f6;
-  v.elements[15U] = v8_15.f7;
-  return v;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_7.fst;
+  lit.elements[1U] = v0_7.snd;
+  lit.elements[2U] = v0_7.thd;
+  lit.elements[3U] = v0_7.f3;
+  lit.elements[4U] = v0_7.f4;
+  lit.elements[5U] = v0_7.f5;
+  lit.elements[6U] = v0_7.f6;
+  lit.elements[7U] = v0_7.f7;
+  lit.elements[8U] = v8_15.fst;
+  lit.elements[9U] = v8_15.snd;
+  lit.elements[10U] = v8_15.thd;
+  lit.elements[11U] = v8_15.f3;
+  lit.elements[12U] = v8_15.f4;
+  lit.elements[13U] = v8_15.f5;
+  lit.elements[14U] = v8_15.f6;
+  lit.elements[15U] = v8_15.f7;
+  return lit;
+}
+
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_4_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a);
+libcrux_ml_kem_vector_portable_deserialize_4_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_4(a);
 }
 
 KRML_MUSTINLINE uint8_t_x5
@@ -1719,28 +1841,32 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_5(
   uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int(
       Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U,
                                   int16_t));
-  uint8_t result[10U] = {0U};
-  result[0U] = r0_4.fst;
-  result[1U] = r0_4.snd;
-  result[2U] = r0_4.thd;
-  result[3U] = r0_4.f3;
-  result[4U] = r0_4.f4;
-  result[5U] = r5_9.fst;
-  result[6U] = r5_9.snd;
-  result[7U] = r5_9.thd;
-  result[8U] = r5_9.f3;
-  result[9U] = r5_9.f4;
-  memcpy(ret, result, (size_t)10U * sizeof(uint8_t));
+  ret[0U] = r0_4.fst;
+  ret[1U] = r0_4.snd;
+  ret[2U] = r0_4.thd;
+  ret[3U] = r0_4.f3;
+  ret[4U] = r0_4.f4;
+  ret[5U] = r5_9.fst;
+  ret[6U] = r5_9.snd;
+  ret[7U] = r5_9.thd;
+  ret[8U] = r5_9.f3;
+  ret[9U] = r5_9.f4;
+}
+
+void libcrux_ml_kem_vector_portable_serialize_5(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[10U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_5_0d(
+void libcrux_ml_kem_vector_portable_serialize_5_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[10U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_5(a, ret);
 }
 
 KRML_MUSTINLINE int16_t_x8
@@ -1801,34 +1927,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes) {
       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)5U, uint8_t));
   int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int(
       Eurydice_slice_subslice2(bytes, (size_t)5U, (size_t)10U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  v.elements[0U] = v0_7.fst;
-  v.elements[1U] = v0_7.snd;
-  v.elements[2U] = v0_7.thd;
-  v.elements[3U] = v0_7.f3;
-  v.elements[4U] = v0_7.f4;
-  v.elements[5U] = v0_7.f5;
-  v.elements[6U] = v0_7.f6;
-  v.elements[7U] = v0_7.f7;
-  v.elements[8U] = v8_15.fst;
-  v.elements[9U] = v8_15.snd;
-  v.elements[10U] = v8_15.thd;
-  v.elements[11U] = v8_15.f3;
-  v.elements[12U] = v8_15.f4;
-  v.elements[13U] = v8_15.f5;
-  v.elements[14U] = v8_15.f6;
-  v.elements[15U] = v8_15.f7;
-  return v;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_7.fst;
+  lit.elements[1U] = v0_7.snd;
+  lit.elements[2U] = v0_7.thd;
+  lit.elements[3U] = v0_7.f3;
+  lit.elements[4U] = v0_7.f4;
+  lit.elements[5U] = v0_7.f5;
+  lit.elements[6U] = v0_7.f6;
+  lit.elements[7U] = v0_7.f7;
+  lit.elements[8U] = v8_15.fst;
+  lit.elements[9U] = v8_15.snd;
+  lit.elements[10U] = v8_15.thd;
+  lit.elements[11U] = v8_15.f3;
+  lit.elements[12U] = v8_15.f4;
+  lit.elements[13U] = v8_15.f5;
+  lit.elements[14U] = v8_15.f6;
+  lit.elements[15U] = v8_15.f7;
+  return lit;
+}
+
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_5(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_5_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a);
+libcrux_ml_kem_vector_portable_deserialize_5_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_5(a);
 }
 
 KRML_MUSTINLINE uint8_t_x5
@@ -1880,38 +2010,42 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_10(
   uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int(
       Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)16U,
                                   int16_t));
-  uint8_t result[20U] = {0U};
-  result[0U] = r0_4.fst;
-  result[1U] = r0_4.snd;
-  result[2U] = r0_4.thd;
-  result[3U] = r0_4.f3;
-  result[4U] = r0_4.f4;
-  result[5U] = r5_9.fst;
-  result[6U] = r5_9.snd;
-  result[7U] = r5_9.thd;
-  result[8U] = r5_9.f3;
-  result[9U] = r5_9.f4;
-  result[10U] = r10_14.fst;
-  result[11U] = r10_14.snd;
-  result[12U] = r10_14.thd;
-  result[13U] = r10_14.f3;
-  result[14U] = r10_14.f4;
-  result[15U] = r15_19.fst;
-  result[16U] = r15_19.snd;
-  result[17U] = r15_19.thd;
-  result[18U] = r15_19.f3;
-  result[19U] = r15_19.f4;
-  memcpy(ret, result, (size_t)20U * sizeof(uint8_t));
+  ret[0U] = r0_4.fst;
+  ret[1U] = r0_4.snd;
+  ret[2U] = r0_4.thd;
+  ret[3U] = r0_4.f3;
+  ret[4U] = r0_4.f4;
+  ret[5U] = r5_9.fst;
+  ret[6U] = r5_9.snd;
+  ret[7U] = r5_9.thd;
+  ret[8U] = r5_9.f3;
+  ret[9U] = r5_9.f4;
+  ret[10U] = r10_14.fst;
+  ret[11U] = r10_14.snd;
+  ret[12U] = r10_14.thd;
+  ret[13U] = r10_14.f3;
+  ret[14U] = r10_14.f4;
+  ret[15U] = r15_19.fst;
+  ret[16U] = r15_19.snd;
+  ret[17U] = r15_19.thd;
+  ret[18U] = r15_19.f3;
+  ret[19U] = r15_19.f4;
+}
+
+void libcrux_ml_kem_vector_portable_serialize_10(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[20U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_10_0d(
+void libcrux_ml_kem_vector_portable_serialize_10_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[20U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_10(a, ret);
 }
 
 KRML_MUSTINLINE int16_t_x8
@@ -1980,34 +2114,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) {
   int16_t_x8 v8_15 =
       libcrux_ml_kem_vector_portable_serialize_deserialize_10_int(
           Eurydice_slice_subslice2(bytes, (size_t)10U, (size_t)20U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  v.elements[0U] = v0_7.fst;
-  v.elements[1U] = v0_7.snd;
-  v.elements[2U] = v0_7.thd;
-  v.elements[3U] = v0_7.f3;
-  v.elements[4U] = v0_7.f4;
-  v.elements[5U] = v0_7.f5;
-  v.elements[6U] = v0_7.f6;
-  v.elements[7U] = v0_7.f7;
-  v.elements[8U] = v8_15.fst;
-  v.elements[9U] = v8_15.snd;
-  v.elements[10U] = v8_15.thd;
-  v.elements[11U] = v8_15.f3;
-  v.elements[12U] = v8_15.f4;
-  v.elements[13U] = v8_15.f5;
-  v.elements[14U] = v8_15.f6;
-  v.elements[15U] = v8_15.f7;
-  return v;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_7.fst;
+  lit.elements[1U] = v0_7.snd;
+  lit.elements[2U] = v0_7.thd;
+  lit.elements[3U] = v0_7.f3;
+  lit.elements[4U] = v0_7.f4;
+  lit.elements[5U] = v0_7.f5;
+  lit.elements[6U] = v0_7.f6;
+  lit.elements[7U] = v0_7.f7;
+  lit.elements[8U] = v8_15.fst;
+  lit.elements[9U] = v8_15.snd;
+  lit.elements[10U] = v8_15.thd;
+  lit.elements[11U] = v8_15.f3;
+  lit.elements[12U] = v8_15.f4;
+  lit.elements[13U] = v8_15.f5;
+  lit.elements[14U] = v8_15.f6;
+  lit.elements[15U] = v8_15.f7;
+  return lit;
+}
+
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_10_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a);
+libcrux_ml_kem_vector_portable_deserialize_10_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_10(a);
 }
 
 KRML_MUSTINLINE uint8_t_x3
@@ -2049,42 +2187,46 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_12(
   uint8_t_x3 r21_23 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
       Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U,
                                   int16_t));
-  uint8_t result[24U] = {0U};
-  result[0U] = r0_2.fst;
-  result[1U] = r0_2.snd;
-  result[2U] = r0_2.thd;
-  result[3U] = r3_5.fst;
-  result[4U] = r3_5.snd;
-  result[5U] = r3_5.thd;
-  result[6U] = r6_8.fst;
-  result[7U] = r6_8.snd;
-  result[8U] = r6_8.thd;
-  result[9U] = r9_11.fst;
-  result[10U] = r9_11.snd;
-  result[11U] = r9_11.thd;
-  result[12U] = r12_14.fst;
-  result[13U] = r12_14.snd;
-  result[14U] = r12_14.thd;
-  result[15U] = r15_17.fst;
-  result[16U] = r15_17.snd;
-  result[17U] = r15_17.thd;
-  result[18U] = r18_20.fst;
-  result[19U] = r18_20.snd;
-  result[20U] = r18_20.thd;
-  result[21U] = r21_23.fst;
-  result[22U] = r21_23.snd;
-  result[23U] = r21_23.thd;
-  memcpy(ret, result, (size_t)24U * sizeof(uint8_t));
+  ret[0U] = r0_2.fst;
+  ret[1U] = r0_2.snd;
+  ret[2U] = r0_2.thd;
+  ret[3U] = r3_5.fst;
+  ret[4U] = r3_5.snd;
+  ret[5U] = r3_5.thd;
+  ret[6U] = r6_8.fst;
+  ret[7U] = r6_8.snd;
+  ret[8U] = r6_8.thd;
+  ret[9U] = r9_11.fst;
+  ret[10U] = r9_11.snd;
+  ret[11U] = r9_11.thd;
+  ret[12U] = r12_14.fst;
+  ret[13U] = r12_14.snd;
+  ret[14U] = r12_14.thd;
+  ret[15U] = r15_17.fst;
+  ret[16U] = r15_17.snd;
+  ret[17U] = r15_17.thd;
+  ret[18U] = r18_20.fst;
+  ret[19U] = r18_20.snd;
+  ret[20U] = r18_20.thd;
+  ret[21U] = r21_23.fst;
+  ret[22U] = r21_23.snd;
+  ret[23U] = r21_23.thd;
+}
+
+void libcrux_ml_kem_vector_portable_serialize_12(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[24U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_12_0d(
+void libcrux_ml_kem_vector_portable_serialize_12_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[24U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_12(a, ret);
 }
 
 KRML_MUSTINLINE int16_t_x2
@@ -2122,34 +2264,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) {
   int16_t_x2 v14_15 =
       libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
           Eurydice_slice_subslice2(bytes, (size_t)21U, (size_t)24U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector re =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  re.elements[0U] = v0_1.fst;
-  re.elements[1U] = v0_1.snd;
-  re.elements[2U] = v2_3.fst;
-  re.elements[3U] = v2_3.snd;
-  re.elements[4U] = v4_5.fst;
-  re.elements[5U] = v4_5.snd;
-  re.elements[6U] = v6_7.fst;
-  re.elements[7U] = v6_7.snd;
-  re.elements[8U] = v8_9.fst;
-  re.elements[9U] = v8_9.snd;
-  re.elements[10U] = v10_11.fst;
-  re.elements[11U] = v10_11.snd;
-  re.elements[12U] = v12_13.fst;
-  re.elements[13U] = v12_13.snd;
-  re.elements[14U] = v14_15.fst;
-  re.elements[15U] = v14_15.snd;
-  return re;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_1.fst;
+  lit.elements[1U] = v0_1.snd;
+  lit.elements[2U] = v2_3.fst;
+  lit.elements[3U] = v2_3.snd;
+  lit.elements[4U] = v4_5.fst;
+  lit.elements[5U] = v4_5.snd;
+  lit.elements[6U] = v6_7.fst;
+  lit.elements[7U] = v6_7.snd;
+  lit.elements[8U] = v8_9.fst;
+  lit.elements[9U] = v8_9.snd;
+  lit.elements[10U] = v10_11.fst;
+  lit.elements[11U] = v10_11.snd;
+  lit.elements[12U] = v12_13.fst;
+  lit.elements[13U] = v12_13.snd;
+  lit.elements[14U] = v14_15.fst;
+  lit.elements[15U] = v14_15.snd;
+  return lit;
+}
+
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_12_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a);
+libcrux_ml_kem_vector_portable_deserialize_12_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_12(a);
 }
 
 KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample(
@@ -2214,9 +2360,9 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-size_t libcrux_ml_kem_vector_portable_rej_sample_0d(Eurydice_slice a,
+size_t libcrux_ml_kem_vector_portable_rej_sample_2c(Eurydice_slice a,
                                                     Eurydice_slice out) {
   return libcrux_ml_kem_vector_portable_sampling_rej_sample(a, out);
 }
@@ -2231,35 +2377,45 @@ libcrux_ml_kem_vector_portable_vector_type_clone_3b(
   return self[0U];
 }
 
+/**
+This function found in impl {(libcrux_ml_kem::vector::traits::Repr for
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+*/
+void libcrux_ml_kem_vector_portable_repr_94(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector x,
+    int16_t ret[16U]) {
+  libcrux_ml_kem_vector_portable_vector_type_to_i16_array(x, ret);
+}
+
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_ef
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_d6_8c(void) {
+static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_ef_96(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit;
-  lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_2c();
   return lit;
 }
 
@@ -2276,17 +2432,17 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-deserialize_to_reduced_ring_element_8c(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c();
+deserialize_to_reduced_ring_element_96(Eurydice_slice serialized) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_12_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(coefficient);
+        libcrux_ml_kem_vector_portable_cond_subtract_3329_2c(coefficient);
     re.coefficients[i0] = uu____0;
   }
   return re;
@@ -2299,10 +2455,9 @@ deserialize_to_reduced_ring_element_8c(Eurydice_slice serialized) {
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 1568
 - K= 4
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5f0(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_d0(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) {
   for (size_t i = (size_t)0U;
@@ -2316,7 +2471,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5f0(
             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        deserialize_to_reduced_ring_element_8c(ring_element);
+        deserialize_to_reduced_ring_element_96(ring_element);
     deserialized_pk[i0] = uu____0;
   }
 }
@@ -2331,16 +2486,15 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5f0(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 1568
 - K= 4
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_5f(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_d0(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  deserialized_pk[i] = ZERO_d6_8c(););
-  deserialize_ring_elements_reduced_5f0(public_key, deserialized_pk);
+                  deserialized_pk[i] = ZERO_ef_96(););
+  deserialize_ring_elements_reduced_d0(public_key, deserialized_pk);
   memcpy(
       ret, deserialized_pk,
       (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));
@@ -2352,26 +2506,26 @@ with const generics
 - SHIFT_BY= 15
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-shift_right_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+shift_right_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    v.elements[i0] = v.elements[i0] >> (uint32_t)(int32_t)15;
+    vec.elements[i0] = vec.elements[i0] >> (uint32_t)(int32_t)15;
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.shift_right_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.shift_right_2c
 with const generics
 - SHIFT_BY= 15
 */
 static libcrux_ml_kem_vector_portable_vector_type_PortableVector
-shift_right_0d_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+shift_right_2c_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
   return shift_right_ef(v);
 }
 
@@ -2382,14 +2536,26 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-to_unsigned_representative_8c(
+to_unsigned_representative_96(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
-      shift_right_0d_ef(a);
+      shift_right_2c_ef(a);
   libcrux_ml_kem_vector_portable_vector_type_PortableVector fm =
-      libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
+      libcrux_ml_kem_vector_portable_bitwise_and_with_constant_2c(
           t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
-  return libcrux_ml_kem_vector_portable_add_0d(a, &fm);
+  return libcrux_ml_kem_vector_portable_add_2c(a, &fm);
+}
+
+/**
+A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_modulus
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
+to_unsigned_field_modulus_96(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return to_unsigned_representative_96(a);
 }
 
 /**
@@ -2398,16 +2564,16 @@ libcrux_ml_kem.serialize.serialize_uncompressed_ring_element with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
-static KRML_MUSTINLINE void serialize_uncompressed_ring_element_8c(
+static KRML_MUSTINLINE void serialize_uncompressed_ring_element_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[384U]) {
   uint8_t serialized[384U] = {0U};
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        to_unsigned_representative_8c(re->coefficients[i0]);
+        to_unsigned_field_modulus_96(re->coefficients[i0]);
     uint8_t bytes[24U];
-    libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes);
+    libcrux_ml_kem_vector_portable_serialize_12_2c(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t);
     Eurydice_slice_copy(
@@ -2444,7 +2610,7 @@ static KRML_MUSTINLINE void serialize_secret_key_ff(
         (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     uint8_t ret0[384U];
-    serialize_uncompressed_ring_element_8c(&re, ret0);
+    serialize_uncompressed_ring_element_96(&re, ret0);
     Eurydice_slice_copy(
         uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t);
   }
@@ -2513,7 +2679,7 @@ with const generics
 */
 bool libcrux_ml_kem_ind_cca_validate_public_key_00(uint8_t *public_key) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[4U];
-  deserialize_ring_elements_reduced_out_5f(
+  deserialize_ring_elements_reduced_out_d0(
       Eurydice_array_to_subslice_to((size_t)1568U, public_key, (size_t)1536U,
                                     uint8_t, size_t),
       deserialized_pk);
@@ -2611,10 +2777,10 @@ with const generics
 */
 static IndCpaPrivateKeyUnpacked_af default_1a_d0(void) {
   IndCpaPrivateKeyUnpacked_af lit;
-  lit.secret_as_ntt[0U] = ZERO_d6_8c();
-  lit.secret_as_ntt[1U] = ZERO_d6_8c();
-  lit.secret_as_ntt[2U] = ZERO_d6_8c();
-  lit.secret_as_ntt[3U] = ZERO_d6_8c();
+  lit.secret_as_ntt[0U] = ZERO_ef_96();
+  lit.secret_as_ntt[1U] = ZERO_ef_96();
+  lit.secret_as_ntt[2U] = ZERO_ef_96();
+  lit.secret_as_ntt[3U] = ZERO_ef_96();
   return lit;
 }
 
@@ -2644,29 +2810,29 @@ with const generics
 static IndCpaPublicKeyUnpacked_af default_8d_d0(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  uu____0[i] = ZERO_d6_8c(););
+                  uu____0[i] = ZERO_ef_96(););
   uint8_t uu____1[32U] = {0U};
   IndCpaPublicKeyUnpacked_af lit;
   memcpy(
       lit.t_as_ntt, uu____0,
       (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));
   memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t));
-  lit.A[0U][0U] = ZERO_d6_8c();
-  lit.A[0U][1U] = ZERO_d6_8c();
-  lit.A[0U][2U] = ZERO_d6_8c();
-  lit.A[0U][3U] = ZERO_d6_8c();
-  lit.A[1U][0U] = ZERO_d6_8c();
-  lit.A[1U][1U] = ZERO_d6_8c();
-  lit.A[1U][2U] = ZERO_d6_8c();
-  lit.A[1U][3U] = ZERO_d6_8c();
-  lit.A[2U][0U] = ZERO_d6_8c();
-  lit.A[2U][1U] = ZERO_d6_8c();
-  lit.A[2U][2U] = ZERO_d6_8c();
-  lit.A[2U][3U] = ZERO_d6_8c();
-  lit.A[3U][0U] = ZERO_d6_8c();
-  lit.A[3U][1U] = ZERO_d6_8c();
-  lit.A[3U][2U] = ZERO_d6_8c();
-  lit.A[3U][3U] = ZERO_d6_8c();
+  lit.A[0U][0U] = ZERO_ef_96();
+  lit.A[0U][1U] = ZERO_ef_96();
+  lit.A[0U][2U] = ZERO_ef_96();
+  lit.A[0U][3U] = ZERO_ef_96();
+  lit.A[1U][0U] = ZERO_ef_96();
+  lit.A[1U][1U] = ZERO_ef_96();
+  lit.A[1U][2U] = ZERO_ef_96();
+  lit.A[1U][3U] = ZERO_ef_96();
+  lit.A[2U][0U] = ZERO_ef_96();
+  lit.A[2U][1U] = ZERO_ef_96();
+  lit.A[2U][2U] = ZERO_ef_96();
+  lit.A[2U][3U] = ZERO_ef_96();
+  lit.A[3U][0U] = ZERO_ef_96();
+  lit.A[3U][1U] = ZERO_ef_96();
+  lit.A[3U][2U] = ZERO_ef_96();
+  lit.A[3U][3U] = ZERO_ef_96();
   return lit;
 }
 
@@ -2719,11 +2885,12 @@ typedef struct PortableHash_44_s {
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_init_absorb with const generics
+libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const
+generics
 - K= 4
 */
 static KRML_MUSTINLINE PortableHash_44
-shake128_init_absorb_ac(uint8_t input[4U][34U]) {
+shake128_init_absorb_final_ac(uint8_t input[4U][34U]) {
   libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[4U];
   KRML_MAYBE_FOR4(
       i, (size_t)0U, (size_t)4U, (size_t)1U,
@@ -2749,25 +2916,25 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_f1 with const
+libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_f1 with const
 generics
 - K= 4
 */
 static KRML_MUSTINLINE PortableHash_44
-shake128_init_absorb_f1_ac(uint8_t input[4U][34U]) {
+shake128_init_absorb_final_f1_ac(uint8_t input[4U][34U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_input[4U][34U];
   memcpy(copy_of_input, input, (size_t)4U * sizeof(uint8_t[34U]));
-  return shake128_init_absorb_ac(copy_of_input);
+  return shake128_init_absorb_final_ac(copy_of_input);
 }
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks with const
-generics
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with
+const generics
 - K= 4
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_ac(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_ac(
     PortableHash_44 *st, uint8_t ret[4U][504U]) {
   uint8_t out[4U][504U] = {{0U}};
   KRML_MAYBE_FOR4(
@@ -2784,13 +2951,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks_f1 with
-const generics
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_f1
+with const generics
 - K= 4
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_f1_ac(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_f1_ac(
     PortableHash_44 *self, uint8_t ret[4U][504U]) {
-  shake128_squeeze_three_blocks_ac(self, ret);
+  shake128_squeeze_first_three_blocks_ac(self, ret);
 }
 
 /**
@@ -2853,7 +3020,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ff(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
+          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_2c(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -2875,12 +3042,12 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ff(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block with const
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const
 generics
 - K= 4
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_ac(PortableHash_44 *st,
-                                                      uint8_t ret[4U][168U]) {
+static KRML_MUSTINLINE void shake128_squeeze_next_block_ac(
+    PortableHash_44 *st, uint8_t ret[4U][168U]) {
   uint8_t out[4U][168U] = {{0U}};
   KRML_MAYBE_FOR4(
       i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
@@ -2896,13 +3063,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block_f1 with const
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_f1 with const
 generics
 - K= 4
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_f1_ac(
+static KRML_MUSTINLINE void shake128_squeeze_next_block_f1_ac(
     PortableHash_44 *self, uint8_t ret[4U][168U]) {
-  shake128_squeeze_block_ac(self, ret);
+  shake128_squeeze_next_block_ac(self, ret);
 }
 
 /**
@@ -2965,7 +3132,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ff0(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
+          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_2c(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -2986,24 +3153,46 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ff0(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
 */
+static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_96(void) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit;
+  lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  return lit;
+}
+
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-from_i16_array_d6_8c(Eurydice_slice a) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c();
+from_i16_array_96(Eurydice_slice a) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_96();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_from_i16_array_0d(
+        libcrux_ml_kem_vector_portable_from_i16_array_2c(
             Eurydice_slice_subslice2(a, i0 * (size_t)16U,
                                      (i0 + (size_t)1U) * (size_t)16U, int16_t));
     result.coefficients[i0] = uu____0;
@@ -3011,6 +3200,22 @@ from_i16_array_d6_8c(Eurydice_slice a) {
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+from_i16_array_ef_96(Eurydice_slice a) {
+  return from_i16_array_96(a);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.closure
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -3020,7 +3225,7 @@ generics
 */
 static libcrux_ml_kem_polynomial_PolynomialRingElement_1d closure_2b(
     int16_t s[272U]) {
-  return from_i16_array_d6_8c(
+  return from_i16_array_ef_96(
       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
 }
 
@@ -3039,9 +3244,9 @@ static KRML_MUSTINLINE void sample_from_xof_2b(
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_seeds[4U][34U];
   memcpy(copy_of_seeds, seeds, (size_t)4U * sizeof(uint8_t[34U]));
-  PortableHash_44 xof_state = shake128_init_absorb_f1_ac(copy_of_seeds);
+  PortableHash_44 xof_state = shake128_init_absorb_final_f1_ac(copy_of_seeds);
   uint8_t randomness0[4U][504U];
-  shake128_squeeze_three_blocks_f1_ac(&xof_state, randomness0);
+  shake128_squeeze_first_three_blocks_f1_ac(&xof_state, randomness0);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness0[4U][504U];
   memcpy(copy_of_randomness0, randomness0, (size_t)4U * sizeof(uint8_t[504U]));
@@ -3052,7 +3257,7 @@ static KRML_MUSTINLINE void sample_from_xof_2b(
       break;
     } else {
       uint8_t randomness[4U][168U];
-      shake128_squeeze_block_f1_ac(&xof_state, randomness);
+      shake128_squeeze_next_block_f1_ac(&xof_state, randomness);
       /* Passing arrays by value in Rust generates a copy in C */
       uint8_t copy_of_randomness[4U][168U];
       memcpy(copy_of_randomness, randomness,
@@ -3202,7 +3407,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-sample_from_binomial_distribution_2_8c(Eurydice_slice randomness) {
+sample_from_binomial_distribution_2_96(Eurydice_slice randomness) {
   int16_t sampled_i16s[256U] = {0U};
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) {
@@ -3236,7 +3441,7 @@ sample_from_binomial_distribution_2_8c(Eurydice_slice randomness) {
       sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2;
     }
   }
-  return from_i16_array_d6_8c(
+  return from_i16_array_ef_96(
       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
 }
 
@@ -3247,7 +3452,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-sample_from_binomial_distribution_3_8c(Eurydice_slice randomness) {
+sample_from_binomial_distribution_3_96(Eurydice_slice randomness) {
   int16_t sampled_i16s[256U] = {0U};
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i0++) {
@@ -3280,7 +3485,7 @@ sample_from_binomial_distribution_3_8c(Eurydice_slice randomness) {
       sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2;
     }
   }
-  return from_i16_array_d6_8c(
+  return from_i16_array_ef_96(
       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
 }
 
@@ -3292,7 +3497,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 sample_from_binomial_distribution_a0(Eurydice_slice randomness) {
-  return sample_from_binomial_distribution_2_8c(randomness);
+  return sample_from_binomial_distribution_2_96(randomness);
 }
 
 /**
@@ -3301,18 +3506,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void ntt_at_layer_7_8c(
+static KRML_MUSTINLINE void ntt_at_layer_7_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U;
   for (size_t i = (size_t)0U; i < step; i++) {
     size_t j = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
-        libcrux_ml_kem_vector_portable_multiply_by_constant_0d(
+        libcrux_ml_kem_vector_portable_multiply_by_constant_2c(
             re->coefficients[j + step], (int16_t)-1600);
     re->coefficients[j + step] =
-        libcrux_ml_kem_vector_portable_sub_0d(re->coefficients[j], &t);
+        libcrux_ml_kem_vector_portable_sub_2c(re->coefficients[j], &t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 =
-        libcrux_ml_kem_vector_portable_add_0d(re->coefficients[j], &t);
+        libcrux_ml_kem_vector_portable_add_2c(re->coefficients[j], &t);
     re->coefficients[j] = uu____1;
   }
 }
@@ -3329,9 +3534,9 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-montgomery_multiply_fe_8c(
+montgomery_multiply_fe_96(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t fer) {
-  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(v,
+  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(v,
                                                                            fer);
 }
 
@@ -3343,14 +3548,14 @@ with const generics
 */
 static KRML_MUSTINLINE
     libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2
-    ntt_layer_int_vec_step_8c(
+    ntt_layer_int_vec_step_96(
         libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
         libcrux_ml_kem_vector_portable_vector_type_PortableVector b,
         int16_t zeta_r) {
   libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
-      montgomery_multiply_fe_8c(b, zeta_r);
-  b = libcrux_ml_kem_vector_portable_sub_0d(a, &t);
-  a = libcrux_ml_kem_vector_portable_add_0d(a, &t);
+      montgomery_multiply_fe_96(b, zeta_r);
+  b = libcrux_ml_kem_vector_portable_sub_2c(a, &t);
+  a = libcrux_ml_kem_vector_portable_add_2c(a, &t);
   return (
       CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){
           .fst = a, .snd = b});
@@ -3362,7 +3567,7 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void ntt_at_layer_4_plus_8c(
+static KRML_MUSTINLINE void ntt_at_layer_4_plus_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
     size_t layer) {
   size_t step = (size_t)1U << (uint32_t)layer;
@@ -3375,9 +3580,9 @@ static KRML_MUSTINLINE void ntt_at_layer_4_plus_8c(
     for (size_t i = offset_vec; i < offset_vec + step_vec; i++) {
       size_t j = i;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 =
-          ntt_layer_int_vec_step_8c(
-              re->coefficients[j], re->coefficients[j + step_vec],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+          ntt_layer_int_vec_step_96(re->coefficients[j],
+                                    re->coefficients[j + step_vec],
+                                    libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd;
       re->coefficients[j] = x;
@@ -3392,15 +3597,15 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void ntt_at_layer_3_8c(
+static KRML_MUSTINLINE void ntt_at_layer_3_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] + (size_t)1U;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-          libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d(
+          libcrux_ml_kem_vector_portable_ntt_layer_3_step_2c(
               re->coefficients[round],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       re->coefficients[round] = uu____0;);
 }
 
@@ -3410,17 +3615,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void ntt_at_layer_2_8c(
+static KRML_MUSTINLINE void ntt_at_layer_2_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] + (size_t)1U;
       re->coefficients[round] =
-          libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
+          libcrux_ml_kem_vector_portable_ntt_layer_2_step_2c(
               re->coefficients[round],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                                 (size_t)1U]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U));
       zeta_i[0U] = zeta_i[0U] + (size_t)1U;);
 }
 
@@ -3430,64 +3634,72 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void ntt_at_layer_1_8c(
+static KRML_MUSTINLINE void ntt_at_layer_1_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] + (size_t)1U;
       re->coefficients[round] =
-          libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
+          libcrux_ml_kem_vector_portable_ntt_layer_1_step_2c(
               re->coefficients[round],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                                 (size_t)1U],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                                 (size_t)2U],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                                 (size_t)3U]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U));
       zeta_i[0U] = zeta_i[0U] + (size_t)3U;);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void poly_barrett_reduce_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) {
+static KRML_MUSTINLINE void poly_barrett_reduce_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            self->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+            myself->coefficients[i0]);
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void poly_barrett_reduce_ef_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) {
+  poly_barrett_reduce_96(self);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.ntt.ntt_binomially_sampled_ring_element
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_8c(
+static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
-  ntt_at_layer_7_8c(re);
+  ntt_at_layer_7_96(re);
   size_t zeta_i = (size_t)1U;
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U);
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U);
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U);
-  ntt_at_layer_3_8c(&zeta_i, re);
-  ntt_at_layer_2_8c(&zeta_i, re);
-  ntt_at_layer_1_8c(&zeta_i, re);
-  poly_barrett_reduce_d6_8c(re);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)6U);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)5U);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)4U);
+  ntt_at_layer_3_96(&zeta_i, re);
+  ntt_at_layer_2_96(&zeta_i, re);
+  ntt_at_layer_1_96(&zeta_i, re);
+  poly_barrett_reduce_ef_96(re);
 }
 
 /**
@@ -3513,16 +3725,15 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_3b(
   KRML_MAYBE_FOR4(
       i, (size_t)0U, (size_t)4U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_ac(prf_inputs, domain_separator);
   uint8_t prf_outputs[4U][128U];
   PRFxN_f1_44(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR4(
       i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
       re_as_ntt[i0] = sample_from_binomial_distribution_a0(
           Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t));
-      ntt_binomially_sampled_ring_element_8c(&re_as_ntt[i0]););
+      ntt_binomially_sampled_ring_element_96(&re_as_ntt[i0]););
   return domain_separator;
 }
 
@@ -3550,7 +3761,7 @@ static KRML_MUSTINLINE tuple_dd0 sample_vector_cbd_then_ntt_out_3b(
     uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re_as_ntt[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  re_as_ntt[i] = ZERO_d6_8c(););
+                  re_as_ntt[i] = ZERO_ef_96(););
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = re_as_ntt;
   uint8_t uu____1[33U];
   memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -3597,75 +3808,95 @@ static KRML_MUSTINLINE tuple_dd0 sample_vector_cbd_then_ntt_out_3b(
  <https://csrc.nist.gov/pubs/fips/203/ipd>.
 */
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-ntt_multiply_d6_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
-                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = ZERO_d6_8c();
+ntt_multiply_96(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
+                libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = ZERO_96();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_ntt_multiply_0d(
-            &self->coefficients[i0], &rhs->coefficients[i0],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                               (size_t)4U * i0],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                               (size_t)4U * i0 +
-                                                               (size_t)1U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                               (size_t)4U * i0 +
-                                                               (size_t)2U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                               (size_t)4U * i0 +
-                                                               (size_t)3U]);
+        libcrux_ml_kem_vector_portable_ntt_multiply_2c(
+            &myself->coefficients[i0], &rhs->coefficients[i0],
+            libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0),
+            libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                           (size_t)1U),
+            libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                           (size_t)2U),
+            libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                           (size_t)3U));
     out.coefficients[i0] = uu____0;
   }
   return out;
 }
 
-/**
- Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
- sum of their constituent coefficients.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+ntt_multiply_ef_96(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  return ntt_multiply_96(self, rhs);
+}
+
+/**
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 4
 */
-static KRML_MUSTINLINE void add_to_ring_element_d6_d0(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_to_ring_element_d0(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice(
-                   (size_t)16U, self->coefficients,
+                   (size_t)16U, myself->coefficients,
                    libcrux_ml_kem_vector_portable_vector_type_PortableVector),
                libcrux_ml_kem_vector_portable_vector_type_PortableVector);
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_2c(myself->coefficients[i0],
                                               &rhs->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 4
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_d0(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  add_to_ring_element_d0(self, rhs);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.vector.traits.to_standard_domain
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
@@ -3673,39 +3904,52 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-to_standard_domain_8c(
+to_standard_domain_96(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
+  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
       v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void add_standard_error_reduce_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_standard_error_reduce_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
-        coefficient_normal_form = to_standard_domain_8c(self->coefficients[j]);
+        coefficient_normal_form =
+            to_standard_domain_96(myself->coefficients[j]);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+            libcrux_ml_kem_vector_portable_add_2c(coefficient_normal_form,
                                                   &error->coefficients[j]));
-    self->coefficients[j] = uu____0;
+    myself->coefficients[j] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void add_standard_error_reduce_ef_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
+  add_standard_error_reduce_96(self, error);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -3729,7 +3973,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_d0(
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0];
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_8c();
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_ef_96();
     t_as_ntt[i0] = uu____0;
     for (size_t i1 = (size_t)0U;
          i1 < Eurydice_slice_len(
@@ -3742,10 +3986,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_d0(
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element =
           &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-          ntt_multiply_d6_8c(matrix_element, &s_as_ntt[j]);
-      add_to_ring_element_d6_d0(&t_as_ntt[i0], &product);
+          ntt_multiply_ef_96(matrix_element, &s_as_ntt[j]);
+      add_to_ring_element_ef_d0(&t_as_ntt[i0], &product);
     }
-    add_standard_error_reduce_d6_8c(&t_as_ntt[i0], &error_as_ntt[i0]);
+    add_standard_error_reduce_ef_96(&t_as_ntt[i0], &error_as_ntt[i0]);
   }
 }
 
@@ -3952,9 +4196,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_mut_60(
       implicit_rejection_value, uint8_t);
 }
 
-/**
- Serialize the secret key.
-*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key
 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]]
@@ -3988,7 +4229,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - CPA_PRIVATE_KEY_SIZE= 1536
 - PRIVATE_KEY_SIZE= 3168
 - PUBLIC_KEY_SIZE= 1568
-- BYTES_PER_RING_ELEMENT= 1536
+- RANKED_BYTES_PER_RING_ELEMENT= 1536
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -4017,60 +4258,31 @@ libcrux_ml_kem_ind_cca_generate_keypair_f81(uint8_t randomness[64U]) {
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)3168U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_83 private_key =
-      libcrux_ml_kem_types_from_88_39(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_39(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_83 uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[1568U];
   memcpy(copy_of_public_key, public_key, (size_t)1568U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_94(
-      uu____2, libcrux_ml_kem_types_from_40_af(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_94(
+      uu____2, libcrux_ml_kem_types_from_5f_af(copy_of_public_key));
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::variant::Variant for
-libcrux_ml_kem::variant::MlKem)}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.variant.entropy_preprocess_d8
-with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]]
-with const generics
-- K= 4
-*/
-static KRML_MUSTINLINE void entropy_preprocess_d8_03(Eurydice_slice randomness,
-                                                     uint8_t ret[32U]) {
-  uint8_t out[32U] = {0U};
-  Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
-                      randomness, uint8_t);
-  memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
-}
-
-/**
- See [deserialize_ring_elements_reduced_out].
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
-libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 1536
-- K= 4
-*/
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_0d(
-    Eurydice_slice public_key,
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) {
-  for (size_t i = (size_t)0U;
-       i < Eurydice_slice_len(public_key, uint8_t) /
-               LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
-       i++) {
-    size_t i0 = i;
-    Eurydice_slice ring_element = Eurydice_slice_subslice2(
-        public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
-            LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        uint8_t);
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        deserialize_to_reduced_ring_element_8c(ring_element);
-    deserialized_pk[i0] = uu____0;
-  }
+libcrux_ml_kem::variant::MlKem)}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.variant.entropy_preprocess_d8
+with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]]
+with const generics
+- K= 4
+*/
+static KRML_MUSTINLINE void entropy_preprocess_d8_03(Eurydice_slice randomness,
+                                                     uint8_t ret[32U]) {
+  uint8_t out[32U] = {0U};
+  Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
+                      randomness, uint8_t);
+  memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
 
 /**
@@ -4081,12 +4293,12 @@ generics
 - K= 4
 - T_AS_NTT_ENCODED_SIZE= 1536
 */
-static void build_unpacked_public_key_mut_3f(
+static KRML_MUSTINLINE void build_unpacked_public_key_mut_3f(
     Eurydice_slice public_key,
     IndCpaPublicKeyUnpacked_af *unpacked_public_key) {
   Eurydice_slice uu____0 =
       Eurydice_slice_subslice_to(public_key, (size_t)1536U, uint8_t, size_t);
-  deserialize_ring_elements_reduced_0d(uu____0, unpacked_public_key->t_as_ntt);
+  deserialize_ring_elements_reduced_d0(uu____0, unpacked_public_key->t_as_ntt);
   Eurydice_slice seed =
       Eurydice_slice_subslice_from(public_key, (size_t)1536U, uint8_t, size_t);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[4U] =
@@ -4104,8 +4316,8 @@ generics
 - K= 4
 - T_AS_NTT_ENCODED_SIZE= 1536
 */
-static IndCpaPublicKeyUnpacked_af build_unpacked_public_key_3f1(
-    Eurydice_slice public_key) {
+static KRML_MUSTINLINE IndCpaPublicKeyUnpacked_af
+build_unpacked_public_key_3f1(Eurydice_slice public_key) {
   IndCpaPublicKeyUnpacked_af unpacked_public_key = default_8d_d0();
   build_unpacked_public_key_mut_3f(public_key, &unpacked_public_key);
   return unpacked_public_key;
@@ -4127,7 +4339,7 @@ static KRML_MUSTINLINE tuple_dd0
 sample_ring_element_cbd_3b(uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  error_1[i] = ZERO_d6_8c(););
+                  error_1[i] = ZERO_ef_96(););
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_prf_input[33U];
   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -4135,9 +4347,8 @@ sample_ring_element_cbd_3b(uint8_t prf_input[33U], uint8_t domain_separator) {
   KRML_MAYBE_FOR4(
       i, (size_t)0U, (size_t)4U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_ac(prf_inputs, domain_separator);
   uint8_t prf_outputs[4U][128U];
   PRFxN_f1_44(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR4(
@@ -4192,21 +4403,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void invert_ntt_at_layer_1_8c(
+static KRML_MUSTINLINE void invert_ntt_at_layer_1_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] - (size_t)1U;
       re->coefficients[round] =
-          libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d(
+          libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_2c(
               re->coefficients[round],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                                 (size_t)1U],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                                 (size_t)2U],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                                 (size_t)3U]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U));
       zeta_i[0U] = zeta_i[0U] - (size_t)3U;);
 }
 
@@ -4216,17 +4424,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void invert_ntt_at_layer_2_8c(
+static KRML_MUSTINLINE void invert_ntt_at_layer_2_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] - (size_t)1U;
       re->coefficients[round] =
-          libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d(
+          libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_2c(
               re->coefficients[round],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                                 (size_t)1U]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U));
       zeta_i[0U] = zeta_i[0U] - (size_t)1U;);
 }
 
@@ -4236,15 +4443,15 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void invert_ntt_at_layer_3_8c(
+static KRML_MUSTINLINE void invert_ntt_at_layer_3_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i;
       zeta_i[0U] = zeta_i[0U] - (size_t)1U;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-          libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d(
+          libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_2c(
               re->coefficients[round],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       re->coefficients[round] = uu____0;);
 }
 
@@ -4256,15 +4463,15 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 */
 static KRML_MUSTINLINE
     libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2
-    inv_ntt_layer_int_vec_step_reduce_8c(
+    inv_ntt_layer_int_vec_step_reduce_96(
         libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
         libcrux_ml_kem_vector_portable_vector_type_PortableVector b,
         int16_t zeta_r) {
   libcrux_ml_kem_vector_portable_vector_type_PortableVector a_minus_b =
-      libcrux_ml_kem_vector_portable_sub_0d(b, &a);
-  a = libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-      libcrux_ml_kem_vector_portable_add_0d(a, &b));
-  b = montgomery_multiply_fe_8c(a_minus_b, zeta_r);
+      libcrux_ml_kem_vector_portable_sub_2c(b, &a);
+  a = libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+      libcrux_ml_kem_vector_portable_add_2c(a, &b));
+  b = montgomery_multiply_fe_96(a_minus_b, zeta_r);
   return (
       CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){
           .fst = a, .snd = b});
@@ -4276,7 +4483,7 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_8c(
+static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
     size_t layer) {
   size_t step = (size_t)1U << (uint32_t)layer;
@@ -4291,9 +4498,9 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_8c(
     for (size_t i = offset_vec; i < offset_vec + step_vec; i++) {
       size_t j = i;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 =
-          inv_ntt_layer_int_vec_step_reduce_8c(
+          inv_ntt_layer_int_vec_step_reduce_96(
               re->coefficients[j], re->coefficients[j + step_vec],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd;
       re->coefficients[j] = x;
@@ -4312,45 +4519,57 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_d0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   size_t zeta_i =
       LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U;
-  invert_ntt_at_layer_1_8c(&zeta_i, re);
-  invert_ntt_at_layer_2_8c(&zeta_i, re);
-  invert_ntt_at_layer_3_8c(&zeta_i, re);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U);
-  poly_barrett_reduce_d6_8c(re);
+  invert_ntt_at_layer_1_96(&zeta_i, re);
+  invert_ntt_at_layer_2_96(&zeta_i, re);
+  invert_ntt_at_layer_3_96(&zeta_i, re);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)4U);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)5U);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)6U);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)7U);
+  poly_barrett_reduce_ef_96(re);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void add_error_reduce_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_error_reduce_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
-            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
-                self->coefficients[j], (int16_t)1441);
+            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
+                myself->coefficients[j], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+            libcrux_ml_kem_vector_portable_add_2c(coefficient_normal_form,
                                                   &error->coefficients[j]));
-    self->coefficients[j] = uu____0;
+    myself->coefficients[j] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void add_error_reduce_ef_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
+  add_error_reduce_96(self, error);
+}
+
 /**
  Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 */
@@ -4367,7 +4586,7 @@ static KRML_MUSTINLINE void compute_vector_u_d0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  result[i] = ZERO_d6_8c(););
+                  result[i] = ZERO_ef_96(););
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(
                 Eurydice_array_to_slice(
@@ -4387,11 +4606,11 @@ static KRML_MUSTINLINE void compute_vector_u_d0(
       size_t j = i;
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-          ntt_multiply_d6_8c(a_element, &r_as_ntt[j]);
-      add_to_ring_element_d6_d0(&result[i1], &product);
+          ntt_multiply_ef_96(a_element, &r_as_ntt[j]);
+      add_to_ring_element_ef_d0(&result[i1], &product);
     }
     invert_ntt_montgomery_d0(&result[i1]);
-    add_error_reduce_d6_8c(&result[i1], &error_1[i1]);
+    add_error_reduce_ef_96(&result[i1], &error_1[i1]);
   }
   memcpy(
       ret, result,
@@ -4405,11 +4624,15 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-decompress_1_8c(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-      libcrux_ml_kem_vector_portable_ZERO_0d();
-  return libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
-      libcrux_ml_kem_vector_portable_sub_0d(uu____0, &v), (int16_t)1665);
+decompress_1_96(libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) {
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector z =
+      libcrux_ml_kem_vector_portable_ZERO_2c();
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector s =
+      libcrux_ml_kem_vector_portable_sub_2c(z, &vec);
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector res =
+      libcrux_ml_kem_vector_portable_bitwise_and_with_constant_2c(
+          s, (int16_t)1665);
+  return res;
 }
 
 /**
@@ -4419,36 +4642,31 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-deserialize_then_decompress_message_8c(uint8_t serialized[32U]) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c();
+deserialize_then_decompress_message_96(uint8_t serialized[32U]) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_96();
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector
           coefficient_compressed =
-              libcrux_ml_kem_vector_portable_deserialize_1_0d(
+              libcrux_ml_kem_vector_portable_deserialize_1_2c(
                   Eurydice_array_to_subslice2(serialized, (size_t)2U * i0,
                                               (size_t)2U * i0 + (size_t)2U,
                                               uint8_t));
       libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-          decompress_1_8c(coefficient_compressed);
+          decompress_1_96(coefficient_compressed);
       re.coefficients[i0] = uu____0;);
   return re;
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-add_message_error_reduce_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+add_message_error_reduce_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) {
   for (size_t i = (size_t)0U;
@@ -4456,20 +4674,39 @@ add_message_error_reduce_d6_8c(
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
-            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
+            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
                 result.coefficients[i0], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_2c(myself->coefficients[i0],
                                               &message->coefficients[i0]);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp0 =
-        libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form, &tmp);
+        libcrux_ml_kem_vector_portable_add_2c(coefficient_normal_form, &tmp);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(tmp0);
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(tmp0);
     result.coefficients[i0] = uu____0;
   }
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+add_message_error_reduce_ef_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) {
+  return add_message_error_reduce_96(self, message, result);
+}
+
 /**
  Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 */
@@ -4485,13 +4722,13 @@ compute_ring_element_v_d0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_96();
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-                      ntt_multiply_d6_8c(&t_as_ntt[i0], &r_as_ntt[i0]);
-                  add_to_ring_element_d6_d0(&result, &product););
+                      ntt_multiply_ef_96(&t_as_ntt[i0], &r_as_ntt[i0]);
+                  add_to_ring_element_ef_d0(&result, &product););
   invert_ntt_montgomery_d0(&result);
-  result = add_message_error_reduce_d6_8c(error_2, message, result);
+  result = add_message_error_reduce_ef_96(error_2, message, result);
   return result;
 }
 
@@ -4501,30 +4738,30 @@ with const generics
 - COEFFICIENT_BITS= 10
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-compress_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+compress_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     int16_t uu____0 =
         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
-            (uint8_t)(int32_t)10, (uint16_t)v.elements[i0]);
-    v.elements[i0] = uu____0;
+            (uint8_t)(int32_t)10, (uint16_t)a.elements[i0]);
+    a.elements[i0] = uu____0;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.compress_2c
 with const generics
 - COEFFICIENT_BITS= 10
 */
-static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_0d_ef(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return compress_ef(v);
+static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_2c_ef(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return compress_ef(a);
 }
 
 /**
@@ -4533,30 +4770,30 @@ with const generics
 - COEFFICIENT_BITS= 11
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-compress_c4(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+compress_c4(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     int16_t uu____0 =
         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
-            (uint8_t)(int32_t)11, (uint16_t)v.elements[i0]);
-    v.elements[i0] = uu____0;
+            (uint8_t)(int32_t)11, (uint16_t)a.elements[i0]);
+    a.elements[i0] = uu____0;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.compress_2c
 with const generics
 - COEFFICIENT_BITS= 11
 */
-static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_0d_c4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return compress_c4(v);
+static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_2c_c4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return compress_c4(a);
 }
 
 /**
@@ -4572,9 +4809,9 @@ static KRML_MUSTINLINE void compress_then_serialize_11_54(
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        compress_0d_c4(to_unsigned_representative_8c(re->coefficients[i0]));
+        compress_2c_c4(to_unsigned_representative_96(re->coefficients[i0]));
     uint8_t bytes[22U];
-    libcrux_ml_kem_vector_portable_serialize_11_0d(coefficient, bytes);
+    libcrux_ml_kem_vector_portable_serialize_11_2c(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t);
     Eurydice_slice_copy(
@@ -4637,30 +4874,30 @@ with const generics
 - COEFFICIENT_BITS= 4
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-compress_d1(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+compress_d1(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     int16_t uu____0 =
         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
-            (uint8_t)(int32_t)4, (uint16_t)v.elements[i0]);
-    v.elements[i0] = uu____0;
+            (uint8_t)(int32_t)4, (uint16_t)a.elements[i0]);
+    a.elements[i0] = uu____0;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.compress_2c
 with const generics
 - COEFFICIENT_BITS= 4
 */
-static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_0d_d1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return compress_d1(v);
+static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_2c_d1(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return compress_d1(a);
 }
 
 /**
@@ -4669,16 +4906,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void compress_then_serialize_4_8c(
+static KRML_MUSTINLINE void compress_then_serialize_4_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d re,
     Eurydice_slice serialized) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        compress_0d_d1(to_unsigned_representative_8c(re.coefficients[i0]));
+        compress_2c_d1(to_unsigned_field_modulus_96(re.coefficients[i0]));
     uint8_t bytes[8U];
-    libcrux_ml_kem_vector_portable_serialize_4_0d(coefficient, bytes);
+    libcrux_ml_kem_vector_portable_serialize_4_2c(coefficient, bytes);
     Eurydice_slice_copy(
         Eurydice_slice_subslice2(serialized, (size_t)8U * i0,
                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
@@ -4692,30 +4929,30 @@ with const generics
 - COEFFICIENT_BITS= 5
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-compress_f4(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+compress_f4(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     int16_t uu____0 =
         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
-            (uint8_t)(int32_t)5, (uint16_t)v.elements[i0]);
-    v.elements[i0] = uu____0;
+            (uint8_t)(int32_t)5, (uint16_t)a.elements[i0]);
+    a.elements[i0] = uu____0;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.compress_2c
 with const generics
 - COEFFICIENT_BITS= 5
 */
-static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_0d_f4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return compress_f4(v);
+static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_2c_f4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return compress_f4(a);
 }
 
 /**
@@ -4724,16 +4961,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void compress_then_serialize_5_8c(
+static KRML_MUSTINLINE void compress_then_serialize_5_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d re,
     Eurydice_slice serialized) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients =
-        compress_0d_f4(to_unsigned_representative_8c(re.coefficients[i0]));
+        compress_2c_f4(to_unsigned_representative_96(re.coefficients[i0]));
     uint8_t bytes[10U];
-    libcrux_ml_kem_vector_portable_serialize_5_0d(coefficients, bytes);
+    libcrux_ml_kem_vector_portable_serialize_5_2c(coefficients, bytes);
     Eurydice_slice_copy(
         Eurydice_slice_subslice2(serialized, (size_t)10U * i0,
                                  (size_t)10U * i0 + (size_t)10U, uint8_t),
@@ -4745,12 +4982,13 @@ static KRML_MUSTINLINE void compress_then_serialize_5_8c(
 A monomorphic instance of
 libcrux_ml_kem.serialize.compress_then_serialize_ring_element_v with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
+- K= 4
 - COMPRESSION_FACTOR= 5
 - OUT_LEN= 160
 */
-static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_8e(
+static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_00(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out) {
-  compress_then_serialize_5_8c(re, out);
+  compress_then_serialize_5_96(re, out);
 }
 
 /**
@@ -4849,7 +5087,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_2a(
   uint8_t copy_of_message[32U];
   memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d message_as_ring_element =
-      deserialize_then_decompress_message_8c(copy_of_message);
+      deserialize_then_decompress_message_96(copy_of_message);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d v =
       compute_ring_element_v_d0(public_key->t_as_ntt, r_as_ntt, &error_2,
                                 &message_as_ring_element);
@@ -4862,7 +5100,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_2a(
       uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U,
                                            (size_t)1408U, uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____6 = v;
-  compress_then_serialize_ring_element_v_8e(
+  compress_then_serialize_ring_element_v_00(
       uu____6, Eurydice_array_to_subslice_from((size_t)1568U, ciphertext,
                                                (size_t)1408U, uint8_t, size_t));
   memcpy(ret, ciphertext, (size_t)1568U * sizeof(uint8_t));
@@ -4933,7 +5171,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - C2_SIZE= 160
 - VECTOR_U_COMPRESSION_FACTOR= 11
 - VECTOR_V_COMPRESSION_FACTOR= 5
-- VECTOR_U_BLOCK_LEN= 352
+- C1_BLOCK_SIZE= 352
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -4953,7 +5191,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca1(
       size_t);
   uint8_t ret[32U];
   H_f1_ac(Eurydice_array_to_slice(
-              (size_t)1568U, libcrux_ml_kem_types_as_slice_ba_af(public_key),
+              (size_t)1568U, libcrux_ml_kem_types_as_slice_fd_af(public_key),
               uint8_t),
           ret);
   Eurydice_slice_copy(
@@ -4967,7 +5205,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca1(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)1568U, libcrux_ml_kem_types_as_slice_ba_af(public_key), uint8_t);
+      (size_t)1568U, libcrux_ml_kem_types_as_slice_fd_af(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -4977,7 +5215,7 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca1(
   uint8_t copy_of_ciphertext[1568U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1568U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemCiphertext_64 ciphertext0 =
-      libcrux_ml_kem_types_from_fc_af(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_af(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   kdf_d8_60(shared_secret, shared_secret_array);
   libcrux_ml_kem_types_MlKemCiphertext_64 uu____5 = ciphertext0;
@@ -4998,15 +5236,15 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-deserialize_to_uncompressed_ring_element_8c(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c();
+deserialize_to_uncompressed_ring_element_96(Eurydice_slice serialized) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_12_2c(bytes);
     re.coefficients[i0] = uu____0;
   }
   return re;
@@ -5026,7 +5264,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_d0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  secret_as_ntt[i] = ZERO_d6_8c(););
+                  secret_as_ntt[i] = ZERO_ef_96(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(secret_key, uint8_t) /
                LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
@@ -5038,7 +5276,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_d0(
             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        deserialize_to_uncompressed_ring_element_8c(secret_bytes);
+        deserialize_to_uncompressed_ring_element_96(secret_bytes);
     secret_as_ntt[i0] = uu____0;
   }
   memcpy(
@@ -5054,33 +5292,33 @@ const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 decompress_ciphertext_coefficient_ef(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    int32_t decompressed = (int32_t)v.elements[i0] *
+    int32_t decompressed = (int32_t)a.elements[i0] *
                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)10);
     decompressed = decompressed >> (uint32_t)((int32_t)10 + (int32_t)1);
-    v.elements[i0] = (int16_t)decompressed;
+    a.elements[i0] = (int16_t)decompressed;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
+libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_2c with const
 generics
 - COEFFICIENT_BITS= 10
 */
 static libcrux_ml_kem_vector_portable_vector_type_PortableVector
-decompress_ciphertext_coefficient_0d_ef(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return decompress_ciphertext_coefficient_ef(v);
+decompress_ciphertext_coefficient_2c_ef(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return decompress_ciphertext_coefficient_ef(a);
 }
 
 /**
@@ -5090,17 +5328,17 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-deserialize_then_decompress_10_8c(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c();
+deserialize_then_decompress_10_96(Eurydice_slice serialized) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_deserialize_10_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_10_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        decompress_ciphertext_coefficient_0d_ef(coefficient);
+        decompress_ciphertext_coefficient_2c_ef(coefficient);
     re.coefficients[i0] = uu____0;
   }
   return re;
@@ -5114,33 +5352,33 @@ const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 decompress_ciphertext_coefficient_c4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    int32_t decompressed = (int32_t)v.elements[i0] *
+    int32_t decompressed = (int32_t)a.elements[i0] *
                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)11);
     decompressed = decompressed >> (uint32_t)((int32_t)11 + (int32_t)1);
-    v.elements[i0] = (int16_t)decompressed;
+    a.elements[i0] = (int16_t)decompressed;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
+libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_2c with const
 generics
 - COEFFICIENT_BITS= 11
 */
 static libcrux_ml_kem_vector_portable_vector_type_PortableVector
-decompress_ciphertext_coefficient_0d_c4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return decompress_ciphertext_coefficient_c4(v);
+decompress_ciphertext_coefficient_2c_c4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return decompress_ciphertext_coefficient_c4(a);
 }
 
 /**
@@ -5150,17 +5388,17 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-deserialize_then_decompress_11_8c(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c();
+deserialize_then_decompress_11_96(Eurydice_slice serialized) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_deserialize_11_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_11_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        decompress_ciphertext_coefficient_0d_c4(coefficient);
+        decompress_ciphertext_coefficient_2c_c4(coefficient);
     re.coefficients[i0] = uu____0;
   }
   return re;
@@ -5174,7 +5412,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 deserialize_then_decompress_ring_element_u_5e(Eurydice_slice serialized) {
-  return deserialize_then_decompress_11_8c(serialized);
+  return deserialize_then_decompress_11_96(serialized);
 }
 
 /**
@@ -5186,14 +5424,14 @@ with const generics
 static KRML_MUSTINLINE void ntt_vector_u_5e(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   size_t zeta_i = (size_t)0U;
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U);
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U);
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U);
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U);
-  ntt_at_layer_3_8c(&zeta_i, re);
-  ntt_at_layer_2_8c(&zeta_i, re);
-  ntt_at_layer_1_8c(&zeta_i, re);
-  poly_barrett_reduce_d6_8c(re);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)7U);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)6U);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)5U);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)4U);
+  ntt_at_layer_3_96(&zeta_i, re);
+  ntt_at_layer_2_96(&zeta_i, re);
+  ntt_at_layer_1_96(&zeta_i, re);
+  poly_barrett_reduce_ef_96(re);
 }
 
 /**
@@ -5213,7 +5451,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_00(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[4U];
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U,
-                  u_as_ntt[i] = ZERO_d6_8c(););
+                  u_as_ntt[i] = ZERO_ef_96(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t),
@@ -5247,33 +5485,33 @@ const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 decompress_ciphertext_coefficient_d1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    int32_t decompressed = (int32_t)v.elements[i0] *
+    int32_t decompressed = (int32_t)a.elements[i0] *
                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)4);
     decompressed = decompressed >> (uint32_t)((int32_t)4 + (int32_t)1);
-    v.elements[i0] = (int16_t)decompressed;
+    a.elements[i0] = (int16_t)decompressed;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
+libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_2c with const
 generics
 - COEFFICIENT_BITS= 4
 */
 static libcrux_ml_kem_vector_portable_vector_type_PortableVector
-decompress_ciphertext_coefficient_0d_d1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return decompress_ciphertext_coefficient_d1(v);
+decompress_ciphertext_coefficient_2c_d1(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return decompress_ciphertext_coefficient_d1(a);
 }
 
 /**
@@ -5283,17 +5521,17 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-deserialize_then_decompress_4_8c(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c();
+deserialize_then_decompress_4_96(Eurydice_slice serialized) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_deserialize_4_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_4_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        decompress_ciphertext_coefficient_0d_d1(coefficient);
+        decompress_ciphertext_coefficient_2c_d1(coefficient);
     re.coefficients[i0] = uu____0;
   }
   return re;
@@ -5307,33 +5545,33 @@ const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 decompress_ciphertext_coefficient_f4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    int32_t decompressed = (int32_t)v.elements[i0] *
+    int32_t decompressed = (int32_t)a.elements[i0] *
                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)5);
     decompressed = decompressed >> (uint32_t)((int32_t)5 + (int32_t)1);
-    v.elements[i0] = (int16_t)decompressed;
+    a.elements[i0] = (int16_t)decompressed;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
+libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_2c with const
 generics
 - COEFFICIENT_BITS= 5
 */
 static libcrux_ml_kem_vector_portable_vector_type_PortableVector
-decompress_ciphertext_coefficient_0d_f4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return decompress_ciphertext_coefficient_f4(v);
+decompress_ciphertext_coefficient_2c_f4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return decompress_ciphertext_coefficient_f4(a);
 }
 
 /**
@@ -5343,17 +5581,17 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-deserialize_then_decompress_5_8c(Eurydice_slice serialized) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_8c();
+deserialize_then_decompress_5_96(Eurydice_slice serialized) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t);
     re.coefficients[i0] =
-        libcrux_ml_kem_vector_portable_deserialize_5_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_5_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 =
-        decompress_ciphertext_coefficient_0d_f4(re.coefficients[i0]);
+        decompress_ciphertext_coefficient_2c_f4(re.coefficients[i0]);
     re.coefficients[i0] = uu____1;
   }
   return re;
@@ -5363,43 +5601,56 @@ deserialize_then_decompress_5_8c(Eurydice_slice serialized) {
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_v with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
+- K= 4
 - COMPRESSION_FACTOR= 5
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-deserialize_then_decompress_ring_element_v_9f(Eurydice_slice serialized) {
-  return deserialize_then_decompress_5_8c(serialized);
+deserialize_then_decompress_ring_element_v_ff(Eurydice_slice serialized) {
+  return deserialize_then_decompress_5_96(serialized);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-subtract_reduce_d6_8c(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
-                      libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
+subtract_reduce_96(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
+                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
-            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
+            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
                 b.coefficients[i0], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            libcrux_ml_kem_vector_portable_sub_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+            libcrux_ml_kem_vector_portable_sub_2c(myself->coefficients[i0],
                                                   &coefficient_normal_form));
     b.coefficients[i0] = uu____0;
   }
   return b;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+subtract_reduce_ef_96(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+                      libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
+  return subtract_reduce_96(self, b);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -5417,13 +5668,13 @@ compute_message_d0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_96();
   KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-                      ntt_multiply_d6_8c(&secret_as_ntt[i0], &u_as_ntt[i0]);
-                  add_to_ring_element_d6_d0(&result, &product););
+                      ntt_multiply_ef_96(&secret_as_ntt[i0], &u_as_ntt[i0]);
+                  add_to_ring_element_ef_d0(&result, &product););
   invert_ntt_montgomery_d0(&result);
-  result = subtract_reduce_d6_8c(v, result);
+  result = subtract_reduce_ef_96(v, result);
   return result;
 }
 
@@ -5433,17 +5684,17 @@ libcrux_ml_kem.serialize.compress_then_serialize_message with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
-static KRML_MUSTINLINE void compress_then_serialize_message_8c(
+static KRML_MUSTINLINE void compress_then_serialize_message_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, uint8_t ret[32U]) {
   uint8_t serialized[32U] = {0U};
   KRML_MAYBE_FOR16(
       i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-          to_unsigned_representative_8c(re.coefficients[i0]);
+          to_unsigned_field_modulus_96(re.coefficients[i0]);
       libcrux_ml_kem_vector_portable_vector_type_PortableVector
           coefficient_compressed =
-              libcrux_ml_kem_vector_portable_compress_1_0d(coefficient);
-      uint8_t bytes[2U]; libcrux_ml_kem_vector_portable_serialize_1_0d(
+              libcrux_ml_kem_vector_portable_compress_1_2c(coefficient);
+      uint8_t bytes[2U]; libcrux_ml_kem_vector_portable_serialize_1_2c(
           coefficient_compressed, bytes);
       Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
           serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t);
@@ -5493,13 +5744,13 @@ static KRML_MUSTINLINE void decrypt_unpacked_7d(
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[4U];
   deserialize_then_decompress_u_00(ciphertext, u_as_ntt);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d v =
-      deserialize_then_decompress_ring_element_v_9f(
+      deserialize_then_decompress_ring_element_v_ff(
           Eurydice_array_to_subslice_from((size_t)1568U, ciphertext,
                                           (size_t)1408U, uint8_t, size_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d message =
       compute_message_d0(&v, secret_key->secret_as_ntt, u_as_ntt);
   uint8_t ret0[32U];
-  compress_then_serialize_message_8c(message, ret0);
+  compress_then_serialize_message_96(message, ret0);
   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
 }
 
@@ -5557,6 +5808,9 @@ static KRML_MUSTINLINE void PRF_f1_44(Eurydice_slice input, uint8_t ret[32U]) {
   PRF_9e(input, ret);
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -5612,7 +5866,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_621(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1600U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_af(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_af(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   PRF_f1_44(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t),
@@ -5632,7 +5886,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_621(
   kdf_d8_60(shared_secret0, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_af(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_af(ciphertext),
       Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
@@ -5648,10 +5902,9 @@ void libcrux_ml_kem_ind_cca_decapsulate_621(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 800
 - K= 2
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_1e(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_a0(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) {
   for (size_t i = (size_t)0U;
@@ -5665,7 +5918,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_1e(
             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        deserialize_to_reduced_ring_element_8c(ring_element);
+        deserialize_to_reduced_ring_element_96(ring_element);
     deserialized_pk[i0] = uu____0;
   }
 }
@@ -5680,16 +5933,15 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_1e(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 800
 - K= 2
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_1e(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_a0(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[2U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  deserialized_pk[i] = ZERO_d6_8c(););
-  deserialize_ring_elements_reduced_1e(public_key, deserialized_pk);
+                  deserialized_pk[i] = ZERO_ef_96(););
+  deserialize_ring_elements_reduced_a0(public_key, deserialized_pk);
   memcpy(
       ret, deserialized_pk,
       (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));
@@ -5723,7 +5975,7 @@ static KRML_MUSTINLINE void serialize_secret_key_64(
         (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     uint8_t ret0[384U];
-    serialize_uncompressed_ring_element_8c(&re, ret0);
+    serialize_uncompressed_ring_element_96(&re, ret0);
     Eurydice_slice_copy(
         uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t);
   }
@@ -5792,7 +6044,7 @@ with const generics
 */
 bool libcrux_ml_kem_ind_cca_validate_public_key_86(uint8_t *public_key) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[2U];
-  deserialize_ring_elements_reduced_out_1e(
+  deserialize_ring_elements_reduced_out_a0(
       Eurydice_array_to_subslice_to((size_t)800U, public_key, (size_t)768U,
                                     uint8_t, size_t),
       deserialized_pk);
@@ -5890,8 +6142,8 @@ with const generics
 */
 static IndCpaPrivateKeyUnpacked_d4 default_1a_a0(void) {
   IndCpaPrivateKeyUnpacked_d4 lit;
-  lit.secret_as_ntt[0U] = ZERO_d6_8c();
-  lit.secret_as_ntt[1U] = ZERO_d6_8c();
+  lit.secret_as_ntt[0U] = ZERO_ef_96();
+  lit.secret_as_ntt[1U] = ZERO_ef_96();
   return lit;
 }
 
@@ -5921,17 +6173,17 @@ with const generics
 static IndCpaPublicKeyUnpacked_d4 default_8d_a0(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  uu____0[i] = ZERO_d6_8c(););
+                  uu____0[i] = ZERO_ef_96(););
   uint8_t uu____1[32U] = {0U};
   IndCpaPublicKeyUnpacked_d4 lit;
   memcpy(
       lit.t_as_ntt, uu____0,
       (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));
   memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t));
-  lit.A[0U][0U] = ZERO_d6_8c();
-  lit.A[0U][1U] = ZERO_d6_8c();
-  lit.A[1U][0U] = ZERO_d6_8c();
-  lit.A[1U][1U] = ZERO_d6_8c();
+  lit.A[0U][0U] = ZERO_ef_96();
+  lit.A[0U][1U] = ZERO_ef_96();
+  lit.A[1U][0U] = ZERO_ef_96();
+  lit.A[1U][1U] = ZERO_ef_96();
   return lit;
 }
 
@@ -5984,11 +6236,12 @@ typedef struct PortableHash_cf_s {
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_init_absorb with const generics
+libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const
+generics
 - K= 2
 */
 static KRML_MUSTINLINE PortableHash_cf
-shake128_init_absorb_fd(uint8_t input[2U][34U]) {
+shake128_init_absorb_final_fd(uint8_t input[2U][34U]) {
   libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[2U];
   KRML_MAYBE_FOR2(
       i, (size_t)0U, (size_t)2U, (size_t)1U,
@@ -6014,25 +6267,25 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_f1 with const
+libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_f1 with const
 generics
 - K= 2
 */
 static KRML_MUSTINLINE PortableHash_cf
-shake128_init_absorb_f1_fd(uint8_t input[2U][34U]) {
+shake128_init_absorb_final_f1_fd(uint8_t input[2U][34U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_input[2U][34U];
   memcpy(copy_of_input, input, (size_t)2U * sizeof(uint8_t[34U]));
-  return shake128_init_absorb_fd(copy_of_input);
+  return shake128_init_absorb_final_fd(copy_of_input);
 }
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks with const
-generics
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with
+const generics
 - K= 2
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_fd(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_fd(
     PortableHash_cf *st, uint8_t ret[2U][504U]) {
   uint8_t out[2U][504U] = {{0U}};
   KRML_MAYBE_FOR2(
@@ -6049,13 +6302,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks_f1 with
-const generics
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_f1
+with const generics
 - K= 2
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_f1_fd(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_f1_fd(
     PortableHash_cf *self, uint8_t ret[2U][504U]) {
-  shake128_squeeze_three_blocks_fd(self, ret);
+  shake128_squeeze_first_three_blocks_fd(self, ret);
 }
 
 /**
@@ -6118,7 +6371,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_64(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
+          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_2c(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -6140,12 +6393,12 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_64(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block with const
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const
 generics
 - K= 2
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_fd(PortableHash_cf *st,
-                                                      uint8_t ret[2U][168U]) {
+static KRML_MUSTINLINE void shake128_squeeze_next_block_fd(
+    PortableHash_cf *st, uint8_t ret[2U][168U]) {
   uint8_t out[2U][168U] = {{0U}};
   KRML_MAYBE_FOR2(
       i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
@@ -6161,13 +6414,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block_f1 with const
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_f1 with const
 generics
 - K= 2
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_f1_fd(
+static KRML_MUSTINLINE void shake128_squeeze_next_block_f1_fd(
     PortableHash_cf *self, uint8_t ret[2U][168U]) {
-  shake128_squeeze_block_fd(self, ret);
+  shake128_squeeze_next_block_fd(self, ret);
 }
 
 /**
@@ -6230,7 +6483,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_640(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
+          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_2c(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -6259,7 +6512,7 @@ generics
 */
 static libcrux_ml_kem_polynomial_PolynomialRingElement_1d closure_2b0(
     int16_t s[272U]) {
-  return from_i16_array_d6_8c(
+  return from_i16_array_ef_96(
       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
 }
 
@@ -6278,9 +6531,9 @@ static KRML_MUSTINLINE void sample_from_xof_2b0(
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_seeds[2U][34U];
   memcpy(copy_of_seeds, seeds, (size_t)2U * sizeof(uint8_t[34U]));
-  PortableHash_cf xof_state = shake128_init_absorb_f1_fd(copy_of_seeds);
+  PortableHash_cf xof_state = shake128_init_absorb_final_f1_fd(copy_of_seeds);
   uint8_t randomness0[2U][504U];
-  shake128_squeeze_three_blocks_f1_fd(&xof_state, randomness0);
+  shake128_squeeze_first_three_blocks_f1_fd(&xof_state, randomness0);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness0[2U][504U];
   memcpy(copy_of_randomness0, randomness0, (size_t)2U * sizeof(uint8_t[504U]));
@@ -6291,7 +6544,7 @@ static KRML_MUSTINLINE void sample_from_xof_2b0(
       break;
     } else {
       uint8_t randomness[2U][168U];
-      shake128_squeeze_block_f1_fd(&xof_state, randomness);
+      shake128_squeeze_next_block_f1_fd(&xof_state, randomness);
       /* Passing arrays by value in Rust generates a copy in C */
       uint8_t copy_of_randomness[2U][168U];
       memcpy(copy_of_randomness, randomness,
@@ -6393,7 +6646,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 sample_from_binomial_distribution_1b(Eurydice_slice randomness) {
-  return sample_from_binomial_distribution_3_8c(randomness);
+  return sample_from_binomial_distribution_3_96(randomness);
 }
 
 /**
@@ -6419,16 +6672,15 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_3b0(
   KRML_MAYBE_FOR2(
       i, (size_t)0U, (size_t)2U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_fd(prf_inputs, domain_separator);
   uint8_t prf_outputs[2U][192U];
   PRFxN_f1_49(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR2(
       i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
       re_as_ntt[i0] = sample_from_binomial_distribution_1b(
           Eurydice_array_to_slice((size_t)192U, prf_outputs[i0], uint8_t));
-      ntt_binomially_sampled_ring_element_8c(&re_as_ntt[i0]););
+      ntt_binomially_sampled_ring_element_96(&re_as_ntt[i0]););
   return domain_separator;
 }
 
@@ -6456,7 +6708,7 @@ static KRML_MUSTINLINE tuple_400 sample_vector_cbd_then_ntt_out_3b0(
     uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re_as_ntt[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  re_as_ntt[i] = ZERO_d6_8c(););
+                  re_as_ntt[i] = ZERO_ef_96(););
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = re_as_ntt;
   uint8_t uu____1[33U];
   memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -6480,34 +6732,46 @@ static KRML_MUSTINLINE tuple_400 sample_vector_cbd_then_ntt_out_3b0(
  sum of their constituent coefficients.
 */
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 2
 */
-static KRML_MUSTINLINE void add_to_ring_element_d6_a0(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_to_ring_element_a0(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice(
-                   (size_t)16U, self->coefficients,
+                   (size_t)16U, myself->coefficients,
                    libcrux_ml_kem_vector_portable_vector_type_PortableVector),
                libcrux_ml_kem_vector_portable_vector_type_PortableVector);
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_2c(myself->coefficients[i0],
                                               &rhs->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 2
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_a0(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  add_to_ring_element_a0(self, rhs);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -6531,7 +6795,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_a0(
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0];
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_8c();
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_ef_96();
     t_as_ntt[i0] = uu____0;
     for (size_t i1 = (size_t)0U;
          i1 < Eurydice_slice_len(
@@ -6544,10 +6808,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_a0(
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element =
           &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-          ntt_multiply_d6_8c(matrix_element, &s_as_ntt[j]);
-      add_to_ring_element_d6_a0(&t_as_ntt[i0], &product);
+          ntt_multiply_ef_96(matrix_element, &s_as_ntt[j]);
+      add_to_ring_element_ef_a0(&t_as_ntt[i0], &product);
     }
-    add_standard_error_reduce_d6_8c(&t_as_ntt[i0], &error_as_ntt[i0]);
+    add_standard_error_reduce_ef_96(&t_as_ntt[i0], &error_as_ntt[i0]);
   }
 }
 
@@ -6754,9 +7018,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_mut_30(
       implicit_rejection_value, uint8_t);
 }
 
-/**
- Serialize the secret key.
-*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key
 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$2size_t]]
@@ -6790,7 +7051,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - CPA_PRIVATE_KEY_SIZE= 768
 - PRIVATE_KEY_SIZE= 1632
 - PUBLIC_KEY_SIZE= 800
-- BYTES_PER_RING_ELEMENT= 768
+- RANKED_BYTES_PER_RING_ELEMENT= 768
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 */
@@ -6819,13 +7080,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_f80(uint8_t randomness[64U]) {
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)1632U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_fa private_key =
-      libcrux_ml_kem_types_from_88_2a(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_2a(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_fa uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[800U];
   memcpy(copy_of_public_key, public_key, (size_t)800U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_fa(
-      uu____2, libcrux_ml_kem_types_from_40_4d(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_fa(
+      uu____2, libcrux_ml_kem_types_from_5f_4d(copy_of_public_key));
 }
 
 /**
@@ -6846,35 +7107,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_10(Eurydice_slice randomness,
   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
 
-/**
- See [deserialize_ring_elements_reduced_out].
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
-libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 768
-- K= 2
-*/
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5f(
-    Eurydice_slice public_key,
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) {
-  for (size_t i = (size_t)0U;
-       i < Eurydice_slice_len(public_key, uint8_t) /
-               LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
-       i++) {
-    size_t i0 = i;
-    Eurydice_slice ring_element = Eurydice_slice_subslice2(
-        public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
-            LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        uint8_t);
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        deserialize_to_reduced_ring_element_8c(ring_element);
-    deserialized_pk[i0] = uu____0;
-  }
-}
-
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -6883,12 +7115,12 @@ generics
 - K= 2
 - T_AS_NTT_ENCODED_SIZE= 768
 */
-static void build_unpacked_public_key_mut_3f0(
+static KRML_MUSTINLINE void build_unpacked_public_key_mut_3f0(
     Eurydice_slice public_key,
     IndCpaPublicKeyUnpacked_d4 *unpacked_public_key) {
   Eurydice_slice uu____0 =
       Eurydice_slice_subslice_to(public_key, (size_t)768U, uint8_t, size_t);
-  deserialize_ring_elements_reduced_5f(uu____0, unpacked_public_key->t_as_ntt);
+  deserialize_ring_elements_reduced_a0(uu____0, unpacked_public_key->t_as_ntt);
   Eurydice_slice seed =
       Eurydice_slice_subslice_from(public_key, (size_t)768U, uint8_t, size_t);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[2U] =
@@ -6906,8 +7138,8 @@ generics
 - K= 2
 - T_AS_NTT_ENCODED_SIZE= 768
 */
-static IndCpaPublicKeyUnpacked_d4 build_unpacked_public_key_3f0(
-    Eurydice_slice public_key) {
+static KRML_MUSTINLINE IndCpaPublicKeyUnpacked_d4
+build_unpacked_public_key_3f0(Eurydice_slice public_key) {
   IndCpaPublicKeyUnpacked_d4 unpacked_public_key = default_8d_a0();
   build_unpacked_public_key_mut_3f0(public_key, &unpacked_public_key);
   return unpacked_public_key;
@@ -6961,7 +7193,7 @@ static KRML_MUSTINLINE tuple_400
 sample_ring_element_cbd_3b0(uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  error_1[i] = ZERO_d6_8c(););
+                  error_1[i] = ZERO_ef_96(););
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_prf_input[33U];
   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -6969,9 +7201,8 @@ sample_ring_element_cbd_3b0(uint8_t prf_input[33U], uint8_t domain_separator) {
   KRML_MAYBE_FOR2(
       i, (size_t)0U, (size_t)2U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_fd(prf_inputs, domain_separator);
   uint8_t prf_outputs[2U][128U];
   PRFxN_f1_490(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR2(
@@ -7018,14 +7249,14 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_a0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   size_t zeta_i =
       LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U;
-  invert_ntt_at_layer_1_8c(&zeta_i, re);
-  invert_ntt_at_layer_2_8c(&zeta_i, re);
-  invert_ntt_at_layer_3_8c(&zeta_i, re);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U);
-  poly_barrett_reduce_d6_8c(re);
+  invert_ntt_at_layer_1_96(&zeta_i, re);
+  invert_ntt_at_layer_2_96(&zeta_i, re);
+  invert_ntt_at_layer_3_96(&zeta_i, re);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)4U);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)5U);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)6U);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)7U);
+  poly_barrett_reduce_ef_96(re);
 }
 
 /**
@@ -7044,7 +7275,7 @@ static KRML_MUSTINLINE void compute_vector_u_a0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[2U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  result[i] = ZERO_d6_8c(););
+                  result[i] = ZERO_ef_96(););
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(
                 Eurydice_array_to_slice(
@@ -7064,11 +7295,11 @@ static KRML_MUSTINLINE void compute_vector_u_a0(
       size_t j = i;
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-          ntt_multiply_d6_8c(a_element, &r_as_ntt[j]);
-      add_to_ring_element_d6_a0(&result[i1], &product);
+          ntt_multiply_ef_96(a_element, &r_as_ntt[j]);
+      add_to_ring_element_ef_a0(&result[i1], &product);
     }
     invert_ntt_montgomery_a0(&result[i1]);
-    add_error_reduce_d6_8c(&result[i1], &error_1[i1]);
+    add_error_reduce_ef_96(&result[i1], &error_1[i1]);
   }
   memcpy(
       ret, result,
@@ -7090,13 +7321,13 @@ compute_ring_element_v_a0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_96();
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-                      ntt_multiply_d6_8c(&t_as_ntt[i0], &r_as_ntt[i0]);
-                  add_to_ring_element_d6_a0(&result, &product););
+                      ntt_multiply_ef_96(&t_as_ntt[i0], &r_as_ntt[i0]);
+                  add_to_ring_element_ef_a0(&result, &product););
   invert_ntt_montgomery_a0(&result);
-  result = add_message_error_reduce_d6_8c(error_2, message, result);
+  result = add_message_error_reduce_ef_96(error_2, message, result);
   return result;
 }
 
@@ -7113,9 +7344,9 @@ static KRML_MUSTINLINE void compress_then_serialize_10_ff(
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        compress_0d_ef(to_unsigned_representative_8c(re->coefficients[i0]));
+        compress_2c_ef(to_unsigned_field_modulus_96(re->coefficients[i0]));
     uint8_t bytes[20U];
-    libcrux_ml_kem_vector_portable_serialize_10_0d(coefficient, bytes);
+    libcrux_ml_kem_vector_portable_serialize_10_2c(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t);
     Eurydice_slice_copy(
@@ -7176,12 +7407,13 @@ static KRML_MUSTINLINE void compress_then_serialize_u_6d(
 A monomorphic instance of
 libcrux_ml_kem.serialize.compress_then_serialize_ring_element_v with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
+- K= 2
 - COMPRESSION_FACTOR= 4
 - OUT_LEN= 128
 */
-static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_ff0(
+static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_86(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out) {
-  compress_then_serialize_4_8c(re, out);
+  compress_then_serialize_4_96(re, out);
 }
 
 /**
@@ -7281,7 +7513,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_2a0(
   uint8_t copy_of_message[32U];
   memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d message_as_ring_element =
-      deserialize_then_decompress_message_8c(copy_of_message);
+      deserialize_then_decompress_message_96(copy_of_message);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d v =
       compute_ring_element_v_a0(public_key->t_as_ntt, r_as_ntt, &error_2,
                                 &message_as_ring_element);
@@ -7294,7 +7526,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_2a0(
       uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)640U,
                                            uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____6 = v;
-  compress_then_serialize_ring_element_v_ff0(
+  compress_then_serialize_ring_element_v_86(
       uu____6, Eurydice_array_to_subslice_from((size_t)768U, ciphertext,
                                                (size_t)640U, uint8_t, size_t));
   memcpy(ret, ciphertext, (size_t)768U * sizeof(uint8_t));
@@ -7365,7 +7597,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 3
 - ETA1_RANDOMNESS_SIZE= 192
 - ETA2= 2
@@ -7385,7 +7617,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_ca0(
       size_t);
   uint8_t ret[32U];
   H_f1_fd(Eurydice_array_to_slice(
-              (size_t)800U, libcrux_ml_kem_types_as_slice_ba_4d(public_key),
+              (size_t)800U, libcrux_ml_kem_types_as_slice_fd_4d(public_key),
               uint8_t),
           ret);
   Eurydice_slice_copy(
@@ -7399,7 +7631,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_ca0(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)800U, libcrux_ml_kem_types_as_slice_ba_4d(public_key), uint8_t);
+      (size_t)800U, libcrux_ml_kem_types_as_slice_fd_4d(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -7409,7 +7641,7 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_ca0(
   uint8_t copy_of_ciphertext[768U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)768U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemCiphertext_1a ciphertext0 =
-      libcrux_ml_kem_types_from_fc_d0(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_d0(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   kdf_d8_30(shared_secret, shared_secret_array);
   libcrux_ml_kem_types_MlKemCiphertext_1a uu____5 = ciphertext0;
@@ -7437,7 +7669,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_a0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[2U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  secret_as_ntt[i] = ZERO_d6_8c(););
+                  secret_as_ntt[i] = ZERO_ef_96(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(secret_key, uint8_t) /
                LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
@@ -7449,7 +7681,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_a0(
             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        deserialize_to_uncompressed_ring_element_8c(secret_bytes);
+        deserialize_to_uncompressed_ring_element_96(secret_bytes);
     secret_as_ntt[i0] = uu____0;
   }
   memcpy(
@@ -7465,7 +7697,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 deserialize_then_decompress_ring_element_u_0a(Eurydice_slice serialized) {
-  return deserialize_then_decompress_10_8c(serialized);
+  return deserialize_then_decompress_10_96(serialized);
 }
 
 /**
@@ -7477,14 +7709,14 @@ with const generics
 static KRML_MUSTINLINE void ntt_vector_u_0a(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   size_t zeta_i = (size_t)0U;
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U);
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U);
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U);
-  ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U);
-  ntt_at_layer_3_8c(&zeta_i, re);
-  ntt_at_layer_2_8c(&zeta_i, re);
-  ntt_at_layer_1_8c(&zeta_i, re);
-  poly_barrett_reduce_d6_8c(re);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)7U);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)6U);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)5U);
+  ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)4U);
+  ntt_at_layer_3_96(&zeta_i, re);
+  ntt_at_layer_2_96(&zeta_i, re);
+  ntt_at_layer_1_96(&zeta_i, re);
+  poly_barrett_reduce_ef_96(re);
 }
 
 /**
@@ -7504,7 +7736,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_86(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[2U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[2U];
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U,
-                  u_as_ntt[i] = ZERO_d6_8c(););
+                  u_as_ntt[i] = ZERO_ef_96(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t),
@@ -7534,11 +7766,12 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_86(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_v with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
+- K= 2
 - COMPRESSION_FACTOR= 4
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-deserialize_then_decompress_ring_element_v_d0(Eurydice_slice serialized) {
-  return deserialize_then_decompress_4_8c(serialized);
+deserialize_then_decompress_ring_element_v_64(Eurydice_slice serialized) {
+  return deserialize_then_decompress_4_96(serialized);
 }
 
 /**
@@ -7558,13 +7791,13 @@ compute_message_a0(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_96();
   KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-                      ntt_multiply_d6_8c(&secret_as_ntt[i0], &u_as_ntt[i0]);
-                  add_to_ring_element_d6_a0(&result, &product););
+                      ntt_multiply_ef_96(&secret_as_ntt[i0], &u_as_ntt[i0]);
+                  add_to_ring_element_ef_a0(&result, &product););
   invert_ntt_montgomery_a0(&result);
-  result = subtract_reduce_d6_8c(v, result);
+  result = subtract_reduce_ef_96(v, result);
   return result;
 }
 
@@ -7608,13 +7841,13 @@ static KRML_MUSTINLINE void decrypt_unpacked_d1(
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[2U];
   deserialize_then_decompress_u_86(ciphertext, u_as_ntt);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d v =
-      deserialize_then_decompress_ring_element_v_d0(
+      deserialize_then_decompress_ring_element_v_64(
           Eurydice_array_to_subslice_from((size_t)768U, ciphertext,
                                           (size_t)640U, uint8_t, size_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d message =
       compute_message_a0(&v, secret_key->secret_as_ntt, u_as_ntt);
   uint8_t ret0[32U];
-  compress_then_serialize_message_8c(message, ret0);
+  compress_then_serialize_message_96(message, ret0);
   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
 }
 
@@ -7660,6 +7893,9 @@ static KRML_MUSTINLINE void PRF_f1_49(Eurydice_slice input, uint8_t ret[32U]) {
   PRF_9e(input, ret);
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -7715,7 +7951,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_620(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)800U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_d0(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_d0(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   PRF_f1_49(Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t),
@@ -7735,7 +7971,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_620(
   kdf_d8_30(shared_secret0, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_d0(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_d0(ciphertext),
       Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
@@ -7751,10 +7987,9 @@ void libcrux_ml_kem_ind_cca_decapsulate_620(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 1184
 - K= 3
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_c0(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_1b(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) {
   for (size_t i = (size_t)0U;
@@ -7768,7 +8003,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_c0(
             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        deserialize_to_reduced_ring_element_8c(ring_element);
+        deserialize_to_reduced_ring_element_96(ring_element);
     deserialized_pk[i0] = uu____0;
   }
 }
@@ -7783,16 +8018,15 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_c0(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 1184
 - K= 3
 */
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_c0(
+static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_1b(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  deserialized_pk[i] = ZERO_d6_8c(););
-  deserialize_ring_elements_reduced_c0(public_key, deserialized_pk);
+                  deserialized_pk[i] = ZERO_ef_96(););
+  deserialize_ring_elements_reduced_1b(public_key, deserialized_pk);
   memcpy(
       ret, deserialized_pk,
       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));
@@ -7826,7 +8060,7 @@ static KRML_MUSTINLINE void serialize_secret_key_89(
         (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     uint8_t ret0[384U];
-    serialize_uncompressed_ring_element_8c(&re, ret0);
+    serialize_uncompressed_ring_element_96(&re, ret0);
     Eurydice_slice_copy(
         uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t);
   }
@@ -7895,7 +8129,7 @@ with const generics
 */
 bool libcrux_ml_kem_ind_cca_validate_public_key_6c(uint8_t *public_key) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U];
-  deserialize_ring_elements_reduced_out_c0(
+  deserialize_ring_elements_reduced_out_1b(
       Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U,
                                     uint8_t, size_t),
       deserialized_pk);
@@ -7993,9 +8227,9 @@ with const generics
 */
 static IndCpaPrivateKeyUnpacked_a0 default_1a_1b(void) {
   IndCpaPrivateKeyUnpacked_a0 lit;
-  lit.secret_as_ntt[0U] = ZERO_d6_8c();
-  lit.secret_as_ntt[1U] = ZERO_d6_8c();
-  lit.secret_as_ntt[2U] = ZERO_d6_8c();
+  lit.secret_as_ntt[0U] = ZERO_ef_96();
+  lit.secret_as_ntt[1U] = ZERO_ef_96();
+  lit.secret_as_ntt[2U] = ZERO_ef_96();
   return lit;
 }
 
@@ -8025,22 +8259,22 @@ with const generics
 static IndCpaPublicKeyUnpacked_a0 default_8d_1b(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  uu____0[i] = ZERO_d6_8c(););
+                  uu____0[i] = ZERO_ef_96(););
   uint8_t uu____1[32U] = {0U};
   IndCpaPublicKeyUnpacked_a0 lit;
   memcpy(
       lit.t_as_ntt, uu____0,
       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));
   memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t));
-  lit.A[0U][0U] = ZERO_d6_8c();
-  lit.A[0U][1U] = ZERO_d6_8c();
-  lit.A[0U][2U] = ZERO_d6_8c();
-  lit.A[1U][0U] = ZERO_d6_8c();
-  lit.A[1U][1U] = ZERO_d6_8c();
-  lit.A[1U][2U] = ZERO_d6_8c();
-  lit.A[2U][0U] = ZERO_d6_8c();
-  lit.A[2U][1U] = ZERO_d6_8c();
-  lit.A[2U][2U] = ZERO_d6_8c();
+  lit.A[0U][0U] = ZERO_ef_96();
+  lit.A[0U][1U] = ZERO_ef_96();
+  lit.A[0U][2U] = ZERO_ef_96();
+  lit.A[1U][0U] = ZERO_ef_96();
+  lit.A[1U][1U] = ZERO_ef_96();
+  lit.A[1U][2U] = ZERO_ef_96();
+  lit.A[2U][0U] = ZERO_ef_96();
+  lit.A[2U][1U] = ZERO_ef_96();
+  lit.A[2U][2U] = ZERO_ef_96();
   return lit;
 }
 
@@ -8093,11 +8327,12 @@ typedef struct PortableHash_88_s {
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_init_absorb with const generics
+libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const
+generics
 - K= 3
 */
 static KRML_MUSTINLINE PortableHash_88
-shake128_init_absorb_e0(uint8_t input[3U][34U]) {
+shake128_init_absorb_final_e0(uint8_t input[3U][34U]) {
   libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[3U];
   KRML_MAYBE_FOR3(
       i, (size_t)0U, (size_t)3U, (size_t)1U,
@@ -8123,25 +8358,25 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_f1 with const
+libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_f1 with const
 generics
 - K= 3
 */
 static KRML_MUSTINLINE PortableHash_88
-shake128_init_absorb_f1_e0(uint8_t input[3U][34U]) {
+shake128_init_absorb_final_f1_e0(uint8_t input[3U][34U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_input[3U][34U];
   memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U]));
-  return shake128_init_absorb_e0(copy_of_input);
+  return shake128_init_absorb_final_e0(copy_of_input);
 }
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks with const
-generics
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with
+const generics
 - K= 3
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_e0(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_e0(
     PortableHash_88 *st, uint8_t ret[3U][504U]) {
   uint8_t out[3U][504U] = {{0U}};
   KRML_MAYBE_FOR3(
@@ -8158,13 +8393,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks_f1 with
-const generics
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_f1
+with const generics
 - K= 3
 */
-static KRML_MUSTINLINE void shake128_squeeze_three_blocks_f1_e0(
+static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_f1_e0(
     PortableHash_88 *self, uint8_t ret[3U][504U]) {
-  shake128_squeeze_three_blocks_e0(self, ret);
+  shake128_squeeze_first_three_blocks_e0(self, ret);
 }
 
 /**
@@ -8227,7 +8462,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_89(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
+          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_2c(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -8249,12 +8484,12 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_89(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block with const
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const
 generics
 - K= 3
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_e0(PortableHash_88 *st,
-                                                      uint8_t ret[3U][168U]) {
+static KRML_MUSTINLINE void shake128_squeeze_next_block_e0(
+    PortableHash_88 *st, uint8_t ret[3U][168U]) {
   uint8_t out[3U][168U] = {{0U}};
   KRML_MAYBE_FOR3(
       i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
@@ -8270,13 +8505,13 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block_f1 with const
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_f1 with const
 generics
 - K= 3
 */
-static KRML_MUSTINLINE void shake128_squeeze_block_f1_e0(
+static KRML_MUSTINLINE void shake128_squeeze_next_block_f1_e0(
     PortableHash_88 *self, uint8_t ret[3U][168U]) {
-  shake128_squeeze_block_e0(self, ret);
+  shake128_squeeze_next_block_e0(self, ret);
 }
 
 /**
@@ -8339,7 +8574,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_890(
           Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
               randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U,
               uint8_t);
-          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
+          size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_2c(
               uu____0, Eurydice_array_to_subslice2(
                            out[i1], sampled_coefficients[i1],
                            sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -8368,7 +8603,7 @@ generics
 */
 static libcrux_ml_kem_polynomial_PolynomialRingElement_1d closure_2b1(
     int16_t s[272U]) {
-  return from_i16_array_d6_8c(
+  return from_i16_array_ef_96(
       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
 }
 
@@ -8387,9 +8622,9 @@ static KRML_MUSTINLINE void sample_from_xof_2b1(
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_seeds[3U][34U];
   memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U]));
-  PortableHash_88 xof_state = shake128_init_absorb_f1_e0(copy_of_seeds);
+  PortableHash_88 xof_state = shake128_init_absorb_final_f1_e0(copy_of_seeds);
   uint8_t randomness0[3U][504U];
-  shake128_squeeze_three_blocks_f1_e0(&xof_state, randomness0);
+  shake128_squeeze_first_three_blocks_f1_e0(&xof_state, randomness0);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness0[3U][504U];
   memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U]));
@@ -8400,7 +8635,7 @@ static KRML_MUSTINLINE void sample_from_xof_2b1(
       break;
     } else {
       uint8_t randomness[3U][168U];
-      shake128_squeeze_block_f1_e0(&xof_state, randomness);
+      shake128_squeeze_next_block_f1_e0(&xof_state, randomness);
       /* Passing arrays by value in Rust generates a copy in C */
       uint8_t copy_of_randomness[3U][168U];
       memcpy(copy_of_randomness, randomness,
@@ -8517,16 +8752,15 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_3b1(
   KRML_MAYBE_FOR3(
       i, (size_t)0U, (size_t)3U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator);
   uint8_t prf_outputs[3U][128U];
   PRFxN_f1_41(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR3(
       i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
       re_as_ntt[i0] = sample_from_binomial_distribution_a0(
           Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t));
-      ntt_binomially_sampled_ring_element_8c(&re_as_ntt[i0]););
+      ntt_binomially_sampled_ring_element_96(&re_as_ntt[i0]););
   return domain_separator;
 }
 
@@ -8554,7 +8788,7 @@ static KRML_MUSTINLINE tuple_230 sample_vector_cbd_then_ntt_out_3b1(
     uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re_as_ntt[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  re_as_ntt[i] = ZERO_d6_8c(););
+                  re_as_ntt[i] = ZERO_ef_96(););
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = re_as_ntt;
   uint8_t uu____1[33U];
   memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -8578,34 +8812,46 @@ static KRML_MUSTINLINE tuple_230 sample_vector_cbd_then_ntt_out_3b1(
  sum of their constituent coefficients.
 */
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 3
 */
-static KRML_MUSTINLINE void add_to_ring_element_d6_1b(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void add_to_ring_element_1b(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice(
-                   (size_t)16U, self->coefficients,
+                   (size_t)16U, myself->coefficients,
                    libcrux_ml_kem_vector_portable_vector_type_PortableVector),
                libcrux_ml_kem_vector_portable_vector_type_PortableVector);
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_2c(myself->coefficients[i0],
                                               &rhs->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 3
+*/
+static KRML_MUSTINLINE void add_to_ring_element_ef_1b(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  add_to_ring_element_1b(self, rhs);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -8629,7 +8875,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_1b(
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0];
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_8c();
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_ef_96();
     t_as_ntt[i0] = uu____0;
     for (size_t i1 = (size_t)0U;
          i1 < Eurydice_slice_len(
@@ -8642,10 +8888,10 @@ static KRML_MUSTINLINE void compute_As_plus_e_1b(
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element =
           &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-          ntt_multiply_d6_8c(matrix_element, &s_as_ntt[j]);
-      add_to_ring_element_d6_1b(&t_as_ntt[i0], &product);
+          ntt_multiply_ef_96(matrix_element, &s_as_ntt[j]);
+      add_to_ring_element_ef_1b(&t_as_ntt[i0], &product);
     }
-    add_standard_error_reduce_d6_8c(&t_as_ntt[i0], &error_as_ntt[i0]);
+    add_standard_error_reduce_ef_96(&t_as_ntt[i0], &error_as_ntt[i0]);
   }
 }
 
@@ -8852,9 +9098,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_mut_d6(
       implicit_rejection_value, uint8_t);
 }
 
-/**
- Serialize the secret key.
-*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key
 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
@@ -8888,7 +9131,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -8917,13 +9160,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_f8(uint8_t randomness[64U]) {
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)2400U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key =
-      libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_28(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[1184U];
   memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_74(
-      uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_74(
+      uu____2, libcrux_ml_kem_types_from_5f_d0(copy_of_public_key));
 }
 
 /**
@@ -8944,35 +9187,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_9c(Eurydice_slice randomness,
   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
 
-/**
- See [deserialize_ring_elements_reduced_out].
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
-libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 1152
-- K= 3
-*/
-static KRML_MUSTINLINE void deserialize_ring_elements_reduced_b3(
-    Eurydice_slice public_key,
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) {
-  for (size_t i = (size_t)0U;
-       i < Eurydice_slice_len(public_key, uint8_t) /
-               LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
-       i++) {
-    size_t i0 = i;
-    Eurydice_slice ring_element = Eurydice_slice_subslice2(
-        public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
-            LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        uint8_t);
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        deserialize_to_reduced_ring_element_8c(ring_element);
-    deserialized_pk[i0] = uu____0;
-  }
-}
-
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -8981,12 +9195,12 @@ generics
 - K= 3
 - T_AS_NTT_ENCODED_SIZE= 1152
 */
-static void build_unpacked_public_key_mut_3f1(
+static KRML_MUSTINLINE void build_unpacked_public_key_mut_3f1(
     Eurydice_slice public_key,
     IndCpaPublicKeyUnpacked_a0 *unpacked_public_key) {
   Eurydice_slice uu____0 =
       Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t);
-  deserialize_ring_elements_reduced_b3(uu____0, unpacked_public_key->t_as_ntt);
+  deserialize_ring_elements_reduced_1b(uu____0, unpacked_public_key->t_as_ntt);
   Eurydice_slice seed =
       Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[3U] =
@@ -9004,8 +9218,8 @@ generics
 - K= 3
 - T_AS_NTT_ENCODED_SIZE= 1152
 */
-static IndCpaPublicKeyUnpacked_a0 build_unpacked_public_key_3f(
-    Eurydice_slice public_key) {
+static KRML_MUSTINLINE IndCpaPublicKeyUnpacked_a0
+build_unpacked_public_key_3f(Eurydice_slice public_key) {
   IndCpaPublicKeyUnpacked_a0 unpacked_public_key = default_8d_1b();
   build_unpacked_public_key_mut_3f1(public_key, &unpacked_public_key);
   return unpacked_public_key;
@@ -9027,7 +9241,7 @@ static KRML_MUSTINLINE tuple_230
 sample_ring_element_cbd_3b1(uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  error_1[i] = ZERO_d6_8c(););
+                  error_1[i] = ZERO_ef_96(););
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_prf_input[33U];
   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
@@ -9035,9 +9249,8 @@ sample_ring_element_cbd_3b1(uint8_t prf_input[33U], uint8_t domain_separator) {
   KRML_MAYBE_FOR3(
       i, (size_t)0U, (size_t)3U, (size_t)1U,
       memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)););
-  KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
-                  prf_inputs[i0][32U] = domain_separator;
-                  domain_separator = (uint32_t)domain_separator + 1U;);
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator);
   uint8_t prf_outputs[3U][128U];
   PRFxN_f1_41(prf_inputs, prf_outputs);
   KRML_MAYBE_FOR3(
@@ -9084,14 +9297,14 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   size_t zeta_i =
       LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U;
-  invert_ntt_at_layer_1_8c(&zeta_i, re);
-  invert_ntt_at_layer_2_8c(&zeta_i, re);
-  invert_ntt_at_layer_3_8c(&zeta_i, re);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U);
-  invert_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U);
-  poly_barrett_reduce_d6_8c(re);
+  invert_ntt_at_layer_1_96(&zeta_i, re);
+  invert_ntt_at_layer_2_96(&zeta_i, re);
+  invert_ntt_at_layer_3_96(&zeta_i, re);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)4U);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)5U);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)6U);
+  invert_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)7U);
+  poly_barrett_reduce_ef_96(re);
 }
 
 /**
@@ -9110,7 +9323,7 @@ static KRML_MUSTINLINE void compute_vector_u_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  result[i] = ZERO_d6_8c(););
+                  result[i] = ZERO_ef_96(););
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(
                 Eurydice_array_to_slice(
@@ -9130,11 +9343,11 @@ static KRML_MUSTINLINE void compute_vector_u_1b(
       size_t j = i;
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-          ntt_multiply_d6_8c(a_element, &r_as_ntt[j]);
-      add_to_ring_element_d6_1b(&result[i1], &product);
+          ntt_multiply_ef_96(a_element, &r_as_ntt[j]);
+      add_to_ring_element_ef_1b(&result[i1], &product);
     }
     invert_ntt_montgomery_1b(&result[i1]);
-    add_error_reduce_d6_8c(&result[i1], &error_1[i1]);
+    add_error_reduce_ef_96(&result[i1], &error_1[i1]);
   }
   memcpy(
       ret, result,
@@ -9156,13 +9369,13 @@ compute_ring_element_v_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_96();
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-                      ntt_multiply_d6_8c(&t_as_ntt[i0], &r_as_ntt[i0]);
-                  add_to_ring_element_d6_1b(&result, &product););
+                      ntt_multiply_ef_96(&t_as_ntt[i0], &r_as_ntt[i0]);
+                  add_to_ring_element_ef_1b(&result, &product););
   invert_ntt_montgomery_1b(&result);
-  result = add_message_error_reduce_d6_8c(error_2, message, result);
+  result = add_message_error_reduce_ef_96(error_2, message, result);
   return result;
 }
 
@@ -9200,6 +9413,19 @@ static KRML_MUSTINLINE void compress_then_serialize_u_43(
   }
 }
 
+/**
+A monomorphic instance of
+libcrux_ml_kem.serialize.compress_then_serialize_ring_element_v with types
+libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
+- K= 3
+- COMPRESSION_FACTOR= 4
+- OUT_LEN= 128
+*/
+static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_6c(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out) {
+  compress_then_serialize_4_96(re, out);
+}
+
 /**
  This function implements <strong>Algorithm 13</strong> of the
  NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm.
@@ -9297,7 +9523,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_2a1(
   uint8_t copy_of_message[32U];
   memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d message_as_ring_element =
-      deserialize_then_decompress_message_8c(copy_of_message);
+      deserialize_then_decompress_message_96(copy_of_message);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d v =
       compute_ring_element_v_1b(public_key->t_as_ntt, r_as_ntt, &error_2,
                                 &message_as_ring_element);
@@ -9310,7 +9536,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_2a1(
       uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)960U,
                                            uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____6 = v;
-  compress_then_serialize_ring_element_v_ff0(
+  compress_then_serialize_ring_element_v_6c(
       uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
                                                (size_t)960U, uint8_t, size_t));
   memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t));
@@ -9381,7 +9607,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -9401,7 +9627,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca(
       size_t);
   uint8_t ret[32U];
   H_f1_e0(Eurydice_array_to_slice(
-              (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key),
+              (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key),
               uint8_t),
           ret);
   Eurydice_slice_copy(
@@ -9415,7 +9641,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t);
+      (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -9425,7 +9651,7 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca(
   uint8_t copy_of_ciphertext[1088U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 =
-      libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_80(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   kdf_d8_d6(shared_secret, shared_secret_array);
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0;
@@ -9453,7 +9679,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  secret_as_ntt[i] = ZERO_d6_8c(););
+                  secret_as_ntt[i] = ZERO_ef_96(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(secret_key, uint8_t) /
                LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
@@ -9465,7 +9691,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_1b(
             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        deserialize_to_uncompressed_ring_element_8c(secret_bytes);
+        deserialize_to_uncompressed_ring_element_96(secret_bytes);
     secret_as_ntt[i0] = uu____0;
   }
   memcpy(
@@ -9490,7 +9716,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_6c(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U];
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U,
-                  u_as_ntt[i] = ZERO_d6_8c(););
+                  u_as_ntt[i] = ZERO_ef_96(););
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t),
@@ -9516,6 +9742,18 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_6c(
       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));
 }
 
+/**
+A monomorphic instance of
+libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_v with types
+libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
+- K= 3
+- COMPRESSION_FACTOR= 4
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+deserialize_then_decompress_ring_element_v_89(Eurydice_slice serialized) {
+  return deserialize_then_decompress_4_96(serialized);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -9533,13 +9771,13 @@ compute_message_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) {
-  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_8c();
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ef_96();
   KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i;
                   libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-                      ntt_multiply_d6_8c(&secret_as_ntt[i0], &u_as_ntt[i0]);
-                  add_to_ring_element_d6_1b(&result, &product););
+                      ntt_multiply_ef_96(&secret_as_ntt[i0], &u_as_ntt[i0]);
+                  add_to_ring_element_ef_1b(&result, &product););
   invert_ntt_montgomery_1b(&result);
-  result = subtract_reduce_d6_8c(v, result);
+  result = subtract_reduce_ef_96(v, result);
   return result;
 }
 
@@ -9583,13 +9821,13 @@ static KRML_MUSTINLINE void decrypt_unpacked_42(
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U];
   deserialize_then_decompress_u_6c(ciphertext, u_as_ntt);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d v =
-      deserialize_then_decompress_ring_element_v_d0(
+      deserialize_then_decompress_ring_element_v_89(
           Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
                                           (size_t)960U, uint8_t, size_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d message =
       compute_message_1b(&v, secret_key->secret_as_ntt, u_as_ntt);
   uint8_t ret0[32U];
-  compress_then_serialize_message_8c(message, ret0);
+  compress_then_serialize_message_96(message, ret0);
   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
 }
 
@@ -9635,6 +9873,9 @@ static KRML_MUSTINLINE void PRF_f1_41(Eurydice_slice input, uint8_t ret[32U]) {
   PRF_9e(input, ret);
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -9690,7 +9931,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_62(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_80(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   PRF_f1_41(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t),
@@ -9709,7 +9950,7 @@ void libcrux_ml_kem_ind_cca_decapsulate_62(
   kdf_d8_d6(shared_secret0, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_80(ciphertext),
       Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
index 594c2bd30..fe8972889 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem_portable_H
@@ -48,10 +48,10 @@ libcrux_ml_kem_vector_portable_vector_type_from_i16_array(Eurydice_slice array);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_from_i16_array_0d(Eurydice_slice array);
+libcrux_ml_kem_vector_portable_from_i16_array_2c(Eurydice_slice array);
 
 typedef struct uint8_t_x11_s {
   uint8_t fst;
@@ -74,11 +74,15 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_11(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
     uint8_t ret[22U]);
 
+void libcrux_ml_kem_vector_portable_serialize_11(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[22U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_11_0d(
+void libcrux_ml_kem_vector_portable_serialize_11_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[22U]);
 
@@ -97,17 +101,17 @@ int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
     Eurydice_slice bytes);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_vector_type_zero(void);
+libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes);
+libcrux_ml_kem_vector_portable_deserialize_11(Eurydice_slice a);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_11_0d(Eurydice_slice a);
+libcrux_ml_kem_vector_portable_deserialize_11_2c(Eurydice_slice a);
 
 void libcrux_ml_kem_vector_portable_vector_type_to_i16_array(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector x,
@@ -115,9 +119,9 @@ void libcrux_ml_kem_vector_portable_vector_type_to_i16_array(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_to_i16_array_0d(
+void libcrux_ml_kem_vector_portable_to_i16_array_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector x,
     int16_t ret[16U]);
 
@@ -125,12 +129,15 @@ extern const uint8_t
     libcrux_ml_kem_vector_rej_sample_table_REJECTION_SAMPLE_SHUFFLE_TABLE[256U]
                                                                          [16U];
 
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_vector_type_zero(void);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ZERO_0d(void);
+libcrux_ml_kem_vector_portable_ZERO_2c(void);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_add(
@@ -139,10 +146,10 @@ libcrux_ml_kem_vector_portable_arithmetic_add(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_add_0d(
+libcrux_ml_kem_vector_portable_add_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs);
 
@@ -153,57 +160,60 @@ libcrux_ml_kem_vector_portable_arithmetic_sub(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_sub_0d(
+libcrux_ml_kem_vector_portable_sub_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_multiply_by_constant_0d(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c);
+libcrux_ml_kem_vector_portable_multiply_by_constant_2c(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
+libcrux_ml_kem_vector_portable_bitwise_and_with_constant_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c);
 
+/**
+ Note: This function is not secret independent
+ Only use with public values.
+*/
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(
+libcrux_ml_kem_vector_portable_cond_subtract_3329_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v);
 
 #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER \
   ((int32_t)20159)
 
-#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT ((int32_t)26)
+#define LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT ((int32_t)26)
 
-#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R \
-  ((int32_t)1 << (uint32_t)                                 \
-       LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT)
+#define LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_R \
+  ((int32_t)1 << (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT)
 
 /**
  Signed Barrett Reduction
@@ -216,21 +226,23 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(
 
  `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1)
 
- In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`.
+ Note: The input bound is 28296 to prevent overflow in the multiplication of
+ quotient by FIELD_MODULUS
+
 */
 int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
     int16_t value);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_barrett_reduce_0d(
+libcrux_ml_kem_vector_portable_barrett_reduce_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v);
 
 #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (16U)
@@ -248,10 +260,12 @@ libcrux_ml_kem_vector_portable_barrett_reduce_0d(
  - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS)
  - the absolute value of `o` is bound as follows:
 
- `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2)
+ `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665
+
+ In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <=
+ FIELD_MODULUS-1`. And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <=
+ FIELD_MODULUS + 1664
 
- In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 ·
- FIELD_MODULUS) / 2`.
 */
 int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
     int32_t value);
@@ -272,14 +286,14 @@ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
+libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t r);
 
 /**
@@ -309,15 +323,15 @@ uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient(
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_compress_1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_compress_1_0d(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v);
+libcrux_ml_kem_vector_portable_compress_1_2c(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a);
 
 uint32_t libcrux_ml_kem_vector_portable_arithmetic_get_n_least_significant_bits(
     uint8_t n, uint32_t value);
@@ -326,91 +340,93 @@ int16_t libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
     uint8_t coefficient_bits, uint16_t fe);
 
 void libcrux_ml_kem_vector_portable_ntt_ntt_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta,
-    size_t i, size_t j);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec,
+    int16_t zeta, size_t i, size_t j);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1, int16_t zeta2, int16_t zeta3);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
+libcrux_ml_kem_vector_portable_ntt_layer_1_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
+libcrux_ml_kem_vector_portable_ntt_layer_2_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d(
+libcrux_ml_kem_vector_portable_ntt_layer_3_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta);
 
 void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta,
-    size_t i, size_t j);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec,
+    int16_t zeta, size_t i, size_t j);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1, int16_t zeta2, int16_t zeta3);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d(
+libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1, int16_t zeta2, int16_t zeta3);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d(
+libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta);
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d(
+libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta);
 
 /**
@@ -438,8 +454,7 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d(
 void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *a,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta,
-    size_t i, size_t j,
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector *out);
+    size_t i, libcrux_ml_kem_vector_portable_vector_type_PortableVector *out);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_multiply(
@@ -449,10 +464,10 @@ libcrux_ml_kem_vector_portable_ntt_ntt_multiply(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_multiply_0d(
+libcrux_ml_kem_vector_portable_ntt_multiply_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs,
     int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3);
@@ -461,23 +476,30 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_1(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
     uint8_t ret[2U]);
 
+void libcrux_ml_kem_vector_portable_serialize_1(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[2U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_1_0d(
+void libcrux_ml_kem_vector_portable_serialize_1_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[2U]);
 
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v);
 
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_1_0d(Eurydice_slice a);
+libcrux_ml_kem_vector_portable_deserialize_1_2c(Eurydice_slice a);
 
 typedef struct uint8_t_x4_s {
   uint8_t fst;
@@ -493,11 +515,15 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_4(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
     uint8_t ret[8U]);
 
+void libcrux_ml_kem_vector_portable_serialize_4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[8U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_4_0d(
+void libcrux_ml_kem_vector_portable_serialize_4_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[8U]);
 
@@ -507,12 +533,15 @@ int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_4_int(
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes);
 
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_4_0d(Eurydice_slice a);
+libcrux_ml_kem_vector_portable_deserialize_4_2c(Eurydice_slice a);
 
 typedef struct uint8_t_x5_s {
   uint8_t fst;
@@ -529,11 +558,15 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_5(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
     uint8_t ret[10U]);
 
+void libcrux_ml_kem_vector_portable_serialize_5(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[10U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_5_0d(
+void libcrux_ml_kem_vector_portable_serialize_5_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[10U]);
 
@@ -543,12 +576,15 @@ int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_5_int(
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes);
 
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_5(Eurydice_slice a);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_5_0d(Eurydice_slice a);
+libcrux_ml_kem_vector_portable_deserialize_5_2c(Eurydice_slice a);
 
 uint8_t_x5 libcrux_ml_kem_vector_portable_serialize_serialize_10_int(
     Eurydice_slice v);
@@ -557,11 +593,15 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_10(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
     uint8_t ret[20U]);
 
+void libcrux_ml_kem_vector_portable_serialize_10(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[20U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_10_0d(
+void libcrux_ml_kem_vector_portable_serialize_10_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[20U]);
 
@@ -571,12 +611,15 @@ int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_10_int(
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes);
 
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_10_0d(Eurydice_slice a);
+libcrux_ml_kem_vector_portable_deserialize_10_2c(Eurydice_slice a);
 
 typedef struct uint8_t_x3_s {
   uint8_t fst;
@@ -591,11 +634,15 @@ void libcrux_ml_kem_vector_portable_serialize_serialize_12(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
     uint8_t ret[24U]);
 
+void libcrux_ml_kem_vector_portable_serialize_12(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[24U]);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-void libcrux_ml_kem_vector_portable_serialize_12_0d(
+void libcrux_ml_kem_vector_portable_serialize_12_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[24U]);
 
@@ -610,21 +657,24 @@ int16_t_x2 libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes);
 
+libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a);
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_12_0d(Eurydice_slice a);
+libcrux_ml_kem_vector_portable_deserialize_12_2c(Eurydice_slice a);
 
 size_t libcrux_ml_kem_vector_portable_sampling_rej_sample(
     Eurydice_slice a, Eurydice_slice result);
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-size_t libcrux_ml_kem_vector_portable_rej_sample_0d(Eurydice_slice a,
+size_t libcrux_ml_kem_vector_portable_rej_sample_2c(Eurydice_slice a,
                                                     Eurydice_slice out);
 
 /**
@@ -635,6 +685,14 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_vector_type_clone_3b(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *self);
 
+/**
+This function found in impl {(libcrux_ml_kem::vector::traits::Repr for
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+*/
+void libcrux_ml_kem_vector_portable_repr_94(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector x,
+    int16_t ret[16U]);
+
 #if defined(__cplusplus)
 }
 #endif
diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h
index a930941d7..5b00b2050 100644
--- a/libcrux-ml-kem/c/libcrux_sha3.h
+++ b/libcrux-ml-kem/c/libcrux_sha3.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_sha3_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
index a9b3b3f77..86cd49d43 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "internal/libcrux_sha3_avx2.h"
@@ -2084,37 +2084,27 @@ static KRML_MUSTINLINE void store_block_ef_3a(__m256i (*a)[5U],
 }
 
 /**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
 with types core_core_arch_x86___m256i
 with const generics
 - N= 4
 - RATE= 168
 */
-static KRML_MUSTINLINE void squeeze_next_block_970(
+static KRML_MUSTINLINE void squeeze_first_block_970(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
-  keccakf1600_a6(s);
   store_block_ef_3a(s->st, out);
 }
 
 /**
- Squeeze another block
-*/
-void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
-    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
-    Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
-  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
-  squeeze_next_block_970(s, buf);
-}
-
-/**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
 with types core_core_arch_x86___m256i
 with const generics
 - N= 4
 - RATE= 168
 */
-static KRML_MUSTINLINE void squeeze_first_block_970(
+static KRML_MUSTINLINE void squeeze_next_block_970(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
+  keccakf1600_a6(s);
   store_block_ef_3a(s->st, out);
 }
 
@@ -2154,6 +2144,16 @@ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks(
   squeeze_first_three_blocks_97(s, buf);
 }
 
+/**
+ Squeeze another block
+*/
+void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
+    Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
+  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
+  squeeze_next_block_970(s, buf);
+}
+
 /**
 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_five_blocks
 with types core_core_arch_x86___m256i
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
index 7b0eb2132..8cf00fb6d 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_sha3_avx2_H
@@ -55,16 +55,16 @@ void libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(
     Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3);
 
 /**
- Squeeze another block
+ Squeeze three blocks
 */
-void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
+void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3);
 
 /**
- Squeeze three blocks
+ Squeeze another block
 */
-void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks(
+void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3);
 
diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h
index 1e69eabe2..16c7766a0 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_sha3_internal_H
@@ -1425,27 +1425,27 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_3a(
 }
 
 /**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
 with types uint64_t
 with const generics
 - N= 1
 - RATE= 168
 */
-static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c6(
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c6(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
-  libcrux_sha3_generic_keccak_keccakf1600_04(s);
   libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out);
 }
 
 /**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
 with types uint64_t
 with const generics
 - N= 1
 - RATE= 168
 */
-static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c6(
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c6(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
   libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out);
 }
 
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c
index a56ecfbd8..fb6b2e649 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #include "libcrux_sha3_neon.h"
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h
index 7567bc4ae..62eca860c 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_sha3_neon_H
diff --git a/libcrux-ml-kem/cg/boring/eurydice_glue.h b/libcrux-ml-kem/cg/boring/eurydice_glue.h
index 79cf1285b..fc3ff07c2 100644
--- a/libcrux-ml-kem/cg/boring/eurydice_glue.h
+++ b/libcrux-ml-kem/cg/boring/eurydice_glue.h
@@ -165,7 +165,7 @@ static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x, uint8_t y) {
 // ITERATORS
 
 #define Eurydice_range_iter_next(iter_ptr, t, ret_t) \
-  (((iter_ptr)->start == (iter_ptr)->end)            \
+  (((iter_ptr)->start >= (iter_ptr)->end)            \
        ? (CLITERAL(ret_t){.tag = None})              \
        : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
 
diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt
index 3bbff9516..f79583aac 100644
--- a/libcrux-ml-kem/cg/code_gen.txt
+++ b/libcrux-ml-kem/cg/code_gen.txt
@@ -1,6 +1,6 @@
 This code was generated with the following revisions:
 Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
-Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
 Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
-F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
-Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c
+F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+Libcrux: da72c141597b1db012f3bc23a96330f6de112770
diff --git a/libcrux-ml-kem/cg/eurydice_glue.h b/libcrux-ml-kem/cg/eurydice_glue.h
index 3f9b35cc2..85c126615 100644
--- a/libcrux-ml-kem/cg/eurydice_glue.h
+++ b/libcrux-ml-kem/cg/eurydice_glue.h
@@ -20,6 +20,8 @@ extern "C" {
 #include "karamel/endianness.h"
 #include "karamel/target.h"
 
+#define LowStar_Ignore_ignore(e, t, _ret_t) ((void)e)
+
 // SLICES, ARRAYS, ETC.
 
 // The MSVC C++ compiler does not support compound literals.
@@ -160,7 +162,7 @@ static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x, uint8_t y) {
 // ITERATORS
 
 #define Eurydice_range_iter_next(iter_ptr, t, ret_t) \
-  (((iter_ptr)->start == (iter_ptr)->end)            \
+  (((iter_ptr)->start >= (iter_ptr)->end)            \
        ? (CLITERAL(ret_t){.tag = None, .f0 = 0})     \
        : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
 
diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h
index 797299a5e..1536ceb2d 100644
--- a/libcrux-ml-kem/cg/libcrux_core.h
+++ b/libcrux-ml-kem/cg/libcrux_core.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_core_H
@@ -220,15 +220,15 @@ typedef struct libcrux_ml_kem_types_MlKemPrivateKey_d9_s {
 
 /**
 This function found in impl {(core::default::Default for
-libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#8}
+libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#7}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.default_9e
+A monomorphic instance of libcrux_ml_kem.types.default_24
 with const generics
 - SIZE= 2400
 */
 static inline libcrux_ml_kem_types_MlKemPrivateKey_d9
-libcrux_ml_kem_types_default_9e_28(void) {
+libcrux_ml_kem_types_default_24_28(void) {
   libcrux_ml_kem_types_MlKemPrivateKey_d9 lit;
   lit.value[0U] = 0U;
   lit.value[1U] = 0U;
@@ -2638,17 +2638,14 @@ typedef struct libcrux_ml_kem_mlkem768_MlKem768Ciphertext_s {
 } libcrux_ml_kem_mlkem768_MlKem768Ciphertext;
 
 /**
- A reference to the raw byte slice.
+This function found in impl {libcrux_ml_kem::types::MlKemCiphertext<SIZE>#6}
 */
 /**
-This function found in impl {libcrux_ml_kem::types::MlKemCiphertext<SIZE>#7}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.types.as_slice_07
+A monomorphic instance of libcrux_ml_kem.types.as_slice_d4
 with const generics
 - SIZE= 1088
 */
-static inline uint8_t *libcrux_ml_kem_types_as_slice_07_80(
+static inline uint8_t *libcrux_ml_kem_types_as_slice_d4_80(
     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) {
   return self->value;
 }
@@ -2664,15 +2661,15 @@ typedef struct libcrux_ml_kem_types_MlKemPublicKey_30_s {
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#17}
+libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#19}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_40
+A monomorphic instance of libcrux_ml_kem.types.from_5f
 with const generics
 - SIZE= 1184
 */
 static inline libcrux_ml_kem_types_MlKemPublicKey_30
-libcrux_ml_kem_types_from_40_d0(uint8_t value[1184U]) {
+libcrux_ml_kem_types_from_5f_d0(uint8_t value[1184U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[1184U];
   memcpy(copy_of_value, value, (size_t)1184U * sizeof(uint8_t));
@@ -2686,21 +2683,18 @@ typedef struct libcrux_ml_kem_mlkem768_MlKem768KeyPair_s {
   libcrux_ml_kem_types_MlKemPublicKey_30 pk;
 } libcrux_ml_kem_mlkem768_MlKem768KeyPair;
 
-/**
- Create a new [`MlKemKeyPair`] from the secret and public key.
-*/
 /**
 This function found in impl
-{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>}
+{libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>#21}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_17
+A monomorphic instance of libcrux_ml_kem.types.from_3a
 with const generics
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
 */
 static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair
-libcrux_ml_kem_types_from_17_74(libcrux_ml_kem_types_MlKemPrivateKey_d9 sk,
+libcrux_ml_kem_types_from_3a_74(libcrux_ml_kem_types_MlKemPrivateKey_d9 sk,
                                 libcrux_ml_kem_types_MlKemPublicKey_30 pk) {
   return (
       CLITERAL(libcrux_ml_kem_mlkem768_MlKem768KeyPair){.sk = sk, .pk = pk});
@@ -2708,15 +2702,15 @@ libcrux_ml_kem_types_from_17_74(libcrux_ml_kem_types_MlKemPrivateKey_d9 sk,
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#10}
+libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#12}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_88
+A monomorphic instance of libcrux_ml_kem.types.from_9a
 with const generics
 - SIZE= 2400
 */
 static inline libcrux_ml_kem_types_MlKemPrivateKey_d9
-libcrux_ml_kem_types_from_88_28(uint8_t value[2400U]) {
+libcrux_ml_kem_types_from_9a_28(uint8_t value[2400U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[2400U];
   memcpy(copy_of_value, value, (size_t)2400U * sizeof(uint8_t));
@@ -2772,15 +2766,15 @@ typedef struct tuple_c2_s {
 
 /**
 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#3}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#5}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.from_fc
+A monomorphic instance of libcrux_ml_kem.types.from_00
 with const generics
 - SIZE= 1088
 */
 static inline libcrux_ml_kem_mlkem768_MlKem768Ciphertext
-libcrux_ml_kem_types_from_fc_80(uint8_t value[1088U]) {
+libcrux_ml_kem_types_from_00_80(uint8_t value[1088U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_value[1088U];
   memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t));
@@ -2790,21 +2784,37 @@ libcrux_ml_kem_types_from_fc_80(uint8_t value[1088U]) {
 }
 
 /**
- A reference to the raw byte slice.
-*/
-/**
-This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#21}
+This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#20}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.as_slice_ba
+A monomorphic instance of libcrux_ml_kem.types.as_slice_fd
 with const generics
 - SIZE= 1184
 */
-static inline uint8_t *libcrux_ml_kem_types_as_slice_ba_d0(
+static inline uint8_t *libcrux_ml_kem_types_as_slice_fd_d0(
     libcrux_ml_kem_types_MlKemPublicKey_30 *self) {
   return self->value;
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc
+with const generics
+- K= 3
+*/
+static KRML_MUSTINLINE uint8_t libcrux_ml_kem_utils_prf_input_inc_e0(
+    uint8_t (*prf_inputs)[33U], uint8_t domain_separator) {
+  uint8_t ret[3U][33U];
+  core_array___core__clone__Clone_for__Array_T__N___20__clone(
+      (size_t)3U, prf_inputs, ret, uint8_t[33U], void *);
+  LowStar_Ignore_ignore(ret, uint8_t[3U][33U], void *);
+  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
+    size_t i0 = i;
+    prf_inputs[i0][32U] = domain_separator;
+    domain_separator = (uint32_t)domain_separator + 1U;
+  }
+  return domain_separator;
+}
+
 /**
  Pad the `slice` with `0`s at the end.
 */
@@ -2845,14 +2855,14 @@ static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_b6(
 
 /**
 This function found in impl {(core::convert::AsRef<@Slice<u8>> for
-libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#2}
+libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#4}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.types.as_ref_fd
+A monomorphic instance of libcrux_ml_kem.types.as_ref_43
 with const generics
 - SIZE= 1088
 */
-static inline Eurydice_slice libcrux_ml_kem_types_as_ref_fd_80(
+static inline Eurydice_slice libcrux_ml_kem_types_as_ref_43_80(
     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) {
   return Eurydice_array_to_slice((size_t)1088U, self->value, uint8_t);
 }
diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h
index d29deded9..515fb6146 100644
--- a/libcrux-ml-kem/cg/libcrux_ct_ops.h
+++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_ct_ops_H
@@ -26,12 +26,9 @@ extern "C" {
 */
 static inline uint8_t libcrux_ml_kem_constant_time_ops_inz(uint8_t value) {
   uint16_t value0 = (uint16_t)value;
-  uint16_t result = (((uint32_t)value0 |
-                      (uint32_t)core_num__u16_7__wrapping_add(~value0, 1U)) &
-                     0xFFFFU) >>
-                        8U &
-                    1U;
-  return (uint8_t)result;
+  uint8_t result =
+      (uint8_t)((uint32_t)core_num__u16_7__wrapping_add(~value0, 1U) >> 8U);
+  return (uint32_t)result & 1U;
 }
 
 static KRML_NOINLINE uint8_t
@@ -48,9 +45,10 @@ static inline uint8_t libcrux_ml_kem_constant_time_ops_compare(
   uint8_t r = 0U;
   for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) {
     size_t i0 = i;
-    r = (uint32_t)r |
-        ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^
-         (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *));
+    uint8_t nr = (uint32_t)r |
+                 ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^
+                  (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *));
+    r = nr;
   }
   return libcrux_ml_kem_constant_time_ops_is_non_zero(r);
 }
@@ -74,10 +72,12 @@ static inline void libcrux_ml_kem_constant_time_ops_select_ct(
   for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE;
        i++) {
     size_t i0 = i;
-    out[i0] = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) &
-               (uint32_t)mask) |
-              ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) &
-               (uint32_t)~mask);
+    uint8_t outi =
+        ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) &
+         (uint32_t)mask) |
+        ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) &
+         (uint32_t)~mask);
+    out[i0] = outi;
   }
   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
index 09c5ec2f6..0ed56b579 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
@@ -47,37 +47,37 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H(
 typedef __m256i libcrux_ml_kem_vector_avx2_SIMD256Vector;
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_zero(void) {
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_vec_zero(void) {
   return libcrux_intrinsics_avx2_mm256_setzero_si256();
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_ea(void) {
-  return libcrux_ml_kem_vector_avx2_zero();
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_9a(void) {
+  return libcrux_ml_kem_vector_avx2_vec_zero();
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_from_i16_array(Eurydice_slice array) {
+libcrux_ml_kem_vector_avx2_vec_from_i16_array(Eurydice_slice array) {
   return libcrux_intrinsics_avx2_mm256_loadu_si256_i16(array);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice array) {
-  return libcrux_ml_kem_vector_avx2_from_i16_array(array);
+libcrux_ml_kem_vector_avx2_from_i16_array_9a(Eurydice_slice array) {
+  return libcrux_ml_kem_vector_avx2_vec_from_i16_array(array);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array(
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_vec_to_i16_array(
     __m256i v, int16_t ret[16U]) {
   int16_t output[16U] = {0U};
   libcrux_intrinsics_avx2_mm256_storeu_si256_i16(
@@ -87,12 +87,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_ea(
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_9a(
     __m256i x, int16_t ret[16U]) {
-  libcrux_ml_kem_vector_avx2_to_i16_array(x, ret);
+  libcrux_ml_kem_vector_avx2_vec_to_i16_array(x, ret);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -103,10 +103,10 @@ libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs, __m256i rhs) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_ea(__m256i lhs,
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_9a(__m256i lhs,
                                                                  __m256i *rhs) {
   return libcrux_ml_kem_vector_avx2_arithmetic_add(lhs, rhs[0U]);
 }
@@ -119,10 +119,10 @@ libcrux_ml_kem_vector_avx2_arithmetic_sub(__m256i lhs, __m256i rhs) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_ea(__m256i lhs,
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_9a(__m256i lhs,
                                                                  __m256i *rhs) {
   return libcrux_ml_kem_vector_avx2_arithmetic_sub(lhs, rhs[0U]);
 }
@@ -131,35 +131,35 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i vector,
                                                            int16_t constant) {
-  return libcrux_intrinsics_avx2_mm256_mullo_epi16(
-      vector, libcrux_intrinsics_avx2_mm256_set1_epi16(constant));
+  __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant);
+  return libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, cv);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_multiply_by_constant_ea(__m256i v, int16_t c) {
-  return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(v, c);
+libcrux_ml_kem_vector_avx2_multiply_by_constant_9a(__m256i vec, int16_t c) {
+  return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(vec, c);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant(
     __m256i vector, int16_t constant) {
-  return libcrux_intrinsics_avx2_mm256_and_si256(
-      vector, libcrux_intrinsics_avx2_mm256_set1_epi16(constant));
+  __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant);
+  return libcrux_intrinsics_avx2_mm256_and_si256(vector, cv);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea(__m256i vector,
+libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_9a(__m256i vector,
                                                         int16_t constant) {
   return libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant(
       vector, constant);
@@ -180,14 +180,20 @@ libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i vector) {
                                                  conditional_add_field_modulus);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_cond_subtract_3329(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector);
+libcrux_ml_kem_vector_avx2_cond_subtract_3329_9a(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_cond_subtract_3329(vector);
 }
 
 #define LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER \
@@ -200,13 +206,13 @@ libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(__m256i vector) {
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) {
-  __m256i t = libcrux_intrinsics_avx2_mm256_mulhi_epi16(
+  __m256i t0 = libcrux_intrinsics_avx2_mm256_mulhi_epi16(
       vector, libcrux_intrinsics_avx2_mm256_set1_epi16(
                   LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER));
-  __m256i t0 = libcrux_intrinsics_avx2_mm256_add_epi16(
-      t, libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)512));
+  __m256i t512 = libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)512);
+  __m256i t1 = libcrux_intrinsics_avx2_mm256_add_epi16(t0, t512);
   __m256i quotient =
-      libcrux_intrinsics_avx2_mm256_srai_epi16((int32_t)10, t0, __m256i);
+      libcrux_intrinsics_avx2_mm256_srai_epi16((int32_t)10, t1, __m256i);
   __m256i quotient_times_field_modulus =
       libcrux_intrinsics_avx2_mm256_mullo_epi16(
           quotient, libcrux_intrinsics_avx2_mm256_set1_epi16(
@@ -217,11 +223,11 @@ libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_barrett_reduce_ea(__m256i vector) {
+libcrux_ml_kem_vector_avx2_barrett_reduce_9a(__m256i vector) {
   return libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(vector);
 }
 
@@ -229,29 +235,30 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant(
     __m256i vector, int16_t constant) {
-  __m256i constant0 = libcrux_intrinsics_avx2_mm256_set1_epi16(constant);
+  __m256i vec_constant = libcrux_intrinsics_avx2_mm256_set1_epi16(constant);
   __m256i value_low =
-      libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, constant0);
+      libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, vec_constant);
   __m256i k = libcrux_intrinsics_avx2_mm256_mullo_epi16(
       value_low,
       libcrux_intrinsics_avx2_mm256_set1_epi16(
           (int16_t)
               LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R));
-  __m256i k_times_modulus = libcrux_intrinsics_avx2_mm256_mulhi_epi16(
-      k, libcrux_intrinsics_avx2_mm256_set1_epi16(
-             LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS));
+  __m256i modulus = libcrux_intrinsics_avx2_mm256_set1_epi16(
+      LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
+  __m256i k_times_modulus =
+      libcrux_intrinsics_avx2_mm256_mulhi_epi16(k, modulus);
   __m256i value_high =
-      libcrux_intrinsics_avx2_mm256_mulhi_epi16(vector, constant0);
+      libcrux_intrinsics_avx2_mm256_mulhi_epi16(vector, vec_constant);
   return libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
+libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
     __m256i vector, int16_t constant) {
   return libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant(
       vector, constant);
@@ -278,15 +285,21 @@ libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
       (int32_t)15, shifted_to_positive_in_range, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_1(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_compress_1_ea(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(
-      vector);
+libcrux_ml_kem_vector_avx2_compress_1_9a(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_1(vector);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -305,17 +318,19 @@ libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(__m256i lhs,
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants(
-    __m256i v, __m256i c) {
-  __m256i value_low = libcrux_intrinsics_avx2_mm256_mullo_epi16(v, c);
+    __m256i vec, __m256i constants) {
+  __m256i value_low = libcrux_intrinsics_avx2_mm256_mullo_epi16(vec, constants);
   __m256i k = libcrux_intrinsics_avx2_mm256_mullo_epi16(
       value_low,
       libcrux_intrinsics_avx2_mm256_set1_epi16(
           (int16_t)
               LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R));
-  __m256i k_times_modulus = libcrux_intrinsics_avx2_mm256_mulhi_epi16(
-      k, libcrux_intrinsics_avx2_mm256_set1_epi16(
-             LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS));
-  __m256i value_high = libcrux_intrinsics_avx2_mm256_mulhi_epi16(v, c);
+  __m256i modulus = libcrux_intrinsics_avx2_mm256_set1_epi16(
+      LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
+  __m256i k_times_modulus =
+      libcrux_intrinsics_avx2_mm256_mulhi_epi16(k, modulus);
+  __m256i value_high =
+      libcrux_intrinsics_avx2_mm256_mulhi_epi16(vec, constants);
   return libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus);
 }
 
@@ -336,16 +351,24 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(
   return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                         zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea(
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_9a(
     __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1,
-                                                         zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                     zeta2, zeta3);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -364,30 +387,36 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(
   return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea(
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_9a(
     __m256i vector, int16_t zeta0, int16_t zeta1) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1);
+  return libcrux_ml_kem_vector_avx2_ntt_layer_2_step(vector, zeta0, zeta1);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m128i
 libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants(
-    __m128i v, __m128i c) {
-  __m128i value_low = libcrux_intrinsics_avx2_mm_mullo_epi16(v, c);
+    __m128i vec, __m128i constants) {
+  __m128i value_low = libcrux_intrinsics_avx2_mm_mullo_epi16(vec, constants);
   __m128i k = libcrux_intrinsics_avx2_mm_mullo_epi16(
       value_low,
       libcrux_intrinsics_avx2_mm_set1_epi16(
           (int16_t)
               LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R));
-  __m128i k_times_modulus = libcrux_intrinsics_avx2_mm_mulhi_epi16(
-      k, libcrux_intrinsics_avx2_mm_set1_epi16(
-             LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS));
-  __m128i value_high = libcrux_intrinsics_avx2_mm_mulhi_epi16(v, c);
+  __m128i modulus = libcrux_intrinsics_avx2_mm_set1_epi16(
+      LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
+  __m128i k_times_modulus = libcrux_intrinsics_avx2_mm_mulhi_epi16(k, modulus);
+  __m128i value_high = libcrux_intrinsics_avx2_mm_mulhi_epi16(vec, constants);
   return libcrux_intrinsics_avx2_mm_sub_epi16(value_high, k_times_modulus);
 }
 
@@ -408,14 +437,20 @@ libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, int16_t zeta) {
       (int32_t)1, combined, upper_coefficients, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_ntt_layer_3_step(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea(__m256i vector, int16_t zeta) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta);
+libcrux_ml_kem_vector_avx2_ntt_layer_3_step_9a(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_layer_3_step(vector, zeta);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -447,18 +482,26 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(__m256i vector,
                                                    sum_times_zetas, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
+      vector, zeta0, zeta1, zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea(__m256i vector,
+libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_9a(__m256i vector,
                                                    int16_t zeta0, int16_t zeta1,
                                                    int16_t zeta2,
                                                    int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(
-      vector, zeta0, zeta1, zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(vector, zeta0, zeta1,
+                                                         zeta2, zeta3);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -487,17 +530,23 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector,
                                                    sum_times_zetas, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(
+    __m256i vector, int16_t zeta0, int16_t zeta1) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0,
+                                                             zeta1);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea(__m256i vector,
+libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_9a(__m256i vector,
                                                    int16_t zeta0,
                                                    int16_t zeta1) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0,
-                                                             zeta1);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(vector, zeta0, zeta1);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -518,22 +567,28 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(__m256i vector,
       (int32_t)1, combined, upper_coefficients0, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(__m256i vector, int16_t zeta) {
+  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea(__m256i vector,
+libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_9a(__m256i vector,
                                                    int16_t zeta) {
-  return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta);
+  return libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(vector, zeta);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i v) {
+libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i vec) {
   __m256i k = libcrux_intrinsics_avx2_mm256_mullo_epi16(
-      v,
+      vec,
       libcrux_intrinsics_avx2_mm256_set1_epi32(
           (int32_t)
               LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R));
@@ -541,7 +596,7 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i v) {
       k, libcrux_intrinsics_avx2_mm256_set1_epi32(
              (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS));
   __m256i value_high =
-      libcrux_intrinsics_avx2_mm256_srli_epi32((int32_t)16, v, __m256i);
+      libcrux_intrinsics_avx2_mm256_srli_epi32((int32_t)16, vec, __m256i);
   __m256i result =
       libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus);
   __m256i result0 =
@@ -616,16 +671,24 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(
                                                    products_right1, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply(
+    __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2,
+    int16_t zeta3) {
+  return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0,
+                                                     zeta1, zeta2, zeta3);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_ea(
+static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_9a(
     __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2,
     int16_t zeta3) {
-  return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0,
-                                                     zeta1, zeta2, zeta3);
+  return libcrux_ml_kem_vector_avx2_ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2,
+                                                 zeta3);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -638,73 +701,99 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1(
       (int32_t)1, lsb_to_msb, __m128i);
   __m128i msbs = libcrux_intrinsics_avx2_mm_packs_epi16(low_msbs, high_msbs);
   int32_t bits_packed = libcrux_intrinsics_avx2_mm_movemask_epi8(msbs);
-  uint8_t serialized[2U] = {0U};
-  serialized[0U] = (uint8_t)bits_packed;
-  serialized[1U] = (uint8_t)(bits_packed >> 8U);
-  memcpy(ret, serialized, (size_t)2U * sizeof(uint8_t));
+  uint8_t result[2U] = {(uint8_t)bits_packed, (uint8_t)(bits_packed >> 8U)};
+  memcpy(ret, result, (size_t)2U * sizeof(uint8_t));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1(
+    __m256i vector, uint8_t ret[2U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_ea(
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_9a(
     __m256i vector, uint8_t ret[2U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_1(vector, ret);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) {
+libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s(
+    int16_t a, int16_t b) {
   __m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16(
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *));
-  __m256i shift_lsb_to_msb = libcrux_intrinsics_avx2_mm256_set_epi16(
-      (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U,
-      (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768,
-      (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U,
-      (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768);
-  __m256i coefficients_in_msb =
-      libcrux_intrinsics_avx2_mm256_mullo_epi16(coefficients, shift_lsb_to_msb);
+      b, b, b, b, b, b, b, b, a, a, a, a, a, a, a, a);
+  __m256i coefficients_in_msb = libcrux_intrinsics_avx2_mm256_mullo_epi16(
+      coefficients, libcrux_intrinsics_avx2_mm256_set_epi16(
+                        (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U,
+                        (int16_t)1 << 11U, (int16_t)1 << 12U, (int16_t)1 << 13U,
+                        (int16_t)1 << 14U, (int16_t)-32768, (int16_t)1 << 8U,
+                        (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U,
+                        (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U,
+                        (int16_t)-32768));
   return libcrux_intrinsics_avx2_mm256_srli_epi16((int32_t)15,
                                                   coefficients_in_msb, __m256i);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s(
+    uint8_t a, uint8_t b) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s(
+      (int16_t)a, (int16_t)b);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s(
+      Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_1(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_1_ea(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes);
+libcrux_ml_kem_vector_avx2_deserialize_1_9a(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_deserialize_1(bytes);
+}
+
+/**
+ `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets
+ of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of
+ 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last
+ `n` bits are non-zero).
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n,
+                                                          __m256i x) {
+  int16_t n0 = (int16_t)1 << (uint32_t)n;
+  return libcrux_intrinsics_avx2_mm256_madd_epi16(
+      x, libcrux_intrinsics_avx2_mm256_set_epi16(
+             n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0,
+             (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1));
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4(
     __m256i vector, uint8_t ret[8U]) {
   uint8_t serialized[16U] = {0U};
-  __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_madd_epi16(
-      vector, libcrux_intrinsics_avx2_mm256_set_epi16(
-                  (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1,
-                  (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1,
-                  (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1,
-                  (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1));
+  __m256i adjacent_2_combined =
+      libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(4U, vector);
   __m256i adjacent_8_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
       adjacent_2_combined,
       libcrux_intrinsics_avx2_mm256_set_epi8(
@@ -731,43 +820,37 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4(
   memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4(
+    __m256i vector, uint8_t ret[8U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_ea(
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_9a(
     __m256i vector, uint8_t ret[8U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_4(vector, ret);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) {
+libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s(
+    int16_t b0, int16_t b1, int16_t b2, int16_t b3, int16_t b4, int16_t b5,
+    int16_t b6, int16_t b7) {
   __m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16(
-      (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
-      (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *));
-  __m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16(
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U);
+      b7, b7, b6, b6, b5, b5, b4, b4, b3, b3, b2, b2, b1, b1, b0, b0);
   __m256i coefficients_in_msb = libcrux_intrinsics_avx2_mm256_mullo_epi16(
-      coefficients, shift_lsbs_to_msbs);
+      coefficients, libcrux_intrinsics_avx2_mm256_set_epi16(
+                        (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                        (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
+                        (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                        (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
+                        (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                        (int16_t)1 << 4U));
   __m256i coefficients_in_lsb = libcrux_intrinsics_avx2_mm256_srli_epi16(
       (int32_t)4, coefficients_in_msb, __m256i);
   return libcrux_intrinsics_avx2_mm256_and_si256(
@@ -775,14 +858,44 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) {
                                ((int16_t)1 << 4U) - (int16_t)1));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s(
+    uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5,
+    uint8_t b6, uint8_t b7) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s(
+      (int16_t)b0, (int16_t)b1, (int16_t)b2, (int16_t)b3, (int16_t)b4,
+      (int16_t)b5, (int16_t)b6, (int16_t)b7);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s(
+      Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *),
+      Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_4(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_4_ea(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes);
+libcrux_ml_kem_vector_avx2_deserialize_4_9a(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_deserialize_4(bytes);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -833,14 +946,32 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_5(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_ea(
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_9a(
     __m256i vector, uint8_t ret[10U]) {
   libcrux_ml_kem_vector_avx2_serialize_serialize_5(vector, ret);
 }
 
+/**
+ We cannot model `mm256_inserti128_si256` on its own: it produces a
+ Vec256 where the upper 128 bits are undefined. Thus
+ `mm256_inserti128_si256` is not pure.
+
+ Luckily, we always call `mm256_castsi128_si256` right after
+ `mm256_inserti128_si256`: this composition sets the upper bits,
+ making the whole computation pure again.
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(__m128i lower,
+                                                                __m128i upper) {
+  return libcrux_intrinsics_avx2_mm256_inserti128_si256(
+      (int32_t)1, libcrux_intrinsics_avx2_mm256_castsi128_si256(lower), upper,
+      __m256i);
+}
+
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) {
@@ -862,11 +993,10 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) {
       Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *),
       Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *));
   __m256i coefficients_loaded =
-      libcrux_intrinsics_avx2_mm256_castsi128_si256(coefficients);
-  __m256i coefficients_loaded0 = libcrux_intrinsics_avx2_mm256_inserti128_si256(
-      (int32_t)1, coefficients_loaded, coefficients, __m256i);
+      libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(
+          coefficients, coefficients);
   __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_shuffle_epi8(
-      coefficients_loaded0,
+      coefficients_loaded,
       libcrux_intrinsics_avx2_mm256_set_epi8(
           (int8_t)15, (int8_t)14, (int8_t)15, (int8_t)14, (int8_t)13,
           (int8_t)12, (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)10,
@@ -888,25 +1018,25 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_5_ea(Eurydice_slice bytes) {
+libcrux_ml_kem_vector_avx2_deserialize_5_9a(Eurydice_slice bytes) {
   return libcrux_ml_kem_vector_avx2_serialize_deserialize_5(bytes);
 }
 
+typedef struct core_core_arch_x86___m128i_x2_s {
+  __m128i fst;
+  __m128i snd;
+} core_core_arch_x86___m128i_x2;
+
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
-    __m256i vector, uint8_t ret[20U]) {
-  uint8_t serialized[32U] = {0U};
-  __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_madd_epi16(
-      vector,
-      libcrux_intrinsics_avx2_mm256_set_epi16(
-          (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, (int16_t)1,
-          (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, (int16_t)1,
-          (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, (int16_t)1,
-          (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, (int16_t)1));
+static inline core_core_arch_x86___m128i_x2
+libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec(
+    __m256i vector) {
+  __m256i adjacent_2_combined =
+      libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(10U, vector);
   __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
       adjacent_2_combined,
       libcrux_intrinsics_avx2_mm256_set_epi32(
@@ -925,11 +1055,24 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
           (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0));
   __m128i lower_8 =
       libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_8_combined);
+  __m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256(
+      (int32_t)1, adjacent_8_combined, __m128i);
+  return (
+      CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8});
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
+    __m256i vector, uint8_t ret[20U]) {
+  core_core_arch_x86___m128i_x2 uu____0 =
+      libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec(
+          vector);
+  __m128i lower_8 = uu____0.fst;
+  __m128i upper_8 = uu____0.snd;
+  uint8_t serialized[32U] = {0U};
   libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
       Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t),
       lower_8);
-  __m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256(
-      (int32_t)1, adjacent_8_combined, __m128i);
   libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
       Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U,
                                   uint8_t),
@@ -944,57 +1087,78 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10(
   memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10(
+    __m256i vector, uint8_t ret[20U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_ea(
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_9a(
     __m256i vector, uint8_t ret[20U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_10(vector, ret);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) {
-  __m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16(
-      (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U,
-      (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U,
-      (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U,
-      (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U);
-  __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128(
-      Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t));
-  __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
-      lower_coefficients,
+libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec(
+    __m128i lower_coefficients0, __m128i upper_coefficients0) {
+  __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      lower_coefficients0,
       libcrux_intrinsics_avx2_mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U,
                                           3U, 3U, 2U, 2U, 1U, 1U, 0U));
-  __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128(
-      Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t));
-  __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
-      upper_coefficients, libcrux_intrinsics_avx2_mm_set_epi8(
-                              15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, 10U, 9U,
-                              9U, 8U, 8U, 7U, 7U, 6U));
+  __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      upper_coefficients0, libcrux_intrinsics_avx2_mm_set_epi8(
+                               15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, 10U, 9U,
+                               9U, 8U, 8U, 7U, 7U, 6U));
   __m256i coefficients =
-      libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients0);
-  __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_inserti128_si256(
-      (int32_t)1, coefficients, upper_coefficients0, __m256i);
-  __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_mullo_epi16(
-      coefficients0, shift_lsbs_to_msbs);
-  __m256i coefficients2 = libcrux_intrinsics_avx2_mm256_srli_epi16(
-      (int32_t)6, coefficients1, __m256i);
+      libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(
+          lower_coefficients, upper_coefficients);
+  __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_mullo_epi16(
+      coefficients, libcrux_intrinsics_avx2_mm256_set_epi16(
+                        (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U,
+                        (int16_t)1 << 6U, (int16_t)1 << 0U, (int16_t)1 << 2U,
+                        (int16_t)1 << 4U, (int16_t)1 << 6U, (int16_t)1 << 0U,
+                        (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U,
+                        (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U,
+                        (int16_t)1 << 6U));
+  __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_srli_epi16(
+      (int32_t)6, coefficients0, __m256i);
   return libcrux_intrinsics_avx2_mm256_and_si256(
-      coefficients2, libcrux_intrinsics_avx2_mm256_set1_epi16(
+      coefficients1, libcrux_intrinsics_avx2_mm256_set1_epi16(
                          ((int16_t)1 << 10U) - (int16_t)1));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) {
+  Eurydice_slice lower_coefficients =
+      Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t);
+  Eurydice_slice upper_coefficients =
+      Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t);
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec(
+      libcrux_intrinsics_avx2_mm_loadu_si128(lower_coefficients),
+      libcrux_intrinsics_avx2_mm_loadu_si128(upper_coefficients));
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_10(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_10_ea(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes);
+libcrux_ml_kem_vector_avx2_deserialize_10_9a(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_deserialize_10(bytes);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -1004,19 +1168,19 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_11(
   libcrux_intrinsics_avx2_mm256_storeu_si256_i16(
       Eurydice_array_to_slice((size_t)16U, array, int16_t), vector);
   libcrux_ml_kem_vector_portable_vector_type_PortableVector input =
-      libcrux_ml_kem_vector_portable_from_i16_array_0d(
+      libcrux_ml_kem_vector_portable_from_i16_array_2c(
           Eurydice_array_to_slice((size_t)16U, array, int16_t));
   uint8_t ret0[22U];
-  libcrux_ml_kem_vector_portable_serialize_11_0d(input, ret0);
+  libcrux_ml_kem_vector_portable_serialize_11_2c(input, ret0);
   memcpy(ret, ret0, (size_t)22U * sizeof(uint8_t));
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_11_ea(
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_11_9a(
     __m256i vector, uint8_t ret[22U]) {
   libcrux_ml_kem_vector_avx2_serialize_serialize_11(vector, ret);
 }
@@ -1025,34 +1189,29 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_avx2_serialize_deserialize_11(Eurydice_slice bytes) {
   libcrux_ml_kem_vector_portable_vector_type_PortableVector output =
-      libcrux_ml_kem_vector_portable_deserialize_11_0d(bytes);
+      libcrux_ml_kem_vector_portable_deserialize_11_2c(bytes);
   int16_t array[16U];
-  libcrux_ml_kem_vector_portable_to_i16_array_0d(output, array);
+  libcrux_ml_kem_vector_portable_to_i16_array_2c(output, array);
   return libcrux_intrinsics_avx2_mm256_loadu_si256_i16(
       Eurydice_array_to_slice((size_t)16U, array, int16_t));
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_11_ea(Eurydice_slice bytes) {
+libcrux_ml_kem_vector_avx2_deserialize_11_9a(Eurydice_slice bytes) {
   return libcrux_ml_kem_vector_avx2_serialize_deserialize_11(bytes);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
-    __m256i vector, uint8_t ret[24U]) {
-  uint8_t serialized[32U] = {0U};
-  __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_madd_epi16(
-      vector,
-      libcrux_intrinsics_avx2_mm256_set_epi16(
-          (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1,
-          (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1,
-          (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1,
-          (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1));
+static KRML_MUSTINLINE core_core_arch_x86___m128i_x2
+libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec(
+    __m256i vector) {
+  __m256i adjacent_2_combined =
+      libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(12U, vector);
   __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32(
       adjacent_2_combined, libcrux_intrinsics_avx2_mm256_set_epi32(
                                (int32_t)0, (int32_t)8, (int32_t)0, (int32_t)8,
@@ -1072,6 +1231,19 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
       libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_8_combined);
   __m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256(
       (int32_t)1, adjacent_8_combined, __m128i);
+  return (
+      CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8});
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
+    __m256i vector, uint8_t ret[24U]) {
+  uint8_t serialized[32U] = {0U};
+  core_core_arch_x86___m128i_x2 uu____0 =
+      libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec(
+          vector);
+  __m128i lower_8 = uu____0.fst;
+  __m128i upper_8 = uu____0.snd;
   libcrux_intrinsics_avx2_mm_storeu_bytes_si128(
       Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t),
       lower_8);
@@ -1089,57 +1261,77 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12(
   memcpy(ret, ret0, (size_t)24U * sizeof(uint8_t));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12(
+    __m256i vector, uint8_t ret[24U]) {
+  libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_ea(
+static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_9a(
     __m256i vector, uint8_t ret[24U]) {
-  libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret);
+  libcrux_ml_kem_vector_avx2_serialize_12(vector, ret);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) {
-  __m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16(
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
-      (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U);
-  __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128(
-      Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t));
-  __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
-      lower_coefficients,
+libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec(
+    __m128i lower_coefficients0, __m128i upper_coefficients0) {
+  __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      lower_coefficients0,
       libcrux_intrinsics_avx2_mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U,
                                           4U, 4U, 3U, 2U, 1U, 1U, 0U));
-  __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128(
-      Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t));
-  __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8(
-      upper_coefficients,
+  __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8(
+      upper_coefficients0,
       libcrux_intrinsics_avx2_mm_set_epi8(15U, 14U, 14U, 13U, 12U, 11U, 11U,
                                           10U, 9U, 8U, 8U, 7U, 6U, 5U, 5U, 4U));
   __m256i coefficients =
-      libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients0);
-  __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_inserti128_si256(
-      (int32_t)1, coefficients, upper_coefficients0, __m256i);
-  __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_mullo_epi16(
-      coefficients0, shift_lsbs_to_msbs);
-  __m256i coefficients2 = libcrux_intrinsics_avx2_mm256_srli_epi16(
-      (int32_t)4, coefficients1, __m256i);
+      libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(
+          lower_coefficients, upper_coefficients);
+  __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_mullo_epi16(
+      coefficients, libcrux_intrinsics_avx2_mm256_set_epi16(
+                        (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                        (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
+                        (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                        (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U,
+                        (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U,
+                        (int16_t)1 << 4U));
+  __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_srli_epi16(
+      (int32_t)4, coefficients0, __m256i);
   return libcrux_intrinsics_avx2_mm256_and_si256(
-      coefficients2, libcrux_intrinsics_avx2_mm256_set1_epi16(
+      coefficients1, libcrux_intrinsics_avx2_mm256_set1_epi16(
                          ((int16_t)1 << 12U) - (int16_t)1));
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) {
+  __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t));
+  __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128(
+      Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t));
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec(
+      lower_coefficients, upper_coefficients);
+}
+
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_deserialize_12(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_deserialize_12_ea(Eurydice_slice bytes) {
-  return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes);
+libcrux_ml_kem_vector_avx2_deserialize_12_9a(Eurydice_slice bytes) {
+  return libcrux_ml_kem_vector_avx2_deserialize_12(bytes);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
@@ -1190,10 +1382,10 @@ libcrux_ml_kem_vector_avx2_sampling_rejection_sample(Eurydice_slice input,
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_ea(
+static KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_9a(
     Eurydice_slice input, Eurydice_slice output) {
   return libcrux_ml_kem_vector_avx2_sampling_rejection_sample(input, output);
 }
@@ -1210,34 +1402,34 @@ typedef struct libcrux_ml_kem_polynomial_PolynomialRingElement_f6_s {
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_ef
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_ZERO_d6_79(void) {
+libcrux_ml_kem_polynomial_ZERO_ef_79(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit;
-  lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
-  lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_ea();
+  lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
   return lit;
 }
 
@@ -1250,7 +1442,7 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_ab(size_t _) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_79();
+  return libcrux_ml_kem_polynomial_ZERO_ef_79();
 }
 
 /**
@@ -1264,13 +1456,13 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_79(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
-    re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes);
+    re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_9a(bytes);
   }
   return re;
 }
@@ -1290,7 +1482,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_ab(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+    secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   }
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(secret_key, uint8_t) /
@@ -1333,7 +1525,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_ed(size_t _) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_79();
+  return libcrux_ml_kem_polynomial_ZERO_ef_79();
 }
 
 /**
@@ -1386,17 +1578,17 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const
+libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_9a with const
 generics
 - COEFFICIENT_BITS= 10
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_ef(
+libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_9a_ef(
     __m256i vector) {
   return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef(
       vector);
@@ -1413,15 +1605,15 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_serialize_deserialize_then_decompress_10_79(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t);
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_ea(bytes);
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_9a(bytes);
     re.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_ef(
+        libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_9a_ef(
             coefficient);
   }
   return re;
@@ -1477,17 +1669,17 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_c4(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const
+libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_9a with const
 generics
 - COEFFICIENT_BITS= 11
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_c4(
+libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_9a_c4(
     __m256i vector) {
   return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_c4(
       vector);
@@ -1504,15 +1696,15 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_serialize_deserialize_then_decompress_11_79(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t);
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_ea(bytes);
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_9a(bytes);
     re.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_c4(
+        libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_9a_c4(
             coefficient);
   }
   return re;
@@ -1545,7 +1737,7 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_traits_montgomery_multiply_fe_79(__m256i v, int16_t fer) {
-  return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(v, fer);
+  return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(v, fer);
 }
 
 /**
@@ -1559,8 +1751,8 @@ static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2
 libcrux_ml_kem_ntt_ntt_layer_int_vec_step_79(__m256i a, __m256i b,
                                              int16_t zeta_r) {
   __m256i t = libcrux_ml_kem_vector_traits_montgomery_multiply_fe_79(b, zeta_r);
-  b = libcrux_ml_kem_vector_avx2_sub_ea(a, &t);
-  a = libcrux_ml_kem_vector_avx2_add_ea(a, &t);
+  b = libcrux_ml_kem_vector_avx2_sub_9a(a, &t);
+  a = libcrux_ml_kem_vector_avx2_add_9a(a, &t);
   return (CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a,
                                                                 .snd = b});
 }
@@ -1587,7 +1779,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(
       libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 =
           libcrux_ml_kem_ntt_ntt_layer_int_vec_step_79(
               re->coefficients[j], re->coefficients[j + step_vec],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       __m256i x = uu____0.fst;
       __m256i y = uu____0.snd;
       re->coefficients[j] = x;
@@ -1605,13 +1797,12 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_79(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re,
-    size_t _layer, size_t _initial_coefficient_bound) {
+    size_t _initial_coefficient_bound) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
-    re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea(
-        re->coefficients[round],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+    re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_9a(
+        re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
   }
 }
 
@@ -1624,15 +1815,13 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_79(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re,
-    size_t _layer, size_t _initial_coefficient_bound) {
+    size_t _initial_coefficient_bound) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
-    re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea(
-        re->coefficients[round],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                           (size_t)1U]);
+    re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_9a(
+        re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+        libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U));
     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
   }
 }
@@ -1646,43 +1835,51 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_79(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re,
-    size_t _layer, size_t _initial_coefficient_bound) {
+    size_t _initial_coefficient_bound) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
-    re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea(
-        re->coefficients[round],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                           (size_t)1U],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                           (size_t)2U],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                           (size_t)3U]);
+    re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_9a(
+        re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+        libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U),
+        libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U),
+        libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U));
     zeta_i[0U] = zeta_i[0U] + (size_t)3U;
   }
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself) {
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
+    size_t i0 = i;
+    myself->coefficients[i0] =
+        libcrux_ml_kem_vector_avx2_barrett_reduce_9a(myself->coefficients[i0]);
+  }
+}
+
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_ef
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_79(
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_79(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) {
-  for (size_t i = (size_t)0U;
-       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
-    size_t i0 = i;
-    self->coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_barrett_reduce_ea(self->coefficients[i0]);
-  }
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_79(self);
 }
 
 /**
@@ -1698,15 +1895,15 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_ee(
   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U,
                                             (size_t)3328U);
   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U,
-                                            (size_t)3328U);
+                                            (size_t)2U * (size_t)3328U);
   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U,
-                                            (size_t)3328U);
+                                            (size_t)3U * (size_t)3328U);
   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U,
-                                            (size_t)3328U);
-  libcrux_ml_kem_ntt_ntt_at_layer_3_79(&zeta_i, re, (size_t)3U, (size_t)3328U);
-  libcrux_ml_kem_ntt_ntt_at_layer_2_79(&zeta_i, re, (size_t)2U, (size_t)3328U);
-  libcrux_ml_kem_ntt_ntt_at_layer_1_79(&zeta_i, re, (size_t)1U, (size_t)3328U);
-  libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_79(re);
+                                            (size_t)4U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_3_79(&zeta_i, re, (size_t)5U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_2_79(&zeta_i, re, (size_t)6U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_1_79(&zeta_i, re, (size_t)7U * (size_t)3328U);
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_79(re);
 }
 
 /**
@@ -1728,7 +1925,7 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+    u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   }
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
@@ -1807,17 +2004,17 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const
+libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_9a with const
 generics
 - COEFFICIENT_BITS= 4
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_d1(
+libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_9a_d1(
     __m256i vector) {
   return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1(
       vector);
@@ -1834,15 +2031,15 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_serialize_deserialize_then_decompress_4_79(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_ea(bytes);
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_9a(bytes);
     re.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_d1(
+        libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_9a_d1(
             coefficient);
   }
   return re;
@@ -1898,17 +2095,17 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f4(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const
+libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_9a with const
 generics
 - COEFFICIENT_BITS= 5
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_f4(
+libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_9a_f4(
     __m256i vector) {
   return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f4(
       vector);
@@ -1925,15 +2122,15 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_serialize_deserialize_then_decompress_5_79(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t);
-    re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_ea(bytes);
+    re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_9a(bytes);
     re.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_f4(
+        libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_9a_f4(
             re.coefficients[i0]);
   }
   return re;
@@ -1943,15 +2140,45 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_5_79(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_v with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
+- K= 3
 - COMPRESSION_FACTOR= 4
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_42(
+libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_ed(
     Eurydice_slice serialized) {
   return libcrux_ml_kem_serialize_deserialize_then_decompress_4_79(serialized);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_ZERO_79(void) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit;
+  lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  return lit;
+}
+
 /**
  Given two `KyberPolynomialRingElement`s in their NTT representations,
  compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
@@ -1980,73 +2207,96 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_42(
  <https://csrc.nist.gov/pubs/fips/203/ipd>.
 */
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_ntt_multiply_d6_79(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+libcrux_ml_kem_polynomial_ntt_multiply_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_79();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
-    out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_ea(
-        &self->coefficients[i0], &rhs->coefficients[i0],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                           (size_t)4U * i0],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                           (size_t)4U * i0 +
-                                                           (size_t)1U],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                           (size_t)4U * i0 +
-                                                           (size_t)2U],
-        libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                           (size_t)4U * i0 +
-                                                           (size_t)3U]);
+    out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_9a(
+        &myself->coefficients[i0], &rhs->coefficients[i0],
+        libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0),
+        libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                       (size_t)1U),
+        libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                       (size_t)2U),
+        libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                       (size_t)3U));
   }
   return out;
 }
 
-/**
- Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
- sum of their constituent coefficients.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
-- K= 3
+
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_ntt_multiply_ef_79(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  return libcrux_ml_kem_polynomial_ntt_multiply_79(self, rhs);
+}
+
+/**
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 3
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ab(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(Eurydice_array_to_slice(
-                                  (size_t)16U, self->coefficients, __m256i),
+                                  (size_t)16U, myself->coefficients, __m256i),
                               __m256i);
        i++) {
     size_t i0 = i;
-    self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea(
-        self->coefficients[i0], &rhs->coefficients[i0]);
+    myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_9a(
+        myself->coefficients[i0], &rhs->coefficients[i0]);
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 3
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) {
+  libcrux_ml_kem_polynomial_add_to_ring_element_ab(self, rhs);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.invert_ntt.invert_ntt_at_layer_1
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
@@ -2055,21 +2305,16 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_79(
-    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re,
-    size_t _layer) {
+    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
     re->coefficients[round] =
-        libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea(
-            re->coefficients[round],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                               (size_t)1U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                               (size_t)2U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                               (size_t)3U]);
+        libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_9a(
+            re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U));
     zeta_i[0U] = zeta_i[0U] - (size_t)3U;
   }
 }
@@ -2082,17 +2327,14 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_79(
-    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re,
-    size_t _layer) {
+    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
     re->coefficients[round] =
-        libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea(
-            re->coefficients[round],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                               (size_t)1U]);
+        libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_9a(
+            re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U));
     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
   }
 }
@@ -2105,15 +2347,14 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_79(
-    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re,
-    size_t _layer) {
+    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
     re->coefficients[round] =
-        libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea(
+        libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_9a(
             re->coefficients[round],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
   }
 }
 
@@ -2128,9 +2369,9 @@ static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2
 libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_79(__m256i a,
                                                                __m256i b,
                                                                int16_t zeta_r) {
-  __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_ea(b, &a);
-  a = libcrux_ml_kem_vector_avx2_barrett_reduce_ea(
-      libcrux_ml_kem_vector_avx2_add_ea(a, &b));
+  __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_9a(b, &a);
+  a = libcrux_ml_kem_vector_avx2_barrett_reduce_9a(
+      libcrux_ml_kem_vector_avx2_add_9a(a, &b));
   b = libcrux_ml_kem_vector_traits_montgomery_multiply_fe_79(a_minus_b, zeta_r);
   return (CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a,
                                                                 .snd = b});
@@ -2161,7 +2402,7 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79(
       libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 =
           libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_79(
               re->coefficients[j], re->coefficients[j + step_vec],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       __m256i x = uu____0.fst;
       __m256i y = uu____0.snd;
       re->coefficients[j] = x;
@@ -2181,9 +2422,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) {
   size_t zeta_i =
       LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U;
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_79(&zeta_i, re, (size_t)1U);
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_79(&zeta_i, re, (size_t)2U);
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_79(&zeta_i, re, (size_t)3U);
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_79(&zeta_i, re);
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_79(&zeta_i, re);
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_79(&zeta_i, re);
   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79(&zeta_i, re,
                                                           (size_t)4U);
   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79(&zeta_i, re,
@@ -2192,38 +2433,52 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(
                                                           (size_t)6U);
   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79(&zeta_i, re,
                                                           (size_t)7U);
-  libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_79(re);
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_79(re);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_subtract_reduce_d6_79(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+libcrux_ml_kem_polynomial_subtract_reduce_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     __m256i coefficient_normal_form =
-        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
+        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
             b.coefficients[i0], (int16_t)1441);
-    b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea(
-        libcrux_ml_kem_vector_avx2_sub_ea(self->coefficients[i0],
+    b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_9a(
+        libcrux_ml_kem_vector_avx2_sub_9a(myself->coefficients[i0],
                                           &coefficient_normal_form));
   }
   return b;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_subtract_reduce_ef_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) {
+  return libcrux_ml_kem_polynomial_subtract_reduce_79(self, b);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -2243,16 +2498,16 @@ libcrux_ml_kem_matrix_compute_message_ab(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_ef_79();
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-        libcrux_ml_kem_polynomial_ntt_multiply_d6_79(&secret_as_ntt[i0],
+        libcrux_ml_kem_polynomial_ntt_multiply_ef_79(&secret_as_ntt[i0],
                                                      &u_as_ntt[i0]);
-    libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product);
+    libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(&result, &product);
   }
   libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result);
-  result = libcrux_ml_kem_polynomial_subtract_reduce_d6_79(v, result);
+  result = libcrux_ml_kem_polynomial_subtract_reduce_ef_79(v, result);
   return result;
 }
 
@@ -2269,16 +2524,16 @@ libcrux_ml_kem_vector_avx2_arithmetic_shift_right_ef(__m256i vector) {
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.shift_right_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.shift_right_9a
 with const generics
 - SHIFT_BY= 15
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_shift_right_ea_ef(__m256i vector) {
+libcrux_ml_kem_vector_avx2_shift_right_9a_ef(__m256i vector) {
   return libcrux_ml_kem_vector_avx2_arithmetic_shift_right_ef(vector);
 }
 
@@ -2291,10 +2546,22 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_traits_to_unsigned_representative_79(__m256i a) {
-  __m256i t = libcrux_ml_kem_vector_avx2_shift_right_ea_ef(a);
-  __m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea(
+  __m256i t = libcrux_ml_kem_vector_avx2_shift_right_9a_ef(a);
+  __m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_9a(
       t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
-  return libcrux_ml_kem_vector_avx2_add_ea(a, &fm);
+  return libcrux_ml_kem_vector_avx2_add_9a(a, &fm);
+}
+
+/**
+A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_modulus
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_serialize_to_unsigned_field_modulus_79(__m256i a) {
+  return libcrux_ml_kem_vector_traits_to_unsigned_representative_79(a);
 }
 
 /**
@@ -2310,13 +2577,12 @@ libcrux_ml_kem_serialize_compress_then_serialize_message_79(
   uint8_t serialized[32U] = {0U};
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t i0 = i;
-    __m256i coefficient =
-        libcrux_ml_kem_vector_traits_to_unsigned_representative_79(
-            re.coefficients[i0]);
+    __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_modulus_79(
+        re.coefficients[i0]);
     __m256i coefficient_compressed =
-        libcrux_ml_kem_vector_avx2_compress_1_ea(coefficient);
+        libcrux_ml_kem_vector_avx2_compress_1_9a(coefficient);
     uint8_t bytes[2U];
-    libcrux_ml_kem_vector_avx2_serialize_1_ea(coefficient_compressed, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_1_9a(coefficient_compressed, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t);
     Eurydice_slice_copy(
@@ -2366,7 +2632,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_unpacked_2f(
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U];
   libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed(ciphertext, u_as_ntt);
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v =
-      libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_42(
+      libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_ed(
           Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
                                           (size_t)960U, uint8_t, size_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message =
@@ -2481,7 +2747,7 @@ static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63
 libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+    uu____0[i] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   }
   uint8_t uu____1[32U] = {0U};
   libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 lit;
@@ -2489,15 +2755,15 @@ libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab(void) {
       lit.t_as_ntt, uu____0,
       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6));
   memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t));
-  lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+  lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   return lit;
 }
 
@@ -2518,15 +2784,15 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_79(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_ef_79();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes);
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_9a(bytes);
     re.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(coefficient);
+        libcrux_ml_kem_vector_avx2_cond_subtract_3329_9a(coefficient);
   }
   return re;
 }
@@ -2538,12 +2804,11 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_79(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1152
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_98(
+libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) {
   for (size_t i = (size_t)0U;
@@ -2568,12 +2833,13 @@ typedef libcrux_sha3_avx2_x4_incremental_KeccakState
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const
+generics
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
-libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_e0(
+libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_e0(
     uint8_t input[3U][34U]) {
   libcrux_sha3_generic_keccak_KeccakState_55 state =
       libcrux_sha3_avx2_x4_incremental_init();
@@ -2591,29 +2857,30 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_a9 with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_a9 with const
+generics
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState
-libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_a9_e0(
+libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_a9_e0(
     uint8_t input[3U][34U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_input[3U][34U];
   memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U]));
-  return libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_e0(
+  return libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_e0(
       copy_of_input);
 }
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks with const
-generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with
+const generics
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_three_blocks_e0(
+libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_e0(
     libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[3U][504U]) {
   uint8_t out[3U][504U] = {{0U}};
   uint8_t out0[504U] = {0U};
@@ -2643,16 +2910,16 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_three_blocks_a9 with const
-generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_a9 with
+const generics
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_three_blocks_a9_e0(
+libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_a9_e0(
     libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][504U]) {
-  libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_three_blocks_e0(self,
-                                                                      ret);
+  libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_e0(
+      self, ret);
 }
 
 /**
@@ -2717,7 +2984,7 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed(
         Eurydice_slice uu____0 =
             Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U,
                                         r * (size_t)24U + (size_t)24U, uint8_t);
-        size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea(
+        size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_9a(
             uu____0, Eurydice_array_to_subslice2(
                          out[i1], sampled_coefficients[i1],
                          sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -2742,12 +3009,13 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const
+generics
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_block_e0(
+libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_e0(
     libcrux_sha3_avx2_x4_incremental_KeccakState *st, uint8_t ret[3U][168U]) {
   uint8_t out[3U][168U] = {{0U}};
   uint8_t out0[168U] = {0U};
@@ -2777,14 +3045,15 @@ libcrux_ml_kem::hash_functions::avx2::Simd256Hash)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_block_a9 with const generics
+libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_a9 with const
+generics
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_block_a9_e0(
+libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_a9_e0(
     libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][168U]) {
-  libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_block_e0(self, ret);
+  libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_e0(self, ret);
 }
 
 /**
@@ -2849,7 +3118,7 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0(
         Eurydice_slice uu____0 =
             Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U,
                                         r * (size_t)24U + (size_t)24U, uint8_t);
-        size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea(
+        size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_9a(
             uu____0, Eurydice_array_to_subslice2(
                          out[i1], sampled_coefficients[i1],
                          sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -2873,31 +3142,43 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_from_i16_array_d6_79(Eurydice_slice a) {
+libcrux_ml_kem_polynomial_from_i16_array_79(Eurydice_slice a) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_79();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     result.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice_subslice2(
+        libcrux_ml_kem_vector_avx2_from_i16_array_9a(Eurydice_slice_subslice2(
             a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t));
   }
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_from_i16_array_ef_79(Eurydice_slice a) {
+  return libcrux_ml_kem_polynomial_from_i16_array_79(a);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.closure
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -2907,7 +3188,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_sampling_sample_from_xof_closure_6c(int16_t s[272U]) {
-  return libcrux_ml_kem_polynomial_from_i16_array_d6_79(
+  return libcrux_ml_kem_polynomial_from_i16_array_ef_79(
       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
 }
 
@@ -2927,10 +3208,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_6c(
   uint8_t copy_of_seeds[3U][34U];
   memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U]));
   libcrux_sha3_avx2_x4_incremental_KeccakState xof_state =
-      libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_a9_e0(
+      libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_a9_e0(
           copy_of_seeds);
   uint8_t randomness0[3U][504U];
-  libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_three_blocks_a9_e0(
+  libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_a9_e0(
       &xof_state, randomness0);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness0[3U][504U];
@@ -2942,7 +3223,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_6c(
       break;
     } else {
       uint8_t randomness[3U][168U];
-      libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_block_a9_e0(
+      libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_a9_e0(
           &xof_state, randomness);
       /* Passing arrays by value in Rust generates a copy in C */
       uint8_t copy_of_randomness[3U][168U];
@@ -3020,13 +3301,14 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 - T_AS_NTT_ENCODED_SIZE= 1152
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fa(
+static KRML_MUSTINLINE void
+libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fa(
     Eurydice_slice public_key,
     libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63
         *unpacked_public_key) {
   Eurydice_slice uu____0 =
       Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t);
-  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_98(
+  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab(
       uu____0, unpacked_public_key->t_as_ntt);
   Eurydice_slice seed =
       Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t);
@@ -3045,8 +3327,10 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 - T_AS_NTT_ENCODED_SIZE= 1152
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63
-libcrux_ml_kem_ind_cpa_build_unpacked_public_key_fa(Eurydice_slice public_key) {
+static KRML_MUSTINLINE
+    libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63
+    libcrux_ml_kem_ind_cpa_build_unpacked_public_key_fa(
+        Eurydice_slice public_key) {
   libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63
       unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab();
   libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fa(public_key,
@@ -3077,7 +3361,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_closure_b4(size_t _i) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_79();
+  return libcrux_ml_kem_polynomial_ZERO_ef_79();
 }
 
 /**
@@ -3223,7 +3507,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_79(
       sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2;
     }
   }
-  return libcrux_ml_kem_polynomial_from_i16_array_d6_79(
+  return libcrux_ml_kem_polynomial_from_i16_array_ef_79(
       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
 }
 
@@ -3269,7 +3553,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_79(
       sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2;
     }
   }
-  return libcrux_ml_kem_polynomial_from_i16_array_d6_79(
+  return libcrux_ml_kem_polynomial_from_i16_array_ef_79(
       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
 }
 
@@ -3299,12 +3583,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_79(
   size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U;
   for (size_t i = (size_t)0U; i < step; i++) {
     size_t j = i;
-    __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_ea(
+    __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_9a(
         re->coefficients[j + step], (int16_t)-1600);
     re->coefficients[j + step] =
-        libcrux_ml_kem_vector_avx2_sub_ea(re->coefficients[j], &t);
+        libcrux_ml_kem_vector_avx2_sub_9a(re->coefficients[j], &t);
     re->coefficients[j] =
-        libcrux_ml_kem_vector_avx2_add_ea(re->coefficients[j], &t);
+        libcrux_ml_kem_vector_avx2_add_9a(re->coefficients[j], &t);
   }
 }
 
@@ -3321,15 +3605,18 @@ libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_79(
   libcrux_ml_kem_ntt_ntt_at_layer_7_79(re);
   size_t zeta_i = (size_t)1U;
   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U,
-                                            (size_t)3U);
+                                            (size_t)11207U);
   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U,
-                                            (size_t)3U);
-  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U,
-                                            (size_t)3U);
-  libcrux_ml_kem_ntt_ntt_at_layer_3_79(&zeta_i, re, (size_t)3U, (size_t)3U);
-  libcrux_ml_kem_ntt_ntt_at_layer_2_79(&zeta_i, re, (size_t)2U, (size_t)3U);
-  libcrux_ml_kem_ntt_ntt_at_layer_1_79(&zeta_i, re, (size_t)1U, (size_t)3U);
-  libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_79(re);
+                                            (size_t)11207U + (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(
+      &zeta_i, re, (size_t)4U, (size_t)11207U + (size_t)2U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_3_79(
+      &zeta_i, re, (size_t)11207U + (size_t)3U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_2_79(
+      &zeta_i, re, (size_t)11207U + (size_t)4U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_1_79(
+      &zeta_i, re, (size_t)11207U + (size_t)5U * (size_t)3328U);
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_79(re);
 }
 
 /**
@@ -3356,11 +3643,8 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4(
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
     memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));
   }
-  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    size_t i0 = i;
-    prf_inputs[i0][32U] = domain_separator;
-    domain_separator = (uint32_t)domain_separator + 1U;
-  }
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator);
   uint8_t prf_outputs[3U][128U];
   libcrux_ml_kem_hash_functions_avx2_PRFxN_a9_41(prf_inputs, prf_outputs);
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
@@ -3387,7 +3671,7 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_b4(
     uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+    re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   }
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt;
   uint8_t uu____1[33U];
@@ -3418,7 +3702,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure_b4(size_t _i) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_79();
+  return libcrux_ml_kem_polynomial_ZERO_ef_79();
 }
 
 /**
@@ -3438,7 +3722,7 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_b4(uint8_t prf_input[33U],
                                                   uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    error_1[i] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+    error_1[i] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   }
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_prf_input[33U];
@@ -3447,11 +3731,8 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_b4(uint8_t prf_input[33U],
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
     memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));
   }
-  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    size_t i0 = i;
-    prf_inputs[i0][32U] = domain_separator;
-    domain_separator = (uint32_t)domain_separator + 1U;
-  }
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator);
   uint8_t prf_outputs[3U][128U];
   libcrux_ml_kem_hash_functions_avx2_PRFxN_a9_41(prf_inputs, prf_outputs);
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
@@ -3513,36 +3794,49 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_matrix_compute_vector_u_closure_ab(size_t _i) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_79();
+  return libcrux_ml_kem_polynomial_ZERO_ef_79();
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_79(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     __m256i coefficient_normal_form =
-        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
-            self->coefficients[j], (int16_t)1441);
-    self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea(
-        libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form,
+        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
+            myself->coefficients[j], (int16_t)1441);
+    myself->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_9a(
+        libcrux_ml_kem_vector_avx2_add_9a(coefficient_normal_form,
                                           &error->coefficients[j]));
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
+  libcrux_ml_kem_polynomial_add_error_reduce_79(self, error);
+}
+
 /**
  Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 */
@@ -3560,7 +3854,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_ab(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    result[i] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+    result[i] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   }
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(
@@ -3581,12 +3875,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_ab(
       size_t j = i;
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-          libcrux_ml_kem_polynomial_ntt_multiply_d6_79(a_element, &r_as_ntt[j]);
-      libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result[i1],
+          libcrux_ml_kem_polynomial_ntt_multiply_ef_79(a_element, &r_as_ntt[j]);
+      libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(&result[i1],
                                                           &product);
     }
     libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result[i1]);
-    libcrux_ml_kem_polynomial_add_error_reduce_d6_79(&result[i1], &error_1[i1]);
+    libcrux_ml_kem_polynomial_add_error_reduce_ef_79(&result[i1], &error_1[i1]);
   }
   memcpy(
       ret, result,
@@ -3601,11 +3895,11 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_traits_decompress_1_79(__m256i v) {
-  return libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea(
-      libcrux_ml_kem_vector_avx2_sub_ea(libcrux_ml_kem_vector_avx2_ZERO_ea(),
-                                        &v),
-      (int16_t)1665);
+libcrux_ml_kem_vector_traits_decompress_1_79(__m256i vec) {
+  __m256i z = libcrux_ml_kem_vector_avx2_ZERO_9a();
+  __m256i s = libcrux_ml_kem_vector_avx2_sub_9a(z, &vec);
+  return libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_9a(s,
+                                                                 (int16_t)1665);
 }
 
 /**
@@ -3619,11 +3913,11 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_serialize_deserialize_then_decompress_message_79(
     uint8_t serialized[32U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_ef_79();
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t i0 = i;
     __m256i coefficient_compressed =
-        libcrux_ml_kem_vector_avx2_deserialize_1_ea(
+        libcrux_ml_kem_vector_avx2_deserialize_1_9a(
             Eurydice_array_to_subslice2(serialized, (size_t)2U * i0,
                                         (size_t)2U * i0 + (size_t)2U, uint8_t));
     re.coefficients[i0] =
@@ -3633,38 +3927,54 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_message_79(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_add_message_error_reduce_d6_79(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+libcrux_ml_kem_polynomial_add_message_error_reduce_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     __m256i coefficient_normal_form =
-        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
+        libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
             result.coefficients[i0], (int16_t)1441);
-    __m256i tmp = libcrux_ml_kem_vector_avx2_add_ea(self->coefficients[i0],
+    __m256i tmp = libcrux_ml_kem_vector_avx2_add_9a(myself->coefficients[i0],
                                                     &message->coefficients[i0]);
     __m256i tmp0 =
-        libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form, &tmp);
+        libcrux_ml_kem_vector_avx2_add_9a(coefficient_normal_form, &tmp);
     result.coefficients[i0] =
-        libcrux_ml_kem_vector_avx2_barrett_reduce_ea(tmp0);
+        libcrux_ml_kem_vector_avx2_barrett_reduce_9a(tmp0);
   }
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
+libcrux_ml_kem_polynomial_add_message_error_reduce_ef_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) {
+  return libcrux_ml_kem_polynomial_add_message_error_reduce_79(self, message,
+                                                               result);
+}
+
 /**
  Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 */
@@ -3682,16 +3992,16 @@ libcrux_ml_kem_matrix_compute_ring_element_v_ab(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result =
-      libcrux_ml_kem_polynomial_ZERO_d6_79();
+      libcrux_ml_kem_polynomial_ZERO_ef_79();
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-        libcrux_ml_kem_polynomial_ntt_multiply_d6_79(&t_as_ntt[i0],
+        libcrux_ml_kem_polynomial_ntt_multiply_ef_79(&t_as_ntt[i0],
                                                      &r_as_ntt[i0]);
-    libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product);
+    libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(&result, &product);
   }
   libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result);
-  result = libcrux_ml_kem_polynomial_add_message_error_reduce_d6_79(
+  result = libcrux_ml_kem_polynomial_add_message_error_reduce_ef_79(
       error_2, message, result);
   return result;
 }
@@ -3749,20 +4059,31 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef(
                                                          compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 10
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_ef(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_9a
 with const generics
 - COEFFICIENT_BITS= 10
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_compress_ea_ef(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef(
-      vector);
+libcrux_ml_kem_vector_avx2_compress_9a_ef(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_ef(vector);
 }
 
 /**
@@ -3779,11 +4100,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_0e(
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_ea_ef(
-        libcrux_ml_kem_vector_traits_to_unsigned_representative_79(
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_9a_ef(
+        libcrux_ml_kem_serialize_to_unsigned_field_modulus_79(
             re->coefficients[i0]));
     uint8_t bytes[20U];
-    libcrux_ml_kem_vector_avx2_serialize_10_ea(coefficient, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_10_9a(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t);
     Eurydice_slice_copy(
@@ -3845,20 +4166,31 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_c4(
                                                          compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 11
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_c4(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_c4(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_9a
 with const generics
 - COEFFICIENT_BITS= 11
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_compress_ea_c4(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_c4(
-      vector);
+libcrux_ml_kem_vector_avx2_compress_9a_c4(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_c4(vector);
 }
 
 /**
@@ -3875,11 +4207,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_11_0e(
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_ea_c4(
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_9a_c4(
         libcrux_ml_kem_vector_traits_to_unsigned_representative_79(
             re->coefficients[i0]));
     uint8_t bytes[22U];
-    libcrux_ml_kem_vector_avx2_serialize_11_ea(coefficient, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_11_9a(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t);
     Eurydice_slice_copy(
@@ -3993,20 +4325,31 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1(
                                                          compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 4
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_d1(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_9a
 with const generics
 - COEFFICIENT_BITS= 4
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_compress_ea_d1(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1(
-      vector);
+libcrux_ml_kem_vector_avx2_compress_9a_d1(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_d1(vector);
 }
 
 /**
@@ -4023,11 +4366,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_4_79(
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
-    __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_ea_d1(
-        libcrux_ml_kem_vector_traits_to_unsigned_representative_79(
+    __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_9a_d1(
+        libcrux_ml_kem_serialize_to_unsigned_field_modulus_79(
             re.coefficients[i0]));
     uint8_t bytes[8U];
-    libcrux_ml_kem_vector_avx2_serialize_4_ea(coefficient, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_4_9a(coefficient, bytes);
     Eurydice_slice_copy(
         Eurydice_slice_subslice2(serialized, (size_t)8U * i0,
                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
@@ -4088,20 +4431,31 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_f4(
                                                          compressed, __m256i);
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress
+with const generics
+- COEFFICIENT_BITS= 5
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE __m256i
+libcrux_ml_kem_vector_avx2_compress_f4(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_f4(
+      vector);
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+libcrux_ml_kem::vector::avx2::SIMD256Vector)#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea
+A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_9a
 with const generics
 - COEFFICIENT_BITS= 5
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
-libcrux_ml_kem_vector_avx2_compress_ea_f4(__m256i vector) {
-  return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_f4(
-      vector);
+libcrux_ml_kem_vector_avx2_compress_9a_f4(__m256i vector) {
+  return libcrux_ml_kem_vector_avx2_compress_f4(vector);
 }
 
 /**
@@ -4118,11 +4472,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_79(
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
-    __m256i coefficients = libcrux_ml_kem_vector_avx2_compress_ea_f4(
+    __m256i coefficients = libcrux_ml_kem_vector_avx2_compress_9a_f4(
         libcrux_ml_kem_vector_traits_to_unsigned_representative_79(
             re.coefficients[i0]));
     uint8_t bytes[10U];
-    libcrux_ml_kem_vector_avx2_serialize_5_ea(coefficients, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_5_9a(coefficients, bytes);
     Eurydice_slice_copy(
         Eurydice_slice_subslice2(serialized, (size_t)10U * i0,
                                  (size_t)10U * i0 + (size_t)10U, uint8_t),
@@ -4134,12 +4488,13 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_79(
 A monomorphic instance of
 libcrux_ml_kem.serialize.compress_then_serialize_ring_element_v with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
+- K= 3
 - COMPRESSION_FACTOR= 4
 - OUT_LEN= 128
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_78(
+libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_ed(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out) {
   libcrux_ml_kem_serialize_compress_then_serialize_4_79(re, out);
 }
@@ -4256,7 +4611,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_74(
       uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)960U,
                                            uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____6 = v;
-  libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_78(
+  libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_ed(
       uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
                                                (size_t)960U, uint8_t, size_t));
   memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t));
@@ -4318,6 +4673,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_d8_ae(
   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -4376,7 +4734,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_80(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   libcrux_ml_kem_hash_functions_avx2_PRF_a9_41(
@@ -4398,7 +4756,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1(
   libcrux_ml_kem_variant_kdf_d8_ae(shared_secret0, ciphertext, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_80(ciphertext),
       Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
@@ -4525,7 +4883,7 @@ with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -4547,7 +4905,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70(
   uint8_t ret[32U];
   libcrux_ml_kem_hash_functions_avx2_H_a9_e0(
       Eurydice_array_to_slice((size_t)1184U,
-                              libcrux_ml_kem_types_as_slice_ba_d0(public_key),
+                              libcrux_ml_kem_types_as_slice_fd_d0(public_key),
                               uint8_t),
       ret);
   Eurydice_slice_copy(
@@ -4562,7 +4920,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t);
+      (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -4573,7 +4931,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70(
   uint8_t copy_of_ciphertext[1088U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 =
-      libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_80(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   libcrux_ml_kem_variant_kdf_d8_ae(shared_secret, &ciphertext0,
                                    shared_secret_array);
@@ -4681,9 +5039,9 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63
 libcrux_ml_kem_ind_cpa_unpacked_default_1a_ab(void) {
   libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 lit;
-  lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
-  lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+  lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
+  lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   return lit;
 }
 
@@ -4723,38 +5081,52 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_ml_kem_vector_traits_to_standard_domain_79(__m256i v) {
-  return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(
+  return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_9a(
       v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_79(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+libcrux_ml_kem_polynomial_add_standard_error_reduce_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     __m256i coefficient_normal_form =
         libcrux_ml_kem_vector_traits_to_standard_domain_79(
-            self->coefficients[j]);
-    self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea(
-        libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form,
+            myself->coefficients[j]);
+    myself->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_9a(
+        libcrux_ml_kem_vector_avx2_add_9a(coefficient_normal_form,
                                           &error->coefficients[j]));
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_79(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
+  libcrux_ml_kem_polynomial_add_standard_error_reduce_79(self, error);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -4780,7 +5152,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_ab(
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0];
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 =
-        libcrux_ml_kem_polynomial_ZERO_d6_79();
+        libcrux_ml_kem_polynomial_ZERO_ef_79();
     t_as_ntt[i0] = uu____0;
     for (size_t i1 = (size_t)0U;
          i1 < Eurydice_slice_len(
@@ -4793,12 +5165,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_ab(
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element =
           &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product =
-          libcrux_ml_kem_polynomial_ntt_multiply_d6_79(matrix_element,
+          libcrux_ml_kem_polynomial_ntt_multiply_ef_79(matrix_element,
                                                        &s_as_ntt[j]);
-      libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&t_as_ntt[i0],
+      libcrux_ml_kem_polynomial_add_to_ring_element_ef_ab(&t_as_ntt[i0],
                                                           &product);
     }
-    libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_79(
+    libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_79(
         &t_as_ntt[i0], &error_as_ntt[i0]);
   }
 }
@@ -4915,11 +5287,10 @@ libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_79(
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
-    __m256i coefficient =
-        libcrux_ml_kem_vector_traits_to_unsigned_representative_79(
-            re->coefficients[i0]);
+    __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_modulus_79(
+        re->coefficients[i0]);
     uint8_t bytes[24U];
-    libcrux_ml_kem_vector_avx2_serialize_12_ea(coefficient, bytes);
+    libcrux_ml_kem_vector_avx2_serialize_12_9a(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t);
     Eurydice_slice_copy(
@@ -5131,9 +5502,6 @@ libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_ae(
       implicit_rejection_value, uint8_t);
 }
 
-/**
- Serialize the secret key.
-*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key
 with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash
@@ -5168,7 +5536,7 @@ with const generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -5198,13 +5566,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_d6(uint8_t randomness[64U]) {
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)2400U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key =
-      libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_28(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[1184U];
   memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_74(
-      uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_74(
+      uu____2, libcrux_ml_kem_types_from_5f_d0(copy_of_public_key));
 }
 
 /**
@@ -5290,7 +5658,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_33_ae(
   uint8_t ret0[32U];
   libcrux_ml_kem_hash_functions_avx2_H_a9_e0(
       Eurydice_array_to_slice((size_t)1088U,
-                              libcrux_ml_kem_types_as_slice_07_80(ciphertext),
+                              libcrux_ml_kem_types_as_slice_d4_80(ciphertext),
                               uint8_t),
       ret0);
   Eurydice_slice_copy(
@@ -5301,6 +5669,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_33_ae(
   memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t));
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
@@ -5359,7 +5730,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a10(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_80(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   libcrux_ml_kem_hash_functions_avx2_PRF_a9_41(
@@ -5381,7 +5752,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a10(
   libcrux_ml_kem_variant_kdf_33_ae(shared_secret0, ciphertext, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_80(ciphertext),
       Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
@@ -5492,7 +5863,7 @@ with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -5514,7 +5885,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_700(
   uint8_t ret[32U];
   libcrux_ml_kem_hash_functions_avx2_H_a9_e0(
       Eurydice_array_to_slice((size_t)1184U,
-                              libcrux_ml_kem_types_as_slice_ba_d0(public_key),
+                              libcrux_ml_kem_types_as_slice_fd_d0(public_key),
                               uint8_t),
       ret);
   Eurydice_slice_copy(
@@ -5529,7 +5900,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_700(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t);
+      (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -5540,7 +5911,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_700(
   uint8_t copy_of_ciphertext[1088U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 =
-      libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_80(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   libcrux_ml_kem_variant_kdf_33_ae(shared_secret, &ciphertext0,
                                    shared_secret_array);
@@ -5792,7 +6163,7 @@ with const generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -5822,13 +6193,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_d60(uint8_t randomness[64U]) {
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)2400U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key =
-      libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_28(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[1184U];
   memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_74(
-      uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_74(
+      uu____2, libcrux_ml_kem_types_from_5f_d0(copy_of_public_key));
 }
 
 /**
@@ -6019,46 +6390,13 @@ static inline bool libcrux_ml_kem_mlkem768_avx2_validate_private_key_only(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.closure with
 types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1184
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_b1(
+libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_ab(
     size_t _i) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_79();
-}
-
-/**
- See [deserialize_ring_elements_reduced_out].
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
-libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1184
-- K= 3
-*/
-KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b1(
-    Eurydice_slice public_key,
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) {
-  for (size_t i = (size_t)0U;
-       i < Eurydice_slice_len(public_key, uint8_t) /
-               LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
-       i++) {
-    size_t i0 = i;
-    Eurydice_slice ring_element = Eurydice_slice_subslice2(
-        public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
-            LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        uint8_t);
-    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 =
-        libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_79(
-            ring_element);
-    deserialized_pk[i0] = uu____0;
-  }
+  return libcrux_ml_kem_polynomial_ZERO_ef_79();
 }
 
 /**
@@ -6071,19 +6409,18 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b1(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
-- PUBLIC_KEY_SIZE= 1184
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_b1(
+libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_ab(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+    deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   }
-  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b1(
+  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab(
       public_key, deserialized_pk);
   memcpy(
       ret, deserialized_pk,
@@ -6109,7 +6446,7 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_ed(
     uint8_t *public_key) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U];
-  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_b1(
+  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_ab(
       Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U,
                                     uint8_t, size_t),
       deserialized_pk);
@@ -6251,7 +6588,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_80(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret[32U];
   libcrux_ml_kem_hash_functions_avx2_PRF_a9_41(
@@ -6267,7 +6604,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12(
       uu____3, copy_of_decrypted, pseudorandomness, expected_ciphertext);
   uint8_t selector =
       libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time(
-          libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+          libcrux_ml_kem_types_as_ref_43_80(ciphertext),
           Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t));
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time(
@@ -6412,7 +6749,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_70(
   uint8_t copy_of_ciphertext[1088U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 =
-      libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_80(copy_of_ciphertext);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_shared_secret_array[32U];
   memcpy(copy_of_shared_secret_array, shared_secret_array,
@@ -6513,60 +6850,44 @@ static inline tuple_c2 libcrux_ml_kem_mlkem768_avx2_unpacked_encapsulate(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.generate_keypair.closure.closure with types
-libcrux_ml_kem_vector_avx2_SIMD256Vector,
-libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem
-with const generics
+libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure.closure with types
+libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 - K= 3
-- CPA_PRIVATE_KEY_SIZE= 1152
-- PRIVATE_KEY_SIZE= 2400
-- PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_closure_d6(size_t _j) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_79();
+libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_closure_ab(size_t _j) {
+  return libcrux_ml_kem_polynomial_ZERO_ef_79();
 }
 
 /**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.generate_keypair.closure with types
-libcrux_ml_kem_vector_avx2_SIMD256Vector,
-libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 3
-- CPA_PRIVATE_KEY_SIZE= 1152
-- PRIVATE_KEY_SIZE= 2400
-- PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_d6(
+static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_ab(
     size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) {
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    ret[i] = libcrux_ml_kem_polynomial_ZERO_d6_79();
+    ret[i] = libcrux_ml_kem_polynomial_ZERO_ef_79();
   }
 }
 
 /**
 This function found in impl {(core::clone::Clone for
 libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@2])#1}
+TraitClause@2])}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.clone_17
+A monomorphic instance of libcrux_ml_kem.polynomial.clone_8d
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_polynomial_clone_17_79(
+libcrux_ml_kem_polynomial_clone_8d_79(
     libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit;
   __m256i ret[16U];
@@ -6576,6 +6897,38 @@ libcrux_ml_kem_polynomial_clone_17_79(
   return lit;
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a
+with types libcrux_ml_kem_vector_avx2_SIMD256Vector
+with const generics
+- K= 3
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_ab(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ind_cpa_a[3U][3U],
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U][3U]) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U];
+  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
+    libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_ab(i, A[i]);
+  }
+  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
+    size_t i0 = i;
+    libcrux_ml_kem_polynomial_PolynomialRingElement_f6 _a_i[3U][3U];
+    memcpy(_a_i, A,
+           (size_t)3U *
+               sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]));
+    for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) {
+      size_t j = i1;
+      libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 =
+          libcrux_ml_kem_polynomial_clone_8d_79(&ind_cpa_a[j][i0]);
+      A[i0][j] = uu____0;
+    }
+  }
+  memcpy(ret, A,
+         (size_t)3U *
+             sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]));
+}
+
 /**
  Generate Unpacked Keys
 */
@@ -6606,20 +6959,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_d6(
   libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22(
       ind_cpa_keypair_randomness, &out->private_key.ind_cpa_private_key,
       &out->public_key.ind_cpa_public_key);
+  libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U][3U];
+  memcpy(uu____0, out->public_key.ind_cpa_public_key.A,
+         (size_t)3U *
+             sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]));
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U];
-  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_d6(i, A[i]);
-  }
-  for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) {
-    size_t i1 = i0;
-    for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-      size_t j = i;
-      libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 =
-          libcrux_ml_kem_polynomial_clone_17_79(
-              &out->public_key.ind_cpa_public_key.A[j][i1]);
-      A[i1][j] = uu____0;
-    }
-  }
+  libcrux_ml_kem_ind_cca_unpacked_transpose_a_ab(uu____0, A);
   libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____1[3U][3U];
   memcpy(uu____1, A,
          (size_t)3U *
@@ -6714,17 +7059,17 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair_mut(
 /**
 This function found in impl {(core::default::Default for
 libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1])#1}
+K>[TraitClause@0, TraitClause@1])}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_1c
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_09
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63
-libcrux_ml_kem_ind_cca_unpacked_default_1c_ab(void) {
+libcrux_ml_kem_ind_cca_unpacked_default_09_ab(void) {
   libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 lit;
   lit.ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab();
   lit.public_key_hash[0U] = 0U;
@@ -6765,10 +7110,10 @@ libcrux_ml_kem_ind_cca_unpacked_default_1c_ab(void) {
 /**
 This function found in impl {(core::default::Default for
 libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1])#3}
+K>[TraitClause@0, TraitClause@1])#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_07
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_53
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 3
@@ -6776,7 +7121,7 @@ with const generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked
-    libcrux_ml_kem_ind_cca_unpacked_default_07_ab(void) {
+    libcrux_ml_kem_ind_cca_unpacked_default_53_ab(void) {
   libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_63 uu____0;
   uu____0.ind_cpa_private_key = libcrux_ml_kem_ind_cpa_unpacked_default_1a_ab();
   uu____0.implicit_rejection_value[0U] = 0U;
@@ -6814,7 +7159,7 @@ static KRML_MUSTINLINE
   return (
       CLITERAL(libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked){
           .private_key = uu____0,
-          .public_key = libcrux_ml_kem_ind_cca_unpacked_default_1c_ab()});
+          .public_key = libcrux_ml_kem_ind_cca_unpacked_default_09_ab()});
 }
 
 /**
@@ -6825,7 +7170,7 @@ static inline libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked
 libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair(
     uint8_t randomness[64U]) {
   libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked key_pair =
-      libcrux_ml_kem_ind_cca_unpacked_default_07_ab();
+      libcrux_ml_kem_ind_cca_unpacked_default_53_ab();
   uint8_t uu____0[64U];
   memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair_mut(uu____0,
@@ -6839,7 +7184,7 @@ libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair(
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked
 libcrux_ml_kem_mlkem768_avx2_unpacked_init_key_pair(void) {
-  return libcrux_ml_kem_ind_cca_unpacked_default_07_ab();
+  return libcrux_ml_kem_ind_cca_unpacked_default_53_ab();
 }
 
 /**
@@ -6848,7 +7193,7 @@ libcrux_ml_kem_mlkem768_avx2_unpacked_init_key_pair(void) {
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63
 libcrux_ml_kem_mlkem768_avx2_unpacked_init_public_key(void) {
-  return libcrux_ml_kem_ind_cca_unpacked_default_1c_ab();
+  return libcrux_ml_kem_ind_cca_unpacked_default_09_ab();
 }
 
 /**
@@ -6861,7 +7206,7 @@ generics
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6
 libcrux_ml_kem_sampling_sample_from_xof_closure_b3(int16_t s[272U]) {
-  return libcrux_ml_kem_polynomial_from_i16_array_d6_79(
+  return libcrux_ml_kem_polynomial_from_i16_array_ef_79(
       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
 }
 
@@ -6882,10 +7227,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_b3(
   uint8_t copy_of_seeds[3U][34U];
   memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U]));
   libcrux_ml_kem_hash_functions_portable_PortableHash_88 xof_state =
-      libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_f1_e0(
+      libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_f1_e0(
           copy_of_seeds);
   uint8_t randomness0[3U][504U];
-  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_f1_e0(
+  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_f1_e0(
       &xof_state, randomness0);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness0[3U][504U];
@@ -6897,7 +7242,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_b3(
       break;
     } else {
       uint8_t randomness[3U][168U];
-      libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_f1_e0(
+      libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_f1_e0(
           &xof_state, randomness);
       /* Passing arrays by value in Rust generates a copy in C */
       uint8_t copy_of_randomness[3U][168U];
@@ -6977,13 +7322,14 @@ generics
 - T_AS_NTT_ENCODED_SIZE= 1152
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_bf(
+static KRML_MUSTINLINE void
+libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_bf(
     Eurydice_slice public_key,
     libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63
         *unpacked_public_key) {
   Eurydice_slice uu____0 =
       Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t);
-  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_98(
+  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab(
       uu____0, unpacked_public_key->t_as_ntt);
   Eurydice_slice seed =
       Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t);
@@ -7083,17 +7429,14 @@ libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_from_private_mut(
       private_key, key_pair);
 }
 
-/**
- Get the serialized private key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_de with types
+libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_fc with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 - K= 3
 - CPA_PRIVATE_KEY_SIZE= 1152
@@ -7103,7 +7446,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_de_2f(
+libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_fc_2f(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self,
     libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) {
   libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 =
@@ -7122,17 +7465,14 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_de_2f(
       serialized->value);
 }
 
-/**
- Get the serialized private key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_de with types
+libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_fc with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 - K= 3
 - CPA_PRIVATE_KEY_SIZE= 1152
@@ -7142,11 +7482,11 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPrivateKey_d9
-libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_de_2f(
+libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_fc_2f(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) {
   libcrux_ml_kem_types_MlKemPrivateKey_d9 sk =
-      libcrux_ml_kem_types_default_9e_28();
-  libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_de_2f(self, &sk);
+      libcrux_ml_kem_types_default_24_28();
+  libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_fc_2f(self, &sk);
   return sk;
 }
 
@@ -7157,7 +7497,7 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_types_MlKemPrivateKey_d9
 libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_private_key(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) {
-  return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_de_2f(key_pair);
+  return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_fc_2f(key_pair);
 }
 
 /**
@@ -7168,20 +7508,17 @@ static inline void
 libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_private_key_mut(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair,
     libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) {
-  libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_de_2f(key_pair,
+  libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_fc_2f(key_pair,
                                                                    serialized);
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]}
+K>[TraitClause@0, TraitClause@1]#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_dd
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_30
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 3
@@ -7190,7 +7527,7 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30
-libcrux_ml_kem_ind_cca_unpacked_serialized_dd_ed(
+libcrux_ml_kem_ind_cca_unpacked_serialized_30_ed(
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self) {
   uint8_t ret[1184U];
   libcrux_ml_kem_ind_cpa_serialize_public_key_ed(
@@ -7198,20 +7535,17 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_dd_ed(
       Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A,
                               uint8_t),
       ret);
-  return libcrux_ml_kem_types_from_40_d0(ret);
+  return libcrux_ml_kem_types_from_5f_d0(ret);
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_de with types
+libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_fc with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 - K= 3
 - RANKED_BYTES_PER_RING_ELEMENT= 1152
@@ -7219,9 +7553,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30
-libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_de_ed(
+libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_fc_ed(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) {
-  return libcrux_ml_kem_ind_cca_unpacked_serialized_dd_ed(&self->public_key);
+  return libcrux_ml_kem_ind_cca_unpacked_serialized_30_ed(&self->public_key);
 }
 
 /**
@@ -7231,19 +7565,16 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_types_MlKemPublicKey_30
 libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_public_key(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) {
-  return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_de_ed(key_pair);
+  return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_fc_ed(key_pair);
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]}
+K>[TraitClause@0, TraitClause@1]#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_dd
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_30
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 3
@@ -7252,7 +7583,7 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed(
+libcrux_ml_kem_ind_cca_unpacked_serialized_mut_30_ed(
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self,
     libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) {
   libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed(
@@ -7262,17 +7593,14 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed(
       serialized->value);
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_de with types
+libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_fc with types
 libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 - K= 3
 - RANKED_BYTES_PER_RING_ELEMENT= 1152
@@ -7280,10 +7608,10 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_ed(
+libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_fc_ed(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self,
     libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) {
-  libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed(&self->public_key,
+  libcrux_ml_kem_ind_cca_unpacked_serialized_mut_30_ed(&self->public_key,
                                                        serialized);
 }
 
@@ -7295,7 +7623,7 @@ static inline void
 libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_public_key_mut(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair,
     libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) {
-  libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_ed(key_pair,
+  libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_fc_ed(key_pair,
                                                                   serialized);
 }
 
@@ -7339,17 +7667,17 @@ libcrux_ml_kem_ind_cpa_unpacked_clone_ef_ab(
 /**
 This function found in impl {(core::clone::Clone for
 libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked<Vector,
-K>[TraitClause@0, TraitClause@2])#4}
+K>[TraitClause@0, TraitClause@2])#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_28
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_dd
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63
-libcrux_ml_kem_ind_cca_unpacked_clone_28_ab(
+libcrux_ml_kem_ind_cca_unpacked_clone_dd_ab(
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self) {
   libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 lit;
   lit.ind_cpa_public_key =
@@ -7361,23 +7689,20 @@ libcrux_ml_kem_ind_cca_unpacked_clone_28_ab(
   return lit;
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_de
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_fc
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector
 with const generics
 - K= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *
-libcrux_ml_kem_ind_cca_unpacked_public_key_de_ab(
+libcrux_ml_kem_ind_cca_unpacked_public_key_fc_ab(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) {
   return &self->public_key;
 }
@@ -7390,8 +7715,8 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_public_key(
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair,
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *pk) {
   libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 uu____0 =
-      libcrux_ml_kem_ind_cca_unpacked_clone_28_ab(
-          libcrux_ml_kem_ind_cca_unpacked_public_key_de_ab(key_pair));
+      libcrux_ml_kem_ind_cca_unpacked_clone_dd_ab(
+          libcrux_ml_kem_ind_cca_unpacked_public_key_fc_ab(key_pair));
   pk[0U] = uu____0;
 }
 
@@ -7402,7 +7727,7 @@ KRML_ATTRIBUTE_TARGET("avx2")
 static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_serialized_public_key(
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key,
     libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) {
-  libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed(public_key, serialized);
+  libcrux_ml_kem_ind_cca_unpacked_serialized_mut_30_ed(public_key, serialized);
 }
 
 /**
@@ -7425,7 +7750,7 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_6d(
         *unpacked_public_key) {
   Eurydice_slice uu____0 = Eurydice_array_to_subslice_to(
       (size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t);
-  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_98(
+  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab(
       uu____0, unpacked_public_key->ind_cpa_public_key.t_as_ntt);
   uint8_t uu____1[32U];
   libcrux_ml_kem_utils_into_padded_array_9e(
@@ -7445,7 +7770,7 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_6d(
   uint8_t uu____3[32U];
   libcrux_ml_kem_hash_functions_avx2_H_a9_e0(
       Eurydice_array_to_slice((size_t)1184U,
-                              libcrux_ml_kem_types_as_slice_ba_d0(public_key),
+                              libcrux_ml_kem_types_as_slice_fd_d0(public_key),
                               uint8_t),
       uu____3);
   memcpy(unpacked_public_key->public_key_hash, uu____3,
@@ -7517,6 +7842,16 @@ static inline __m256i libcrux_ml_kem_vector_avx2_clone_3a(__m256i *self) {
   return self[0U];
 }
 
+/**
+This function found in impl {(libcrux_ml_kem::vector::traits::Repr for
+libcrux_ml_kem::vector::avx2::SIMD256Vector)}
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline void libcrux_ml_kem_vector_avx2_repr_11(__m256i x,
+                                                      int16_t ret[16U]) {
+  libcrux_ml_kem_vector_avx2_vec_to_i16_array(x, ret);
+}
+
 typedef libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63
     libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768PublicKeyUnpacked;
 
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
index 0ef93f4c2..1b133f2eb 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_mlkem768_portable_H
@@ -87,6 +87,10 @@ static const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U] =
      (int16_t)-108,  (int16_t)-308,  (int16_t)996,   (int16_t)991,
      (int16_t)958,   (int16_t)-1460, (int16_t)1522,  (int16_t)1628};
 
+static KRML_MUSTINLINE int16_t libcrux_ml_kem_polynomial_zeta(size_t i) {
+  return libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[i];
+}
+
 #define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
 
 #define LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT  \
@@ -121,10 +125,10 @@ libcrux_ml_kem_vector_portable_vector_type_from_i16_array(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_from_i16_array_0d(Eurydice_slice array) {
+libcrux_ml_kem_vector_portable_from_i16_array_2c(Eurydice_slice array) {
   return libcrux_ml_kem_vector_portable_vector_type_from_i16_array(array);
 }
 
@@ -225,40 +229,44 @@ libcrux_ml_kem_vector_portable_serialize_serialize_11(
       libcrux_ml_kem_vector_portable_serialize_serialize_11_int(
           Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U,
                                       int16_t));
-  uint8_t result[22U] = {0U};
-  result[0U] = r0_10.fst;
-  result[1U] = r0_10.snd;
-  result[2U] = r0_10.thd;
-  result[3U] = r0_10.f3;
-  result[4U] = r0_10.f4;
-  result[5U] = r0_10.f5;
-  result[6U] = r0_10.f6;
-  result[7U] = r0_10.f7;
-  result[8U] = r0_10.f8;
-  result[9U] = r0_10.f9;
-  result[10U] = r0_10.f10;
-  result[11U] = r11_21.fst;
-  result[12U] = r11_21.snd;
-  result[13U] = r11_21.thd;
-  result[14U] = r11_21.f3;
-  result[15U] = r11_21.f4;
-  result[16U] = r11_21.f5;
-  result[17U] = r11_21.f6;
-  result[18U] = r11_21.f7;
-  result[19U] = r11_21.f8;
-  result[20U] = r11_21.f9;
-  result[21U] = r11_21.f10;
-  memcpy(ret, result, (size_t)22U * sizeof(uint8_t));
+  ret[0U] = r0_10.fst;
+  ret[1U] = r0_10.snd;
+  ret[2U] = r0_10.thd;
+  ret[3U] = r0_10.f3;
+  ret[4U] = r0_10.f4;
+  ret[5U] = r0_10.f5;
+  ret[6U] = r0_10.f6;
+  ret[7U] = r0_10.f7;
+  ret[8U] = r0_10.f8;
+  ret[9U] = r0_10.f9;
+  ret[10U] = r0_10.f10;
+  ret[11U] = r11_21.fst;
+  ret[12U] = r11_21.snd;
+  ret[13U] = r11_21.thd;
+  ret[14U] = r11_21.f3;
+  ret[15U] = r11_21.f4;
+  ret[16U] = r11_21.f5;
+  ret[17U] = r11_21.f6;
+  ret[18U] = r11_21.f7;
+  ret[19U] = r11_21.f8;
+  ret[20U] = r11_21.f9;
+  ret[21U] = r11_21.f10;
+}
+
+static inline void libcrux_ml_kem_vector_portable_serialize_11(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[22U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-static inline void libcrux_ml_kem_vector_portable_serialize_11_0d(
+static inline void libcrux_ml_kem_vector_portable_serialize_11_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[22U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_11(a, ret);
 }
 
 typedef struct int16_t_x8_s {
@@ -335,28 +343,6 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
                                .f7 = r7});
 }
 
-static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_vector_type_zero(void) {
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
-  lit.elements[0U] = (int16_t)0;
-  lit.elements[1U] = (int16_t)0;
-  lit.elements[2U] = (int16_t)0;
-  lit.elements[3U] = (int16_t)0;
-  lit.elements[4U] = (int16_t)0;
-  lit.elements[5U] = (int16_t)0;
-  lit.elements[6U] = (int16_t)0;
-  lit.elements[7U] = (int16_t)0;
-  lit.elements[8U] = (int16_t)0;
-  lit.elements[9U] = (int16_t)0;
-  lit.elements[10U] = (int16_t)0;
-  lit.elements[11U] = (int16_t)0;
-  lit.elements[12U] = (int16_t)0;
-  lit.elements[13U] = (int16_t)0;
-  lit.elements[14U] = (int16_t)0;
-  lit.elements[15U] = (int16_t)0;
-  return lit;
-}
-
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) {
   int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
@@ -364,34 +350,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) {
   int16_t_x8 v8_15 =
       libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
           Eurydice_slice_subslice2(bytes, (size_t)11U, (size_t)22U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  v.elements[0U] = v0_7.fst;
-  v.elements[1U] = v0_7.snd;
-  v.elements[2U] = v0_7.thd;
-  v.elements[3U] = v0_7.f3;
-  v.elements[4U] = v0_7.f4;
-  v.elements[5U] = v0_7.f5;
-  v.elements[6U] = v0_7.f6;
-  v.elements[7U] = v0_7.f7;
-  v.elements[8U] = v8_15.fst;
-  v.elements[9U] = v8_15.snd;
-  v.elements[10U] = v8_15.thd;
-  v.elements[11U] = v8_15.f3;
-  v.elements[12U] = v8_15.f4;
-  v.elements[13U] = v8_15.f5;
-  v.elements[14U] = v8_15.f6;
-  v.elements[15U] = v8_15.f7;
-  return v;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_7.fst;
+  lit.elements[1U] = v0_7.snd;
+  lit.elements[2U] = v0_7.thd;
+  lit.elements[3U] = v0_7.f3;
+  lit.elements[4U] = v0_7.f4;
+  lit.elements[5U] = v0_7.f5;
+  lit.elements[6U] = v0_7.f6;
+  lit.elements[7U] = v0_7.f7;
+  lit.elements[8U] = v8_15.fst;
+  lit.elements[9U] = v8_15.snd;
+  lit.elements[10U] = v8_15.thd;
+  lit.elements[11U] = v8_15.f3;
+  lit.elements[12U] = v8_15.f4;
+  lit.elements[13U] = v8_15.f5;
+  lit.elements[14U] = v8_15.f6;
+  lit.elements[15U] = v8_15.f7;
+  return lit;
+}
+
+static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_11(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_11_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a);
+libcrux_ml_kem_vector_portable_deserialize_11_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_11(a);
 }
 
 static KRML_MUSTINLINE void
@@ -403,9 +393,9 @@ libcrux_ml_kem_vector_portable_vector_type_to_i16_array(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-static inline void libcrux_ml_kem_vector_portable_to_i16_array_0d(
+static inline void libcrux_ml_kem_vector_portable_to_i16_array_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector x,
     int16_t ret[16U]) {
   libcrux_ml_kem_vector_portable_vector_type_to_i16_array(x, ret);
@@ -926,12 +916,34 @@ static const uint8_t
                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U,
                         13U, 14U, 15U}};
 
+static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_vector_type_zero(void) {
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = (int16_t)0;
+  lit.elements[1U] = (int16_t)0;
+  lit.elements[2U] = (int16_t)0;
+  lit.elements[3U] = (int16_t)0;
+  lit.elements[4U] = (int16_t)0;
+  lit.elements[5U] = (int16_t)0;
+  lit.elements[6U] = (int16_t)0;
+  lit.elements[7U] = (int16_t)0;
+  lit.elements[8U] = (int16_t)0;
+  lit.elements[9U] = (int16_t)0;
+  lit.elements[10U] = (int16_t)0;
+  lit.elements[11U] = (int16_t)0;
+  lit.elements[12U] = (int16_t)0;
+  lit.elements[13U] = (int16_t)0;
+  lit.elements[14U] = (int16_t)0;
+  lit.elements[15U] = (int16_t)0;
+  return lit;
+}
+
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ZERO_0d(void) {
+libcrux_ml_kem_vector_portable_ZERO_2c(void) {
   return libcrux_ml_kem_vector_portable_vector_type_zero();
 }
 
@@ -950,10 +962,10 @@ libcrux_ml_kem_vector_portable_arithmetic_add(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_add_0d(
+libcrux_ml_kem_vector_portable_add_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
   return libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs);
@@ -974,10 +986,10 @@ libcrux_ml_kem_vector_portable_arithmetic_sub(
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_sub_0d(
+libcrux_ml_kem_vector_portable_sub_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
   return libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs);
@@ -985,80 +997,73 @@ libcrux_ml_kem_vector_portable_sub_0d(
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     size_t uu____0 = i0;
-    v.elements[uu____0] = v.elements[uu____0] * c;
+    vec.elements[uu____0] = vec.elements[uu____0] * c;
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_multiply_by_constant_0d(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
-  return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(v, c);
+libcrux_ml_kem_vector_portable_multiply_by_constant_2c(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) {
+  return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c);
 }
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     size_t uu____0 = i0;
-    v.elements[uu____0] = v.elements[uu____0] & c;
+    vec.elements[uu____0] = vec.elements[uu____0] & c;
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
+libcrux_ml_kem_vector_portable_bitwise_and_with_constant_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
   return libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(v,
                                                                              c);
 }
 
+/**
+ Note: This function is not secret independent
+ Only use with public values.
+*/
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  core_ops_range_Range_08 iter =
-      core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
-          (CLITERAL(core_ops_range_Range_08){
-              .start = (size_t)0U,
-              .end = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR}),
-          core_ops_range_Range_08, core_ops_range_Range_08);
-  while (true) {
-    Option_08 uu____0 =
-        core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
-            &iter, size_t, Option_08);
-    if (uu____0.tag == None) {
-      return v;
-    } else {
-      size_t i = uu____0.f0;
-      if (v.elements[i] >= (int16_t)3329) {
-        size_t uu____1 = i;
-        v.elements[uu____1] = v.elements[uu____1] - (int16_t)3329;
-      }
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) {
+  for (size_t i = (size_t)0U;
+       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
+    size_t i0 = i;
+    if (vec.elements[i0] >= (int16_t)3329) {
+      size_t uu____0 = i0;
+      vec.elements[uu____0] = vec.elements[uu____0] - (int16_t)3329;
     }
   }
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(
+libcrux_ml_kem_vector_portable_cond_subtract_3329_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
   return libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(v);
 }
@@ -1066,11 +1071,10 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(
 #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER \
   ((int32_t)20159)
 
-#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT ((int32_t)26)
+#define LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT ((int32_t)26)
 
-#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R \
-  ((int32_t)1 << (uint32_t)                                 \
-       LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT)
+#define LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_R \
+  ((int32_t)1 << (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT)
 
 /**
  Signed Barrett Reduction
@@ -1083,40 +1087,41 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(
 
  `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1)
 
- In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`.
+ Note: The input bound is 28296 to prevent overflow in the multiplication of
+ quotient by FIELD_MODULUS
+
 */
 static inline int16_t
 libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
     int16_t value) {
   int32_t t = (int32_t)value *
                   LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER +
-              (LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R >> 1U);
+              (LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_R >> 1U);
   int16_t quotient =
-      (int16_t)(t >>
-                (uint32_t)
-                    LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT);
+      (int16_t)(t >> (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_BARRETT_SHIFT);
   return value - quotient * LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
 }
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    v.elements[i0] =
+    int16_t vi =
         libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
-            v.elements[i0]);
+            vec.elements[i0]);
+    vec.elements[i0] = vi;
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_barrett_reduce_0d(
+libcrux_ml_kem_vector_portable_barrett_reduce_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
   return libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(v);
 }
@@ -1136,10 +1141,12 @@ libcrux_ml_kem_vector_portable_barrett_reduce_0d(
  - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS)
  - the absolute value of `o` is bound as follows:
 
- `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2)
+ `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665
+
+ In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <=
+ FIELD_MODULUS-1`. And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <=
+ FIELD_MODULUS + 1664
 
- In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 ·
- FIELD_MODULUS) / 2`.
 */
 static inline int16_t
 libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
@@ -1174,29 +1181,30 @@ libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
 static KRML_MUSTINLINE int16_t
 libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
     int16_t fe, int16_t fer) {
+  int32_t product = (int32_t)fe * (int32_t)fer;
   return libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
-      (int32_t)fe * (int32_t)fer);
+      product);
 }
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    v.elements[i0] =
+    vec.elements[i0] =
         libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
-            v.elements[i0], c);
+            vec.elements[i0], c);
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
+libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t r) {
   return libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant(
       v, r);
@@ -1231,30 +1239,32 @@ libcrux_ml_kem_vector_portable_compress_compress_message_coefficient(
   int16_t mask = shifted >> 15U;
   int16_t shifted_to_positive = mask ^ shifted;
   int16_t shifted_positive_in_range = shifted_to_positive - (int16_t)832;
-  return (uint8_t)(shifted_positive_in_range >> 15U & (int16_t)1);
+  int16_t r0 = shifted_positive_in_range >> 15U;
+  int16_t r1 = r0 & (int16_t)1;
+  return (uint8_t)r1;
 }
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_compress_1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    v.elements[i0] = (int16_t)
+    a.elements[i0] = (int16_t)
         libcrux_ml_kem_vector_portable_compress_compress_message_coefficient(
-            (uint16_t)v.elements[i0]);
+            (uint16_t)a.elements[i0]);
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_compress_1_0d(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return libcrux_ml_kem_vector_portable_compress_compress_1(v);
+libcrux_ml_kem_vector_portable_compress_1_2c(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return libcrux_ml_kem_vector_portable_compress_compress_1(a);
 }
 
 static KRML_MUSTINLINE uint32_t
@@ -1276,44 +1286,46 @@ libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
 }
 
 static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta,
-    size_t i, size_t j) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec,
+    int16_t zeta, size_t i, size_t j) {
   int16_t t =
       libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
-          v->elements[j], zeta);
-  v->elements[j] = v->elements[i] - t;
-  v->elements[i] = v->elements[i] + t;
+          vec->elements[j], zeta);
+  int16_t a_minus_t = vec->elements[i] - t;
+  int16_t a_plus_t = vec->elements[i] + t;
+  vec->elements[j] = a_minus_t;
+  vec->elements[i] = a_plus_t;
 }
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1, int16_t zeta2, int16_t zeta3) {
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U,
                                               (size_t)2U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U,
                                               (size_t)3U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)4U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)4U,
                                               (size_t)6U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)5U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)5U,
                                               (size_t)7U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)8U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)8U,
                                               (size_t)10U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)9U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)9U,
                                               (size_t)11U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)12U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)12U,
                                               (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)13U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)13U,
                                               (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
+libcrux_ml_kem_vector_portable_ntt_layer_1_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1, int16_t zeta2, int16_t zeta3) {
   return libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1,
@@ -1322,33 +1334,33 @@ libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1) {
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1) {
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U,
                                               (size_t)4U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U,
                                               (size_t)5U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)2U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)2U,
                                               (size_t)6U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)3U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)3U,
                                               (size_t)7U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)8U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)8U,
                                               (size_t)12U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)9U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)9U,
                                               (size_t)13U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)10U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)10U,
                                               (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)11U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)11U,
                                               (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
+libcrux_ml_kem_vector_portable_ntt_layer_2_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1) {
   return libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1);
@@ -1356,75 +1368,80 @@ libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) {
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)0U, (size_t)8U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)1U, (size_t)9U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)2U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta) {
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)0U,
+                                              (size_t)8U);
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)1U,
+                                              (size_t)9U);
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)2U,
                                               (size_t)10U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)3U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)3U,
                                               (size_t)11U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)4U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)4U,
                                               (size_t)12U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)5U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)5U,
                                               (size_t)13U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)6U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)6U,
                                               (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)7U,
+  libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)7U,
                                               (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d(
+libcrux_ml_kem_vector_portable_ntt_layer_3_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) {
   return libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta);
 }
 
 static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta,
-    size_t i, size_t j) {
-  int16_t a_minus_b = v->elements[j] - v->elements[i];
-  v->elements[i] =
-      libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
-          v->elements[i] + v->elements[j]);
-  v->elements[j] =
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec,
+    int16_t zeta, size_t i, size_t j) {
+  int16_t a_minus_b = vec->elements[j] - vec->elements[i];
+  int16_t a_plus_b = vec->elements[j] + vec->elements[i];
+  int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
+      a_plus_b);
+  int16_t o1 =
       libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
           a_minus_b, zeta);
+  vec->elements[i] = o0;
+  vec->elements[j] = o1;
 }
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1, int16_t zeta2, int16_t zeta3) {
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U,
                                                   (size_t)2U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U,
                                                   (size_t)3U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)4U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)4U,
                                                   (size_t)6U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)5U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)5U,
                                                   (size_t)7U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)8U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)8U,
                                                   (size_t)10U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)9U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)9U,
                                                   (size_t)11U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)12U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)12U,
                                                   (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)13U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)13U,
                                                   (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d(
+libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1, int16_t zeta2, int16_t zeta3) {
   return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(
@@ -1433,33 +1450,33 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d(
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
-    int16_t zeta1) {
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta0, int16_t zeta1) {
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U,
                                                   (size_t)4U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U,
                                                   (size_t)5U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)2U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)2U,
                                                   (size_t)6U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)3U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)3U,
                                                   (size_t)7U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)8U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)8U,
                                                   (size_t)12U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)9U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)9U,
                                                   (size_t)13U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)10U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)10U,
                                                   (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)11U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)11U,
                                                   (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d(
+libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
     int16_t zeta1) {
   return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0,
@@ -1468,32 +1485,33 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d(
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) {
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)0U,
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec,
+    int16_t zeta) {
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)0U,
                                                   (size_t)8U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)1U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)1U,
                                                   (size_t)9U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)2U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)2U,
                                                   (size_t)10U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)3U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)3U,
                                                   (size_t)11U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)4U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)4U,
                                                   (size_t)12U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)5U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)5U,
                                                   (size_t)13U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)6U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)6U,
                                                   (size_t)14U);
-  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)7U,
+  libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)7U,
                                                   (size_t)15U);
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d(
+libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) {
   return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta);
 }
@@ -1524,20 +1542,31 @@ static KRML_MUSTINLINE void
 libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *a,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta,
-    size_t i, size_t j,
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) {
-  int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
-      (int32_t)a->elements[i] * (int32_t)b->elements[i] +
-      (int32_t)
-              libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
-                  (int32_t)a->elements[j] * (int32_t)b->elements[j]) *
-          (int32_t)zeta);
+    size_t i, libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) {
+  int16_t ai = a->elements[(size_t)2U * i];
+  int16_t bi = b->elements[(size_t)2U * i];
+  int16_t aj = a->elements[(size_t)2U * i + (size_t)1U];
+  int16_t bj = b->elements[(size_t)2U * i + (size_t)1U];
+  int32_t ai_bi = (int32_t)ai * (int32_t)bi;
+  int32_t aj_bj_ = (int32_t)aj * (int32_t)bj;
+  int16_t aj_bj =
+      libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
+          aj_bj_);
+  int32_t aj_bj_zeta = (int32_t)aj_bj * (int32_t)zeta;
+  int32_t ai_bi_aj_bj = ai_bi + aj_bj_zeta;
+  int16_t o0 =
+      libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
+          ai_bi_aj_bj);
+  int32_t ai_bj = (int32_t)ai * (int32_t)bj;
+  int32_t aj_bi = (int32_t)aj * (int32_t)bi;
+  int32_t ai_bj_aj_bi = ai_bj + aj_bi;
   int16_t o1 =
       libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
-          (int32_t)a->elements[i] * (int32_t)b->elements[j] +
-          (int32_t)a->elements[j] * (int32_t)b->elements[i]);
-  out->elements[i] = o0;
-  out->elements[j] = o1;
+          ai_bj_aj_bi);
+  int16_t _out0[16U];
+  memcpy(_out0, out->elements, (size_t)16U * sizeof(int16_t));
+  out->elements[(size_t)2U * i] = o0;
+  out->elements[(size_t)2U * i + (size_t)1U] = o1;
 }
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
@@ -1545,33 +1574,37 @@ libcrux_ml_kem_vector_portable_ntt_ntt_multiply(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs,
     int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
+  int16_t nzeta0 = -zeta0;
+  int16_t nzeta1 = -zeta1;
+  int16_t nzeta2 = -zeta2;
+  int16_t nzeta3 = -zeta3;
   libcrux_ml_kem_vector_portable_vector_type_PortableVector out =
       libcrux_ml_kem_vector_portable_vector_type_zero();
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, zeta0, (size_t)0U, (size_t)1U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, -zeta0, (size_t)2U, (size_t)3U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, zeta1, (size_t)4U, (size_t)5U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, -zeta1, (size_t)6U, (size_t)7U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, zeta2, (size_t)8U, (size_t)9U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, -zeta2, (size_t)10U, (size_t)11U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, zeta3, (size_t)12U, (size_t)13U, &out);
-  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
-      lhs, rhs, -zeta3, (size_t)14U, (size_t)15U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta0,
+                                                            (size_t)0U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta0,
+                                                            (size_t)1U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta1,
+                                                            (size_t)2U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta1,
+                                                            (size_t)3U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta2,
+                                                            (size_t)4U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta2,
+                                                            (size_t)5U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, zeta3,
+                                                            (size_t)6U, &out);
+  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lhs, rhs, nzeta3,
+                                                            (size_t)7U, &out);
   return out;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_ntt_multiply_0d(
+libcrux_ml_kem_vector_portable_ntt_multiply_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs,
     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs,
     int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
@@ -1583,62 +1616,138 @@ static KRML_MUSTINLINE void
 libcrux_ml_kem_vector_portable_serialize_serialize_1(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
     uint8_t ret[2U]) {
-  uint8_t result[2U] = {0U};
-  for (size_t i = (size_t)0U; i < (size_t)8U; i++) {
-    size_t i0 = i;
-    size_t uu____0 = (size_t)0U;
-    result[uu____0] = (uint32_t)result[uu____0] |
-                      (uint32_t)(uint8_t)v.elements[i0] << (uint32_t)i0;
-  }
-  for (size_t i = (size_t)8U; i < (size_t)16U; i++) {
-    size_t i0 = i;
-    size_t uu____1 = (size_t)1U;
-    result[uu____1] =
-        (uint32_t)result[uu____1] | (uint32_t)(uint8_t)v.elements[i0]
-                                        << (uint32_t)(i0 - (size_t)8U);
-  }
-  memcpy(ret, result, (size_t)2U * sizeof(uint8_t));
+  uint8_t result0 = (((((((uint32_t)(uint8_t)v.elements[0U] |
+                          (uint32_t)(uint8_t)v.elements[1U] << 1U) |
+                         (uint32_t)(uint8_t)v.elements[2U] << 2U) |
+                        (uint32_t)(uint8_t)v.elements[3U] << 3U) |
+                       (uint32_t)(uint8_t)v.elements[4U] << 4U) |
+                      (uint32_t)(uint8_t)v.elements[5U] << 5U) |
+                     (uint32_t)(uint8_t)v.elements[6U] << 6U) |
+                    (uint32_t)(uint8_t)v.elements[7U] << 7U;
+  uint8_t result1 = (((((((uint32_t)(uint8_t)v.elements[8U] |
+                          (uint32_t)(uint8_t)v.elements[9U] << 1U) |
+                         (uint32_t)(uint8_t)v.elements[10U] << 2U) |
+                        (uint32_t)(uint8_t)v.elements[11U] << 3U) |
+                       (uint32_t)(uint8_t)v.elements[12U] << 4U) |
+                      (uint32_t)(uint8_t)v.elements[13U] << 5U) |
+                     (uint32_t)(uint8_t)v.elements[14U] << 6U) |
+                    (uint32_t)(uint8_t)v.elements[15U] << 7U;
+  ret[0U] = result0;
+  ret[1U] = result1;
+}
+
+static inline void libcrux_ml_kem_vector_portable_serialize_1(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[2U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-static inline void libcrux_ml_kem_vector_portable_serialize_1_0d(
+static inline void libcrux_ml_kem_vector_portable_serialize_1_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[2U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_1(a, ret);
 }
 
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) {
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector result =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  for (size_t i = (size_t)0U; i < (size_t)8U; i++) {
-    size_t i0 = i;
-    result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index(
-                                        v, (size_t)0U, uint8_t, uint8_t *) >>
-                                        (uint32_t)i0 &
-                                    1U);
-  }
-  for (size_t i = (size_t)8U;
-       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
-    size_t i0 = i;
-    result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index(
-                                        v, (size_t)1U, uint8_t, uint8_t *) >>
-                                        (uint32_t)(i0 - (size_t)8U) &
-                                    1U);
-  }
-  return result;
+  int16_t result0 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) &
+                              1U);
+  int16_t result1 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  1U &
+                              1U);
+  int16_t result2 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  2U &
+                              1U);
+  int16_t result3 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  3U &
+                              1U);
+  int16_t result4 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  4U &
+                              1U);
+  int16_t result5 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  5U &
+                              1U);
+  int16_t result6 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  6U &
+                              1U);
+  int16_t result7 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)0U, uint8_t, uint8_t *) >>
+                                  7U &
+                              1U);
+  int16_t result8 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)1U, uint8_t, uint8_t *) &
+                              1U);
+  int16_t result9 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                  v, (size_t)1U, uint8_t, uint8_t *) >>
+                                  1U &
+                              1U);
+  int16_t result10 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   2U &
+                               1U);
+  int16_t result11 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   3U &
+                               1U);
+  int16_t result12 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   4U &
+                               1U);
+  int16_t result13 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   5U &
+                               1U);
+  int16_t result14 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   6U &
+                               1U);
+  int16_t result15 = (int16_t)((uint32_t)Eurydice_slice_index(
+                                   v, (size_t)1U, uint8_t, uint8_t *) >>
+                                   7U &
+                               1U);
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = result0;
+  lit.elements[1U] = result1;
+  lit.elements[2U] = result2;
+  lit.elements[3U] = result3;
+  lit.elements[4U] = result4;
+  lit.elements[5U] = result5;
+  lit.elements[6U] = result6;
+  lit.elements[7U] = result7;
+  lit.elements[8U] = result8;
+  lit.elements[9U] = result9;
+  lit.elements[10U] = result10;
+  lit.elements[11U] = result11;
+  lit.elements[12U] = result12;
+  lit.elements[13U] = result13;
+  lit.elements[14U] = result14;
+  lit.elements[15U] = result15;
+  return lit;
+}
+
+static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_1_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a);
+libcrux_ml_kem_vector_portable_deserialize_1_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_1(a);
 }
 
 typedef struct uint8_t_x4_s {
@@ -1686,26 +1795,30 @@ libcrux_ml_kem_vector_portable_serialize_serialize_4(
       libcrux_ml_kem_vector_portable_serialize_serialize_4_int(
           Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U,
                                       int16_t));
-  uint8_t result[8U] = {0U};
-  result[0U] = result0_3.fst;
-  result[1U] = result0_3.snd;
-  result[2U] = result0_3.thd;
-  result[3U] = result0_3.f3;
-  result[4U] = result4_7.fst;
-  result[5U] = result4_7.snd;
-  result[6U] = result4_7.thd;
-  result[7U] = result4_7.f3;
-  memcpy(ret, result, (size_t)8U * sizeof(uint8_t));
+  ret[0U] = result0_3.fst;
+  ret[1U] = result0_3.snd;
+  ret[2U] = result0_3.thd;
+  ret[3U] = result0_3.f3;
+  ret[4U] = result4_7.fst;
+  ret[5U] = result4_7.snd;
+  ret[6U] = result4_7.thd;
+  ret[7U] = result4_7.f3;
+}
+
+static inline void libcrux_ml_kem_vector_portable_serialize_4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[8U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-static inline void libcrux_ml_kem_vector_portable_serialize_4_0d(
+static inline void libcrux_ml_kem_vector_portable_serialize_4_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[8U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_4(a, ret);
 }
 
 static KRML_MUSTINLINE int16_t_x8
@@ -1755,34 +1868,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) {
       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)4U, uint8_t));
   int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int(
       Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)8U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  v.elements[0U] = v0_7.fst;
-  v.elements[1U] = v0_7.snd;
-  v.elements[2U] = v0_7.thd;
-  v.elements[3U] = v0_7.f3;
-  v.elements[4U] = v0_7.f4;
-  v.elements[5U] = v0_7.f5;
-  v.elements[6U] = v0_7.f6;
-  v.elements[7U] = v0_7.f7;
-  v.elements[8U] = v8_15.fst;
-  v.elements[9U] = v8_15.snd;
-  v.elements[10U] = v8_15.thd;
-  v.elements[11U] = v8_15.f3;
-  v.elements[12U] = v8_15.f4;
-  v.elements[13U] = v8_15.f5;
-  v.elements[14U] = v8_15.f6;
-  v.elements[15U] = v8_15.f7;
-  return v;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_7.fst;
+  lit.elements[1U] = v0_7.snd;
+  lit.elements[2U] = v0_7.thd;
+  lit.elements[3U] = v0_7.f3;
+  lit.elements[4U] = v0_7.f4;
+  lit.elements[5U] = v0_7.f5;
+  lit.elements[6U] = v0_7.f6;
+  lit.elements[7U] = v0_7.f7;
+  lit.elements[8U] = v8_15.fst;
+  lit.elements[9U] = v8_15.snd;
+  lit.elements[10U] = v8_15.thd;
+  lit.elements[11U] = v8_15.f3;
+  lit.elements[12U] = v8_15.f4;
+  lit.elements[13U] = v8_15.f5;
+  lit.elements[14U] = v8_15.f6;
+  lit.elements[15U] = v8_15.f7;
+  return lit;
+}
+
+static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_4_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a);
+libcrux_ml_kem_vector_portable_deserialize_4_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_4(a);
 }
 
 typedef struct uint8_t_x5_s {
@@ -1827,28 +1944,32 @@ libcrux_ml_kem_vector_portable_serialize_serialize_5(
   uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int(
       Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U,
                                   int16_t));
-  uint8_t result[10U] = {0U};
-  result[0U] = r0_4.fst;
-  result[1U] = r0_4.snd;
-  result[2U] = r0_4.thd;
-  result[3U] = r0_4.f3;
-  result[4U] = r0_4.f4;
-  result[5U] = r5_9.fst;
-  result[6U] = r5_9.snd;
-  result[7U] = r5_9.thd;
-  result[8U] = r5_9.f3;
-  result[9U] = r5_9.f4;
-  memcpy(ret, result, (size_t)10U * sizeof(uint8_t));
+  ret[0U] = r0_4.fst;
+  ret[1U] = r0_4.snd;
+  ret[2U] = r0_4.thd;
+  ret[3U] = r0_4.f3;
+  ret[4U] = r0_4.f4;
+  ret[5U] = r5_9.fst;
+  ret[6U] = r5_9.snd;
+  ret[7U] = r5_9.thd;
+  ret[8U] = r5_9.f3;
+  ret[9U] = r5_9.f4;
+}
+
+static inline void libcrux_ml_kem_vector_portable_serialize_5(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[10U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-static inline void libcrux_ml_kem_vector_portable_serialize_5_0d(
+static inline void libcrux_ml_kem_vector_portable_serialize_5_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[10U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_5(a, ret);
 }
 
 static KRML_MUSTINLINE int16_t_x8
@@ -1909,34 +2030,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes) {
       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)5U, uint8_t));
   int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int(
       Eurydice_slice_subslice2(bytes, (size_t)5U, (size_t)10U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  v.elements[0U] = v0_7.fst;
-  v.elements[1U] = v0_7.snd;
-  v.elements[2U] = v0_7.thd;
-  v.elements[3U] = v0_7.f3;
-  v.elements[4U] = v0_7.f4;
-  v.elements[5U] = v0_7.f5;
-  v.elements[6U] = v0_7.f6;
-  v.elements[7U] = v0_7.f7;
-  v.elements[8U] = v8_15.fst;
-  v.elements[9U] = v8_15.snd;
-  v.elements[10U] = v8_15.thd;
-  v.elements[11U] = v8_15.f3;
-  v.elements[12U] = v8_15.f4;
-  v.elements[13U] = v8_15.f5;
-  v.elements[14U] = v8_15.f6;
-  v.elements[15U] = v8_15.f7;
-  return v;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_7.fst;
+  lit.elements[1U] = v0_7.snd;
+  lit.elements[2U] = v0_7.thd;
+  lit.elements[3U] = v0_7.f3;
+  lit.elements[4U] = v0_7.f4;
+  lit.elements[5U] = v0_7.f5;
+  lit.elements[6U] = v0_7.f6;
+  lit.elements[7U] = v0_7.f7;
+  lit.elements[8U] = v8_15.fst;
+  lit.elements[9U] = v8_15.snd;
+  lit.elements[10U] = v8_15.thd;
+  lit.elements[11U] = v8_15.f3;
+  lit.elements[12U] = v8_15.f4;
+  lit.elements[13U] = v8_15.f5;
+  lit.elements[14U] = v8_15.f6;
+  lit.elements[15U] = v8_15.f7;
+  return lit;
+}
+
+static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_5(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_5_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a);
+libcrux_ml_kem_vector_portable_deserialize_5_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_5(a);
 }
 
 static KRML_MUSTINLINE uint8_t_x5
@@ -1989,38 +2114,42 @@ libcrux_ml_kem_vector_portable_serialize_serialize_10(
   uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int(
       Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)16U,
                                   int16_t));
-  uint8_t result[20U] = {0U};
-  result[0U] = r0_4.fst;
-  result[1U] = r0_4.snd;
-  result[2U] = r0_4.thd;
-  result[3U] = r0_4.f3;
-  result[4U] = r0_4.f4;
-  result[5U] = r5_9.fst;
-  result[6U] = r5_9.snd;
-  result[7U] = r5_9.thd;
-  result[8U] = r5_9.f3;
-  result[9U] = r5_9.f4;
-  result[10U] = r10_14.fst;
-  result[11U] = r10_14.snd;
-  result[12U] = r10_14.thd;
-  result[13U] = r10_14.f3;
-  result[14U] = r10_14.f4;
-  result[15U] = r15_19.fst;
-  result[16U] = r15_19.snd;
-  result[17U] = r15_19.thd;
-  result[18U] = r15_19.f3;
-  result[19U] = r15_19.f4;
-  memcpy(ret, result, (size_t)20U * sizeof(uint8_t));
+  ret[0U] = r0_4.fst;
+  ret[1U] = r0_4.snd;
+  ret[2U] = r0_4.thd;
+  ret[3U] = r0_4.f3;
+  ret[4U] = r0_4.f4;
+  ret[5U] = r5_9.fst;
+  ret[6U] = r5_9.snd;
+  ret[7U] = r5_9.thd;
+  ret[8U] = r5_9.f3;
+  ret[9U] = r5_9.f4;
+  ret[10U] = r10_14.fst;
+  ret[11U] = r10_14.snd;
+  ret[12U] = r10_14.thd;
+  ret[13U] = r10_14.f3;
+  ret[14U] = r10_14.f4;
+  ret[15U] = r15_19.fst;
+  ret[16U] = r15_19.snd;
+  ret[17U] = r15_19.thd;
+  ret[18U] = r15_19.f3;
+  ret[19U] = r15_19.f4;
+}
+
+static inline void libcrux_ml_kem_vector_portable_serialize_10(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[20U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-static inline void libcrux_ml_kem_vector_portable_serialize_10_0d(
+static inline void libcrux_ml_kem_vector_portable_serialize_10_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[20U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_10(a, ret);
 }
 
 static KRML_MUSTINLINE int16_t_x8
@@ -2089,34 +2218,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) {
   int16_t_x8 v8_15 =
       libcrux_ml_kem_vector_portable_serialize_deserialize_10_int(
           Eurydice_slice_subslice2(bytes, (size_t)10U, (size_t)20U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  v.elements[0U] = v0_7.fst;
-  v.elements[1U] = v0_7.snd;
-  v.elements[2U] = v0_7.thd;
-  v.elements[3U] = v0_7.f3;
-  v.elements[4U] = v0_7.f4;
-  v.elements[5U] = v0_7.f5;
-  v.elements[6U] = v0_7.f6;
-  v.elements[7U] = v0_7.f7;
-  v.elements[8U] = v8_15.fst;
-  v.elements[9U] = v8_15.snd;
-  v.elements[10U] = v8_15.thd;
-  v.elements[11U] = v8_15.f3;
-  v.elements[12U] = v8_15.f4;
-  v.elements[13U] = v8_15.f5;
-  v.elements[14U] = v8_15.f6;
-  v.elements[15U] = v8_15.f7;
-  return v;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_7.fst;
+  lit.elements[1U] = v0_7.snd;
+  lit.elements[2U] = v0_7.thd;
+  lit.elements[3U] = v0_7.f3;
+  lit.elements[4U] = v0_7.f4;
+  lit.elements[5U] = v0_7.f5;
+  lit.elements[6U] = v0_7.f6;
+  lit.elements[7U] = v0_7.f7;
+  lit.elements[8U] = v8_15.fst;
+  lit.elements[9U] = v8_15.snd;
+  lit.elements[10U] = v8_15.thd;
+  lit.elements[11U] = v8_15.f3;
+  lit.elements[12U] = v8_15.f4;
+  lit.elements[13U] = v8_15.f5;
+  lit.elements[14U] = v8_15.f6;
+  lit.elements[15U] = v8_15.f7;
+  return lit;
+}
+
+static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_10_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a);
+libcrux_ml_kem_vector_portable_deserialize_10_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_10(a);
 }
 
 typedef struct uint8_t_x3_s {
@@ -2165,42 +2298,46 @@ libcrux_ml_kem_vector_portable_serialize_serialize_12(
   uint8_t_x3 r21_23 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
       Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U,
                                   int16_t));
-  uint8_t result[24U] = {0U};
-  result[0U] = r0_2.fst;
-  result[1U] = r0_2.snd;
-  result[2U] = r0_2.thd;
-  result[3U] = r3_5.fst;
-  result[4U] = r3_5.snd;
-  result[5U] = r3_5.thd;
-  result[6U] = r6_8.fst;
-  result[7U] = r6_8.snd;
-  result[8U] = r6_8.thd;
-  result[9U] = r9_11.fst;
-  result[10U] = r9_11.snd;
-  result[11U] = r9_11.thd;
-  result[12U] = r12_14.fst;
-  result[13U] = r12_14.snd;
-  result[14U] = r12_14.thd;
-  result[15U] = r15_17.fst;
-  result[16U] = r15_17.snd;
-  result[17U] = r15_17.thd;
-  result[18U] = r18_20.fst;
-  result[19U] = r18_20.snd;
-  result[20U] = r18_20.thd;
-  result[21U] = r21_23.fst;
-  result[22U] = r21_23.snd;
-  result[23U] = r21_23.thd;
-  memcpy(ret, result, (size_t)24U * sizeof(uint8_t));
+  ret[0U] = r0_2.fst;
+  ret[1U] = r0_2.snd;
+  ret[2U] = r0_2.thd;
+  ret[3U] = r3_5.fst;
+  ret[4U] = r3_5.snd;
+  ret[5U] = r3_5.thd;
+  ret[6U] = r6_8.fst;
+  ret[7U] = r6_8.snd;
+  ret[8U] = r6_8.thd;
+  ret[9U] = r9_11.fst;
+  ret[10U] = r9_11.snd;
+  ret[11U] = r9_11.thd;
+  ret[12U] = r12_14.fst;
+  ret[13U] = r12_14.snd;
+  ret[14U] = r12_14.thd;
+  ret[15U] = r15_17.fst;
+  ret[16U] = r15_17.snd;
+  ret[17U] = r15_17.thd;
+  ret[18U] = r18_20.fst;
+  ret[19U] = r18_20.snd;
+  ret[20U] = r18_20.thd;
+  ret[21U] = r21_23.fst;
+  ret[22U] = r21_23.snd;
+  ret[23U] = r21_23.thd;
+}
+
+static inline void libcrux_ml_kem_vector_portable_serialize_12(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
+    uint8_t ret[24U]) {
+  libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-static inline void libcrux_ml_kem_vector_portable_serialize_12_0d(
+static inline void libcrux_ml_kem_vector_portable_serialize_12_2c(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
     uint8_t ret[24U]) {
-  libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret);
+  libcrux_ml_kem_vector_portable_serialize_12(a, ret);
 }
 
 typedef struct int16_t_x2_s {
@@ -2243,34 +2380,38 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) {
   int16_t_x2 v14_15 =
       libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
           Eurydice_slice_subslice2(bytes, (size_t)21U, (size_t)24U, uint8_t));
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector re =
-      libcrux_ml_kem_vector_portable_vector_type_zero();
-  re.elements[0U] = v0_1.fst;
-  re.elements[1U] = v0_1.snd;
-  re.elements[2U] = v2_3.fst;
-  re.elements[3U] = v2_3.snd;
-  re.elements[4U] = v4_5.fst;
-  re.elements[5U] = v4_5.snd;
-  re.elements[6U] = v6_7.fst;
-  re.elements[7U] = v6_7.snd;
-  re.elements[8U] = v8_9.fst;
-  re.elements[9U] = v8_9.snd;
-  re.elements[10U] = v10_11.fst;
-  re.elements[11U] = v10_11.snd;
-  re.elements[12U] = v12_13.fst;
-  re.elements[13U] = v12_13.snd;
-  re.elements[14U] = v14_15.fst;
-  re.elements[15U] = v14_15.snd;
-  return re;
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
+  lit.elements[0U] = v0_1.fst;
+  lit.elements[1U] = v0_1.snd;
+  lit.elements[2U] = v2_3.fst;
+  lit.elements[3U] = v2_3.snd;
+  lit.elements[4U] = v4_5.fst;
+  lit.elements[5U] = v4_5.snd;
+  lit.elements[6U] = v6_7.fst;
+  lit.elements[7U] = v6_7.snd;
+  lit.elements[8U] = v8_9.fst;
+  lit.elements[9U] = v8_9.snd;
+  lit.elements[10U] = v10_11.fst;
+  lit.elements[11U] = v10_11.snd;
+  lit.elements[12U] = v12_13.fst;
+  lit.elements[13U] = v12_13.snd;
+  lit.elements[14U] = v14_15.fst;
+  lit.elements[15U] = v14_15.snd;
+  return lit;
+}
+
+static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a);
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_deserialize_12_0d(Eurydice_slice a) {
-  return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a);
+libcrux_ml_kem_vector_portable_deserialize_12_2c(Eurydice_slice a) {
+  return libcrux_ml_kem_vector_portable_deserialize_12(a);
 }
 
 static KRML_MUSTINLINE size_t
@@ -2336,9 +2477,9 @@ libcrux_ml_kem_vector_portable_sampling_rej_sample(Eurydice_slice a,
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
-static inline size_t libcrux_ml_kem_vector_portable_rej_sample_0d(
+static inline size_t libcrux_ml_kem_vector_portable_rej_sample_2c(
     Eurydice_slice a, Eurydice_slice out) {
   return libcrux_ml_kem_vector_portable_sampling_rej_sample(a, out);
 }
@@ -2418,33 +2559,33 @@ typedef struct libcrux_ml_kem_polynomial_PolynomialRingElement_1d_s {
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_ef
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_ZERO_d6_8c(void) {
+libcrux_ml_kem_polynomial_ZERO_ef_96(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit;
-  lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_0d();
-  lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_0d();
+  lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_2c();
   return lit;
 }
 
@@ -2456,7 +2597,7 @@ with const generics
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_1b(size_t _) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_8c();
+  return libcrux_ml_kem_polynomial_ZERO_ef_96();
 }
 
 /**
@@ -2466,17 +2607,17 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_8c(
+libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_96(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_12_2c(bytes);
     re.coefficients[i0] = uu____0;
   }
   return re;
@@ -2496,7 +2637,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+    secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   }
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(secret_key, uint8_t) /
@@ -2509,7 +2650,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_1b(
             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_8c(
+        libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_96(
             secret_bytes);
     secret_as_ntt[i0] = uu____0;
   }
@@ -2538,7 +2679,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_6c(size_t _) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_8c();
+  return libcrux_ml_kem_polynomial_ZERO_ef_96();
 }
 
 /**
@@ -2549,34 +2690,34 @@ const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_ef(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    int32_t decompressed = (int32_t)v.elements[i0] *
+    int32_t decompressed = (int32_t)a.elements[i0] *
                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)10);
     decompressed = decompressed >> (uint32_t)((int32_t)10 + (int32_t)1);
-    v.elements[i0] = (int16_t)decompressed;
+    a.elements[i0] = (int16_t)decompressed;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
+libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_2c with const
 generics
 - COEFFICIENT_BITS= 10
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_ef(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_2c_ef(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_ef(
-      v);
+      a);
 }
 
 /**
@@ -2586,19 +2727,19 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_serialize_deserialize_then_decompress_10_8c(
+libcrux_ml_kem_serialize_deserialize_then_decompress_10_96(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_deserialize_10_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_10_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_ef(
+        libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_2c_ef(
             coefficient);
     re.coefficients[i0] = uu____0;
   }
@@ -2613,34 +2754,34 @@ const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_c4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    int32_t decompressed = (int32_t)v.elements[i0] *
+    int32_t decompressed = (int32_t)a.elements[i0] *
                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)11);
     decompressed = decompressed >> (uint32_t)((int32_t)11 + (int32_t)1);
-    v.elements[i0] = (int16_t)decompressed;
+    a.elements[i0] = (int16_t)decompressed;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
+libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_2c with const
 generics
 - COEFFICIENT_BITS= 11
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_c4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_2c_c4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_c4(
-      v);
+      a);
 }
 
 /**
@@ -2650,19 +2791,19 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_serialize_deserialize_then_decompress_11_8c(
+libcrux_ml_kem_serialize_deserialize_then_decompress_11_96(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_deserialize_11_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_11_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_c4(
+        libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_2c_c4(
             coefficient);
     re.coefficients[i0] = uu____0;
   }
@@ -2678,7 +2819,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_0a(
     Eurydice_slice serialized) {
-  return libcrux_ml_kem_serialize_deserialize_then_decompress_10_8c(serialized);
+  return libcrux_ml_kem_serialize_deserialize_then_decompress_10_96(serialized);
 }
 
 typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2_s {
@@ -2693,9 +2834,9 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_traits_montgomery_multiply_fe_8c(
+libcrux_ml_kem_vector_traits_montgomery_multiply_fe_96(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t fer) {
-  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(v,
+  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(v,
                                                                            fer);
 }
 
@@ -2707,14 +2848,14 @@ with const generics
 */
 static KRML_MUSTINLINE
     libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2
-    libcrux_ml_kem_ntt_ntt_layer_int_vec_step_8c(
+    libcrux_ml_kem_ntt_ntt_layer_int_vec_step_96(
         libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
         libcrux_ml_kem_vector_portable_vector_type_PortableVector b,
         int16_t zeta_r) {
   libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
-      libcrux_ml_kem_vector_traits_montgomery_multiply_fe_8c(b, zeta_r);
-  b = libcrux_ml_kem_vector_portable_sub_0d(a, &t);
-  a = libcrux_ml_kem_vector_portable_add_0d(a, &t);
+      libcrux_ml_kem_vector_traits_montgomery_multiply_fe_96(b, zeta_r);
+  b = libcrux_ml_kem_vector_portable_sub_2c(a, &t);
+  a = libcrux_ml_kem_vector_portable_add_2c(a, &t);
   return (
       CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){
           .fst = a, .snd = b});
@@ -2726,7 +2867,7 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(
+static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
     size_t layer, size_t _initial_coefficient_bound) {
   size_t step = (size_t)1U << (uint32_t)layer;
@@ -2739,9 +2880,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(
     for (size_t i = offset_vec; i < offset_vec + step_vec; i++) {
       size_t j = i;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 =
-          libcrux_ml_kem_ntt_ntt_layer_int_vec_step_8c(
+          libcrux_ml_kem_ntt_ntt_layer_int_vec_step_96(
               re->coefficients[j], re->coefficients[j + step_vec],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd;
       re->coefficients[j] = x;
@@ -2756,16 +2897,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_8c(
+static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
-    size_t _layer, size_t _initial_coefficient_bound) {
+    size_t _initial_coefficient_bound) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d(
+        libcrux_ml_kem_vector_portable_ntt_layer_3_step_2c(
             re->coefficients[round],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
     re->coefficients[round] = uu____0;
   }
 }
@@ -2776,18 +2917,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_8c(
+static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
-    size_t _layer, size_t _initial_coefficient_bound) {
+    size_t _initial_coefficient_bound) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
     re->coefficients[round] =
-        libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
-            re->coefficients[round],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                               (size_t)1U]);
+        libcrux_ml_kem_vector_portable_ntt_layer_2_step_2c(
+            re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U));
     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
   }
 }
@@ -2798,49 +2937,56 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_8c(
+static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
-    size_t _layer, size_t _initial_coefficient_bound) {
+    size_t _initial_coefficient_bound) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
     re->coefficients[round] =
-        libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
-            re->coefficients[round],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                               (size_t)1U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                               (size_t)2U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
-                                                               (size_t)3U]);
+        libcrux_ml_kem_vector_portable_ntt_layer_1_step_2c(
+            re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U));
     zeta_i[0U] = zeta_i[0U] + (size_t)3U;
   }
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) {
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            self->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+            myself->coefficients[i0]);
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) {
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_96(self);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.ntt.ntt_vector_u
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
@@ -2850,18 +2996,18 @@ with const generics
 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_0a(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   size_t zeta_i = (size_t)0U;
-  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)7U,
-                                            (size_t)3328U);
-  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U,
-                                            (size_t)3328U);
-  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U,
+  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)7U,
                                             (size_t)3328U);
-  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U,
-                                            (size_t)3328U);
-  libcrux_ml_kem_ntt_ntt_at_layer_3_8c(&zeta_i, re, (size_t)3U, (size_t)3328U);
-  libcrux_ml_kem_ntt_ntt_at_layer_2_8c(&zeta_i, re, (size_t)2U, (size_t)3328U);
-  libcrux_ml_kem_ntt_ntt_at_layer_1_8c(&zeta_i, re, (size_t)1U, (size_t)3328U);
-  libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c(re);
+  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)6U,
+                                            (size_t)2U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)5U,
+                                            (size_t)3U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)4U,
+                                            (size_t)4U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_3_96(&zeta_i, re, (size_t)5U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_2_96(&zeta_i, re, (size_t)6U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_1_96(&zeta_i, re, (size_t)7U * (size_t)3328U);
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_96(re);
 }
 
 /**
@@ -2882,7 +3028,7 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+    u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   }
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
@@ -2919,34 +3065,34 @@ const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_d1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    int32_t decompressed = (int32_t)v.elements[i0] *
+    int32_t decompressed = (int32_t)a.elements[i0] *
                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)4);
     decompressed = decompressed >> (uint32_t)((int32_t)4 + (int32_t)1);
-    v.elements[i0] = (int16_t)decompressed;
+    a.elements[i0] = (int16_t)decompressed;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
+libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_2c with const
 generics
 - COEFFICIENT_BITS= 4
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_d1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_2c_d1(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_d1(
-      v);
+      a);
 }
 
 /**
@@ -2956,19 +3102,19 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_serialize_deserialize_then_decompress_4_8c(
+libcrux_ml_kem_serialize_deserialize_then_decompress_4_96(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_deserialize_4_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_4_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_d1(
+        libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_2c_d1(
             coefficient);
     re.coefficients[i0] = uu____0;
   }
@@ -2983,34 +3129,34 @@ const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_f4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    int32_t decompressed = (int32_t)v.elements[i0] *
+    int32_t decompressed = (int32_t)a.elements[i0] *
                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)5);
     decompressed = decompressed >> (uint32_t)((int32_t)5 + (int32_t)1);
-    v.elements[i0] = (int16_t)decompressed;
+    a.elements[i0] = (int16_t)decompressed;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
+libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_2c with const
 generics
 - COEFFICIENT_BITS= 5
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_f4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_2c_f4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_f4(
-      v);
+      a);
 }
 
 /**
@@ -3020,19 +3166,19 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_serialize_deserialize_then_decompress_5_8c(
+libcrux_ml_kem_serialize_deserialize_then_decompress_5_96(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t);
     re.coefficients[i0] =
-        libcrux_ml_kem_vector_portable_deserialize_5_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_5_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 =
-        libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_f4(
+        libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_2c_f4(
             re.coefficients[i0]);
     re.coefficients[i0] = uu____1;
   }
@@ -3043,12 +3189,41 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_5_8c(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_v with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
+- K= 3
 - COMPRESSION_FACTOR= 4
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_d0(
+libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_89(
     Eurydice_slice serialized) {
-  return libcrux_ml_kem_serialize_deserialize_then_decompress_4_8c(serialized);
+  return libcrux_ml_kem_serialize_deserialize_then_decompress_4_96(serialized);
+}
+
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.ZERO
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_ZERO_96(void) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit;
+  lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_2c();
+  return lit;
 }
 
 /**
@@ -3079,99 +3254,115 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_d0(
  <https://csrc.nist.gov/pubs/fips/203/ipd>.
 */
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_ntt_multiply_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+libcrux_ml_kem_polynomial_ntt_multiply_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d out =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_96();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_ntt_multiply_0d(
-            &self->coefficients[i0], &rhs->coefficients[i0],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                               (size_t)4U * i0],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                               (size_t)4U * i0 +
-                                                               (size_t)1U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                               (size_t)4U * i0 +
-                                                               (size_t)2U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
-                                                               (size_t)4U * i0 +
-                                                               (size_t)3U]);
+        libcrux_ml_kem_vector_portable_ntt_multiply_2c(
+            &myself->coefficients[i0], &rhs->coefficients[i0],
+            libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0),
+            libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                           (size_t)1U),
+            libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                           (size_t)2U),
+            libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 +
+                                           (size_t)3U));
     out.coefficients[i0] = uu____0;
   }
   return out;
 }
 
-/**
- Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
- sum of their constituent coefficients.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
+TraitClause@1]#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_ef
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
-- K= 3
+
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_ntt_multiply_ef_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  return libcrux_ml_kem_polynomial_ntt_multiply_96(self, rhs);
+}
+
+/**
+ Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+ sum of their constituent coefficients.
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 3
+*/
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_1b(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(
                Eurydice_array_to_slice(
-                   (size_t)16U, self->coefficients,
+                   (size_t)16U, myself->coefficients,
                    libcrux_ml_kem_vector_portable_vector_type_PortableVector),
                libcrux_ml_kem_vector_portable_vector_type_PortableVector);
        i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_2c(myself->coefficients[i0],
                                               &rhs->coefficients[i0]);
-    self->coefficients[i0] = uu____0;
+    myself->coefficients[i0] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 3
+*/
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) {
+  libcrux_ml_kem_polynomial_add_to_ring_element_1b(self, rhs);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.invert_ntt.invert_ntt_at_layer_1
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_8c(
-    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
-    size_t _layer) {
+static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_96(
+    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
     re->coefficients[round] =
-        libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d(
-            re->coefficients[round],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                               (size_t)1U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                               (size_t)2U],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                               (size_t)3U]);
+        libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_2c(
+            re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U));
     zeta_i[0U] = zeta_i[0U] - (size_t)3U;
   }
 }
@@ -3182,18 +3373,15 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_8c(
-    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
-    size_t _layer) {
+static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_96(
+    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
     re->coefficients[round] =
-        libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d(
-            re->coefficients[round],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
-                                                               (size_t)1U]);
+        libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_2c(
+            re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]),
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U));
     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
   }
 }
@@ -3204,16 +3392,15 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_8c(
-    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
-    size_t _layer) {
+static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_96(
+    size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t round = i;
     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d(
+        libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_2c(
             re->coefficients[round],
-            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+            libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
     re->coefficients[round] = uu____0;
   }
 }
@@ -3226,15 +3413,15 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 */
 static KRML_MUSTINLINE
     libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2
-    libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_8c(
+    libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_96(
         libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
         libcrux_ml_kem_vector_portable_vector_type_PortableVector b,
         int16_t zeta_r) {
   libcrux_ml_kem_vector_portable_vector_type_PortableVector a_minus_b =
-      libcrux_ml_kem_vector_portable_sub_0d(b, &a);
-  a = libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-      libcrux_ml_kem_vector_portable_add_0d(a, &b));
-  b = libcrux_ml_kem_vector_traits_montgomery_multiply_fe_8c(a_minus_b, zeta_r);
+      libcrux_ml_kem_vector_portable_sub_2c(b, &a);
+  a = libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+      libcrux_ml_kem_vector_portable_add_2c(a, &b));
+  b = libcrux_ml_kem_vector_traits_montgomery_multiply_fe_96(a_minus_b, zeta_r);
   return (
       CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){
           .fst = a, .snd = b});
@@ -3247,7 +3434,7 @@ with const generics
 
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_8c(
+libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_96(
     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re,
     size_t layer) {
   size_t step = (size_t)1U << (uint32_t)layer;
@@ -3262,9 +3449,9 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_8c(
     for (size_t i = offset_vec; i < offset_vec + step_vec; i++) {
       size_t j = i;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 =
-          libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_8c(
+          libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_96(
               re->coefficients[j], re->coefficients[j + step_vec],
-              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
+              libcrux_ml_kem_polynomial_zeta(zeta_i[0U]));
       libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst;
       libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd;
       re->coefficients[j] = x;
@@ -3283,51 +3470,64 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   size_t zeta_i =
       LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U;
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_8c(&zeta_i, re, (size_t)1U);
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_8c(&zeta_i, re, (size_t)2U);
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_8c(&zeta_i, re, (size_t)3U);
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_8c(&zeta_i, re,
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_96(&zeta_i, re);
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_96(&zeta_i, re);
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_96(&zeta_i, re);
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_96(&zeta_i, re,
                                                           (size_t)4U);
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_8c(&zeta_i, re,
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_96(&zeta_i, re,
                                                           (size_t)5U);
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_8c(&zeta_i, re,
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_96(&zeta_i, re,
                                                           (size_t)6U);
-  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_8c(&zeta_i, re,
+  libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_96(&zeta_i, re,
                                                           (size_t)7U);
-  libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c(re);
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_96(re);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_subtract_reduce_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+libcrux_ml_kem_polynomial_subtract_reduce_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
-            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
+            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
                 b.coefficients[i0], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            libcrux_ml_kem_vector_portable_sub_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+            libcrux_ml_kem_vector_portable_sub_2c(myself->coefficients[i0],
                                                   &coefficient_normal_form));
     b.coefficients[i0] = uu____0;
   }
   return b;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_subtract_reduce_ef_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) {
+  return libcrux_ml_kem_polynomial_subtract_reduce_96(self, b);
+}
+
 /**
  The following functions compute various expressions involving
  vectors and matrices. The computation of these expressions has been
@@ -3346,16 +3546,16 @@ libcrux_ml_kem_matrix_compute_message_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d result =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_ef_96();
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-        libcrux_ml_kem_polynomial_ntt_multiply_d6_8c(&secret_as_ntt[i0],
+        libcrux_ml_kem_polynomial_ntt_multiply_ef_96(&secret_as_ntt[i0],
                                                      &u_as_ntt[i0]);
-    libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result, &product);
+    libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(&result, &product);
   }
   libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result);
-  result = libcrux_ml_kem_polynomial_subtract_reduce_d6_8c(v, result);
+  result = libcrux_ml_kem_polynomial_subtract_reduce_ef_96(v, result);
   return result;
 }
 
@@ -3366,26 +3566,26 @@ with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_arithmetic_shift_right_ef(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
-    v.elements[i0] = v.elements[i0] >> (uint32_t)(int32_t)15;
+    vec.elements[i0] = vec.elements[i0] >> (uint32_t)(int32_t)15;
   }
-  return v;
+  return vec;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.shift_right_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.shift_right_2c
 with const generics
 - SHIFT_BY= 15
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_shift_right_0d_ef(
+libcrux_ml_kem_vector_portable_shift_right_2c_ef(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
   return libcrux_ml_kem_vector_portable_arithmetic_shift_right_ef(v);
 }
@@ -3397,14 +3597,26 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_traits_to_unsigned_representative_8c(
+libcrux_ml_kem_vector_traits_to_unsigned_representative_96(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
-      libcrux_ml_kem_vector_portable_shift_right_0d_ef(a);
+      libcrux_ml_kem_vector_portable_shift_right_2c_ef(a);
   libcrux_ml_kem_vector_portable_vector_type_PortableVector fm =
-      libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
+      libcrux_ml_kem_vector_portable_bitwise_and_with_constant_2c(
           t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
-  return libcrux_ml_kem_vector_portable_add_0d(a, &fm);
+  return libcrux_ml_kem_vector_portable_add_2c(a, &fm);
+}
+
+/**
+A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_modulus
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
+libcrux_ml_kem_serialize_to_unsigned_field_modulus_96(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return libcrux_ml_kem_vector_traits_to_unsigned_representative_96(a);
 }
 
 /**
@@ -3414,19 +3626,19 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_compress_then_serialize_message_8c(
+libcrux_ml_kem_serialize_compress_then_serialize_message_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, uint8_t ret[32U]) {
   uint8_t serialized[32U] = {0U};
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_traits_to_unsigned_representative_8c(
+        libcrux_ml_kem_serialize_to_unsigned_field_modulus_96(
             re.coefficients[i0]);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_compressed =
-            libcrux_ml_kem_vector_portable_compress_1_0d(coefficient);
+            libcrux_ml_kem_vector_portable_compress_1_2c(coefficient);
     uint8_t bytes[2U];
-    libcrux_ml_kem_vector_portable_serialize_1_0d(coefficient_compressed,
+    libcrux_ml_kem_vector_portable_serialize_1_2c(coefficient_compressed,
                                                   bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t);
@@ -3476,14 +3688,14 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_unpacked_42(
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U];
   libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c(ciphertext, u_as_ntt);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d v =
-      libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_d0(
+      libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_89(
           Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
                                           (size_t)960U, uint8_t, size_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d message =
       libcrux_ml_kem_matrix_compute_message_1b(&v, secret_key->secret_as_ntt,
                                                u_as_ntt);
   uint8_t ret0[32U];
-  libcrux_ml_kem_serialize_compress_then_serialize_message_8c(message, ret0);
+  libcrux_ml_kem_serialize_compress_then_serialize_message_96(message, ret0);
   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
 }
 
@@ -3586,7 +3798,7 @@ static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0
 libcrux_ml_kem_ind_cpa_unpacked_default_8d_1b(void) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+    uu____0[i] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   }
   uint8_t uu____1[32U] = {0U};
   libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 lit;
@@ -3594,15 +3806,15 @@ libcrux_ml_kem_ind_cpa_unpacked_default_8d_1b(void) {
       lit.t_as_ntt, uu____0,
       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));
   memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t));
-  lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+  lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   return lit;
 }
 
@@ -3619,19 +3831,19 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_8c(
+libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_96(
     Eurydice_slice serialized) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_ef_96();
   for (size_t i = (size_t)0U;
        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
     size_t i0 = i;
     Eurydice_slice bytes = Eurydice_slice_subslice2(
         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes);
+        libcrux_ml_kem_vector_portable_deserialize_12_2c(bytes);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(coefficient);
+        libcrux_ml_kem_vector_portable_cond_subtract_3329_2c(coefficient);
     re.coefficients[i0] = uu____0;
   }
   return re;
@@ -3644,11 +3856,10 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_8c(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 1152
 - K= 3
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b3(
+libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) {
   for (size_t i = (size_t)0U;
@@ -3662,7 +3873,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b3(
             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_8c(
+        libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_96(
             ring_element);
     deserialized_pk[i0] = uu____0;
   }
@@ -3679,11 +3890,12 @@ typedef struct libcrux_ml_kem_hash_functions_portable_PortableHash_88_s {
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_init_absorb with const generics
+libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const
+generics
 - K= 3
 */
 static KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash_88
-libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_e0(
+libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_e0(
     uint8_t input[3U][34U]) {
   libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
@@ -3711,28 +3923,28 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_f1 with const
+libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_f1 with const
 generics
 - K= 3
 */
 static KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash_88
-libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_f1_e0(
+libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_f1_e0(
     uint8_t input[3U][34U]) {
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_input[3U][34U];
   memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U]));
-  return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_e0(
+  return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_e0(
       copy_of_input);
 }
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks with const
-generics
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with
+const generics
 - K= 3
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_e0(
+libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_e0(
     libcrux_ml_kem_hash_functions_portable_PortableHash_88 *st,
     uint8_t ret[3U][504U]) {
   uint8_t out[3U][504U] = {{0U}};
@@ -3751,16 +3963,16 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks_f1 with
-const generics
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_f1
+with const generics
 - K= 3
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_f1_e0(
+libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_f1_e0(
     libcrux_ml_kem_hash_functions_portable_PortableHash_88 *self,
     uint8_t ret[3U][504U]) {
-  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_e0(self,
-                                                                          ret);
+  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_e0(
+      self, ret);
 }
 
 /**
@@ -3824,7 +4036,7 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89(
         Eurydice_slice uu____0 =
             Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U,
                                         r * (size_t)24U + (size_t)24U, uint8_t);
-        size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
+        size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_2c(
             uu____0, Eurydice_array_to_subslice2(
                          out[i1], sampled_coefficients[i1],
                          sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -3849,12 +4061,12 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block with const
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const
 generics
 - K= 3
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_e0(
+libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_e0(
     libcrux_ml_kem_hash_functions_portable_PortableHash_88 *st,
     uint8_t ret[3U][168U]) {
   uint8_t out[3U][168U] = {{0U}};
@@ -3873,15 +4085,16 @@ libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block_f1 with const
+libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_f1 with const
 generics
 - K= 3
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_f1_e0(
+libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_f1_e0(
     libcrux_ml_kem_hash_functions_portable_PortableHash_88 *self,
     uint8_t ret[3U][168U]) {
-  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_e0(self, ret);
+  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_e0(self,
+                                                                        ret);
 }
 
 /**
@@ -3945,7 +4158,7 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890(
         Eurydice_slice uu____0 =
             Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U,
                                         r * (size_t)24U + (size_t)24U, uint8_t);
-        size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
+        size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_2c(
             uu____0, Eurydice_array_to_subslice2(
                          out[i1], sampled_coefficients[i1],
                          sampled_coefficients[i1] + (size_t)16U, int16_t));
@@ -3969,25 +4182,20 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890(
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_from_i16_array_d6_8c(Eurydice_slice a) {
+libcrux_ml_kem_polynomial_from_i16_array_96(Eurydice_slice a) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d result =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_96();
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_from_i16_array_0d(
+        libcrux_ml_kem_vector_portable_from_i16_array_2c(
             Eurydice_slice_subslice2(a, i0 * (size_t)16U,
                                      (i0 + (size_t)1U) * (size_t)16U, int16_t));
     result.coefficients[i0] = uu____0;
@@ -3995,6 +4203,22 @@ libcrux_ml_kem_polynomial_from_i16_array_d6_8c(Eurydice_slice a) {
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_from_i16_array_ef_96(Eurydice_slice a) {
+  return libcrux_ml_kem_polynomial_from_i16_array_96(a);
+}
+
 /**
 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.closure
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -4004,7 +4228,7 @@ generics
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 libcrux_ml_kem_sampling_sample_from_xof_closure_2b(int16_t s[272U]) {
-  return libcrux_ml_kem_polynomial_from_i16_array_d6_8c(
+  return libcrux_ml_kem_polynomial_from_i16_array_ef_96(
       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
 }
 
@@ -4024,10 +4248,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_2b(
   uint8_t copy_of_seeds[3U][34U];
   memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U]));
   libcrux_ml_kem_hash_functions_portable_PortableHash_88 xof_state =
-      libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_f1_e0(
+      libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_f1_e0(
           copy_of_seeds);
   uint8_t randomness0[3U][504U];
-  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_f1_e0(
+  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_f1_e0(
       &xof_state, randomness0);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness0[3U][504U];
@@ -4039,7 +4263,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_2b(
       break;
     } else {
       uint8_t randomness[3U][168U];
-      libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_f1_e0(
+      libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_f1_e0(
           &xof_state, randomness);
       /* Passing arrays by value in Rust generates a copy in C */
       uint8_t copy_of_randomness[3U][168U];
@@ -4117,13 +4341,14 @@ generics
 - K= 3
 - T_AS_NTT_ENCODED_SIZE= 1152
 */
-static inline void libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_3f(
+static KRML_MUSTINLINE void
+libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_3f(
     Eurydice_slice public_key,
     libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0
         *unpacked_public_key) {
   Eurydice_slice uu____0 =
       Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t);
-  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b3(
+  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b(
       uu____0, unpacked_public_key->t_as_ntt);
   Eurydice_slice seed =
       Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t);
@@ -4142,8 +4367,10 @@ generics
 - K= 3
 - T_AS_NTT_ENCODED_SIZE= 1152
 */
-static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0
-libcrux_ml_kem_ind_cpa_build_unpacked_public_key_3f(Eurydice_slice public_key) {
+static KRML_MUSTINLINE
+    libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0
+    libcrux_ml_kem_ind_cpa_build_unpacked_public_key_3f(
+        Eurydice_slice public_key) {
   libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0
       unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_1b();
   libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_3f(public_key,
@@ -4174,7 +4401,7 @@ generics
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_closure_3b(size_t _i) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_8c();
+  return libcrux_ml_kem_polynomial_ZERO_ef_96();
 }
 
 /**
@@ -4266,7 +4493,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_8c(
+libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_96(
     Eurydice_slice randomness) {
   int16_t sampled_i16s[256U] = {0U};
   for (size_t i0 = (size_t)0U;
@@ -4301,7 +4528,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_8c(
       sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2;
     }
   }
-  return libcrux_ml_kem_polynomial_from_i16_array_d6_8c(
+  return libcrux_ml_kem_polynomial_from_i16_array_ef_96(
       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
 }
 
@@ -4312,7 +4539,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_8c(
+libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_96(
     Eurydice_slice randomness) {
   int16_t sampled_i16s[256U] = {0U};
   for (size_t i0 = (size_t)0U;
@@ -4346,7 +4573,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_8c(
       sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2;
     }
   }
-  return libcrux_ml_kem_polynomial_from_i16_array_d6_8c(
+  return libcrux_ml_kem_polynomial_from_i16_array_ef_96(
       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
 }
 
@@ -4359,7 +4586,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0(
     Eurydice_slice randomness) {
-  return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_8c(
+  return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_96(
       randomness);
 }
 
@@ -4369,18 +4596,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_8c(
+static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
   size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U;
   for (size_t i = (size_t)0U; i < step; i++) {
     size_t j = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
-        libcrux_ml_kem_vector_portable_multiply_by_constant_0d(
+        libcrux_ml_kem_vector_portable_multiply_by_constant_2c(
             re->coefficients[j + step], (int16_t)-1600);
     re->coefficients[j + step] =
-        libcrux_ml_kem_vector_portable_sub_0d(re->coefficients[j], &t);
+        libcrux_ml_kem_vector_portable_sub_2c(re->coefficients[j], &t);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 =
-        libcrux_ml_kem_vector_portable_add_0d(re->coefficients[j], &t);
+        libcrux_ml_kem_vector_portable_add_2c(re->coefficients[j], &t);
     re->coefficients[j] = uu____1;
   }
 }
@@ -4392,20 +4619,23 @@ with const generics
 
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_8c(
+libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) {
-  libcrux_ml_kem_ntt_ntt_at_layer_7_8c(re);
+  libcrux_ml_kem_ntt_ntt_at_layer_7_96(re);
   size_t zeta_i = (size_t)1U;
-  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)6U,
-                                            (size_t)3U);
-  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)5U,
-                                            (size_t)3U);
-  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_8c(&zeta_i, re, (size_t)4U,
-                                            (size_t)3U);
-  libcrux_ml_kem_ntt_ntt_at_layer_3_8c(&zeta_i, re, (size_t)3U, (size_t)3U);
-  libcrux_ml_kem_ntt_ntt_at_layer_2_8c(&zeta_i, re, (size_t)2U, (size_t)3U);
-  libcrux_ml_kem_ntt_ntt_at_layer_1_8c(&zeta_i, re, (size_t)1U, (size_t)3U);
-  libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c(re);
+  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)6U,
+                                            (size_t)11207U);
+  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_96(&zeta_i, re, (size_t)5U,
+                                            (size_t)11207U + (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_96(
+      &zeta_i, re, (size_t)4U, (size_t)11207U + (size_t)2U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_3_96(
+      &zeta_i, re, (size_t)11207U + (size_t)3U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_2_96(
+      &zeta_i, re, (size_t)11207U + (size_t)4U * (size_t)3328U);
+  libcrux_ml_kem_ntt_ntt_at_layer_1_96(
+      &zeta_i, re, (size_t)11207U + (size_t)5U * (size_t)3328U);
+  libcrux_ml_kem_polynomial_poly_barrett_reduce_ef_96(re);
 }
 
 /**
@@ -4432,11 +4662,8 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b(
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
     memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));
   }
-  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    size_t i0 = i;
-    prf_inputs[i0][32U] = domain_separator;
-    domain_separator = (uint32_t)domain_separator + 1U;
-  }
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator);
   uint8_t prf_outputs[3U][128U];
   libcrux_ml_kem_hash_functions_portable_PRFxN_f1_41(prf_inputs, prf_outputs);
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
@@ -4444,7 +4671,7 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b(
     re_as_ntt[i0] =
         libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0(
             Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t));
-    libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_8c(&re_as_ntt[i0]);
+    libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_96(&re_as_ntt[i0]);
   }
   return domain_separator;
 }
@@ -4463,7 +4690,7 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_3b(
     uint8_t prf_input[33U], uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re_as_ntt[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+    re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   }
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = re_as_ntt;
   uint8_t uu____1[33U];
@@ -4494,7 +4721,7 @@ generics
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure_3b(size_t _i) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_8c();
+  return libcrux_ml_kem_polynomial_ZERO_ef_96();
 }
 
 /**
@@ -4514,7 +4741,7 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_3b(uint8_t prf_input[33U],
                                                   uint8_t domain_separator) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    error_1[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+    error_1[i] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   }
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_prf_input[33U];
@@ -4523,11 +4750,8 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_3b(uint8_t prf_input[33U],
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
     memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));
   }
-  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    size_t i0 = i;
-    prf_inputs[i0][32U] = domain_separator;
-    domain_separator = (uint32_t)domain_separator + 1U;
-  }
+  domain_separator =
+      libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator);
   uint8_t prf_outputs[3U][128U];
   libcrux_ml_kem_hash_functions_portable_PRFxN_f1_41(prf_inputs, prf_outputs);
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
@@ -4586,38 +4810,50 @@ with const generics
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
 libcrux_ml_kem_matrix_compute_vector_u_closure_1b(size_t _i) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_8c();
+  return libcrux_ml_kem_polynomial_ZERO_ef_96();
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
-            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
-                self->coefficients[j], (int16_t)1441);
+            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
+                myself->coefficients[j], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+            libcrux_ml_kem_vector_portable_add_2c(coefficient_normal_form,
                                                   &error->coefficients[j]));
-    self->coefficients[j] = uu____0;
+    myself->coefficients[j] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ef_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
+  libcrux_ml_kem_polynomial_add_error_reduce_96(self, error);
+}
+
 /**
  Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 */
@@ -4634,7 +4870,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    result[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+    result[i] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   }
   for (size_t i0 = (size_t)0U;
        i0 < Eurydice_slice_len(
@@ -4655,12 +4891,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_1b(
       size_t j = i;
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-          libcrux_ml_kem_polynomial_ntt_multiply_d6_8c(a_element, &r_as_ntt[j]);
-      libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result[i1],
+          libcrux_ml_kem_polynomial_ntt_multiply_ef_96(a_element, &r_as_ntt[j]);
+      libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(&result[i1],
                                                           &product);
     }
     libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result[i1]);
-    libcrux_ml_kem_polynomial_add_error_reduce_d6_8c(&result[i1], &error_1[i1]);
+    libcrux_ml_kem_polynomial_add_error_reduce_ef_96(&result[i1], &error_1[i1]);
   }
   memcpy(
       ret, result,
@@ -4674,12 +4910,16 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_traits_decompress_1_8c(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-      libcrux_ml_kem_vector_portable_ZERO_0d();
-  return libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
-      libcrux_ml_kem_vector_portable_sub_0d(uu____0, &v), (int16_t)1665);
+libcrux_ml_kem_vector_traits_decompress_1_96(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) {
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector z =
+      libcrux_ml_kem_vector_portable_ZERO_2c();
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector s =
+      libcrux_ml_kem_vector_portable_sub_2c(z, &vec);
+  libcrux_ml_kem_vector_portable_vector_type_PortableVector res =
+      libcrux_ml_kem_vector_portable_bitwise_and_with_constant_2c(
+          s, (int16_t)1665);
+  return res;
 }
 
 /**
@@ -4689,39 +4929,34 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_serialize_deserialize_then_decompress_message_8c(
+libcrux_ml_kem_serialize_deserialize_then_decompress_message_96(
     uint8_t serialized[32U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d re =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_ef_96();
   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_compressed =
-            libcrux_ml_kem_vector_portable_deserialize_1_0d(
+            libcrux_ml_kem_vector_portable_deserialize_1_2c(
                 Eurydice_array_to_subslice2(serialized, (size_t)2U * i0,
                                             (size_t)2U * i0 + (size_t)2U,
                                             uint8_t));
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_traits_decompress_1_8c(coefficient_compressed);
+        libcrux_ml_kem_vector_traits_decompress_1_96(coefficient_compressed);
     re.coefficients[i0] = uu____0;
   }
   return re;
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_add_message_error_reduce_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+libcrux_ml_kem_polynomial_add_message_error_reduce_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) {
   for (size_t i = (size_t)0U;
@@ -4729,20 +4964,40 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_d6_8c(
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
-            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
+            libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
                 result.coefficients[i0], (int16_t)1441);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp =
-        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
+        libcrux_ml_kem_vector_portable_add_2c(myself->coefficients[i0],
                                               &message->coefficients[i0]);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp0 =
-        libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form, &tmp);
+        libcrux_ml_kem_vector_portable_add_2c(coefficient_normal_form, &tmp);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(tmp0);
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(tmp0);
     result.coefficients[i0] = uu____0;
   }
   return result;
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d
+libcrux_ml_kem_polynomial_add_message_error_reduce_ef_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) {
+  return libcrux_ml_kem_polynomial_add_message_error_reduce_96(self, message,
+                                                               result);
+}
+
 /**
  Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 */
@@ -4759,16 +5014,16 @@ libcrux_ml_kem_matrix_compute_ring_element_v_1b(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d result =
-      libcrux_ml_kem_polynomial_ZERO_d6_8c();
+      libcrux_ml_kem_polynomial_ZERO_ef_96();
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-        libcrux_ml_kem_polynomial_ntt_multiply_d6_8c(&t_as_ntt[i0],
+        libcrux_ml_kem_polynomial_ntt_multiply_ef_96(&t_as_ntt[i0],
                                                      &r_as_ntt[i0]);
-    libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result, &product);
+    libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(&result, &product);
   }
   libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result);
-  result = libcrux_ml_kem_polynomial_add_message_error_reduce_d6_8c(
+  result = libcrux_ml_kem_polynomial_add_message_error_reduce_ef_96(
       error_2, message, result);
   return result;
 }
@@ -4780,31 +5035,31 @@ with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_compress_ef(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     int16_t uu____0 =
         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
-            (uint8_t)(int32_t)10, (uint16_t)v.elements[i0]);
-    v.elements[i0] = uu____0;
+            (uint8_t)(int32_t)10, (uint16_t)a.elements[i0]);
+    a.elements[i0] = uu____0;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.compress_2c
 with const generics
 - COEFFICIENT_BITS= 10
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_compress_0d_ef(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return libcrux_ml_kem_vector_portable_compress_compress_ef(v);
+libcrux_ml_kem_vector_portable_compress_2c_ef(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return libcrux_ml_kem_vector_portable_compress_compress_ef(a);
 }
 
 /**
@@ -4821,11 +5076,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_ff(
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_compress_0d_ef(
-            libcrux_ml_kem_vector_traits_to_unsigned_representative_8c(
+        libcrux_ml_kem_vector_portable_compress_2c_ef(
+            libcrux_ml_kem_serialize_to_unsigned_field_modulus_96(
                 re->coefficients[i0]));
     uint8_t bytes[20U];
-    libcrux_ml_kem_vector_portable_serialize_10_0d(coefficient, bytes);
+    libcrux_ml_kem_vector_portable_serialize_10_2c(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t);
     Eurydice_slice_copy(
@@ -4841,31 +5096,31 @@ with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_compress_c4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     int16_t uu____0 =
         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
-            (uint8_t)(int32_t)11, (uint16_t)v.elements[i0]);
-    v.elements[i0] = uu____0;
+            (uint8_t)(int32_t)11, (uint16_t)a.elements[i0]);
+    a.elements[i0] = uu____0;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.compress_2c
 with const generics
 - COEFFICIENT_BITS= 11
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_compress_0d_c4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return libcrux_ml_kem_vector_portable_compress_compress_c4(v);
+libcrux_ml_kem_vector_portable_compress_2c_c4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return libcrux_ml_kem_vector_portable_compress_compress_c4(a);
 }
 
 /**
@@ -4882,11 +5137,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_11_ff(
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_compress_0d_c4(
-            libcrux_ml_kem_vector_traits_to_unsigned_representative_8c(
+        libcrux_ml_kem_vector_portable_compress_2c_c4(
+            libcrux_ml_kem_vector_traits_to_unsigned_representative_96(
                 re->coefficients[i0]));
     uint8_t bytes[22U];
-    libcrux_ml_kem_vector_portable_serialize_11_0d(coefficient, bytes);
+    libcrux_ml_kem_vector_portable_serialize_11_2c(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t);
     Eurydice_slice_copy(
@@ -4952,31 +5207,31 @@ with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_compress_d1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     int16_t uu____0 =
         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
-            (uint8_t)(int32_t)4, (uint16_t)v.elements[i0]);
-    v.elements[i0] = uu____0;
+            (uint8_t)(int32_t)4, (uint16_t)a.elements[i0]);
+    a.elements[i0] = uu____0;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.compress_2c
 with const generics
 - COEFFICIENT_BITS= 4
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_compress_0d_d1(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return libcrux_ml_kem_vector_portable_compress_compress_d1(v);
+libcrux_ml_kem_vector_portable_compress_2c_d1(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return libcrux_ml_kem_vector_portable_compress_compress_d1(a);
 }
 
 /**
@@ -4986,18 +5241,18 @@ with const generics
 
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_compress_then_serialize_4_8c(
+libcrux_ml_kem_serialize_compress_then_serialize_4_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d re,
     Eurydice_slice serialized) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_portable_compress_0d_d1(
-            libcrux_ml_kem_vector_traits_to_unsigned_representative_8c(
+        libcrux_ml_kem_vector_portable_compress_2c_d1(
+            libcrux_ml_kem_serialize_to_unsigned_field_modulus_96(
                 re.coefficients[i0]));
     uint8_t bytes[8U];
-    libcrux_ml_kem_vector_portable_serialize_4_0d(coefficient, bytes);
+    libcrux_ml_kem_vector_portable_serialize_4_2c(coefficient, bytes);
     Eurydice_slice_copy(
         Eurydice_slice_subslice2(serialized, (size_t)8U * i0,
                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
@@ -5012,31 +5267,31 @@ with const generics
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
 libcrux_ml_kem_vector_portable_compress_compress_f4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
     size_t i0 = i;
     int16_t uu____0 =
         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
-            (uint8_t)(int32_t)5, (uint16_t)v.elements[i0]);
-    v.elements[i0] = uu____0;
+            (uint8_t)(int32_t)5, (uint16_t)a.elements[i0]);
+    a.elements[i0] = uu____0;
   }
-  return v;
+  return a;
 }
 
 /**
 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
-libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
+A monomorphic instance of libcrux_ml_kem.vector.portable.compress_2c
 with const generics
 - COEFFICIENT_BITS= 5
 */
 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_portable_compress_0d_f4(
-    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return libcrux_ml_kem_vector_portable_compress_compress_f4(v);
+libcrux_ml_kem_vector_portable_compress_2c_f4(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
+  return libcrux_ml_kem_vector_portable_compress_compress_f4(a);
 }
 
 /**
@@ -5046,18 +5301,18 @@ with const generics
 
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_compress_then_serialize_5_8c(
+libcrux_ml_kem_serialize_compress_then_serialize_5_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d re,
     Eurydice_slice serialized) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients =
-        libcrux_ml_kem_vector_portable_compress_0d_f4(
-            libcrux_ml_kem_vector_traits_to_unsigned_representative_8c(
+        libcrux_ml_kem_vector_portable_compress_2c_f4(
+            libcrux_ml_kem_vector_traits_to_unsigned_representative_96(
                 re.coefficients[i0]));
     uint8_t bytes[10U];
-    libcrux_ml_kem_vector_portable_serialize_5_0d(coefficients, bytes);
+    libcrux_ml_kem_vector_portable_serialize_5_2c(coefficients, bytes);
     Eurydice_slice_copy(
         Eurydice_slice_subslice2(serialized, (size_t)10U * i0,
                                  (size_t)10U * i0 + (size_t)10U, uint8_t),
@@ -5069,13 +5324,14 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_8c(
 A monomorphic instance of
 libcrux_ml_kem.serialize.compress_then_serialize_ring_element_v with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
+- K= 3
 - COMPRESSION_FACTOR= 4
 - OUT_LEN= 128
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_ff(
+libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_6c(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out) {
-  libcrux_ml_kem_serialize_compress_then_serialize_4_8c(re, out);
+  libcrux_ml_kem_serialize_compress_then_serialize_4_96(re, out);
 }
 
 /**
@@ -5176,7 +5432,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a(
   uint8_t copy_of_message[32U];
   memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d message_as_ring_element =
-      libcrux_ml_kem_serialize_deserialize_then_decompress_message_8c(
+      libcrux_ml_kem_serialize_deserialize_then_decompress_message_96(
           copy_of_message);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d v =
       libcrux_ml_kem_matrix_compute_ring_element_v_1b(
@@ -5190,7 +5446,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a(
       uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)960U,
                                            uint8_t));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____6 = v;
-  libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_ff(
+  libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_6c(
       uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
                                                (size_t)960U, uint8_t, size_t));
   memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t));
@@ -5251,6 +5507,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_d8_d6(
   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -5308,7 +5567,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_80(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   libcrux_ml_kem_hash_functions_portable_PRF_f1_41(
@@ -5330,7 +5589,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62(
   libcrux_ml_kem_variant_kdf_d8_d6(shared_secret0, ciphertext, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_80(ciphertext),
       Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
@@ -5428,7 +5687,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -5449,7 +5708,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca(
   uint8_t ret[32U];
   libcrux_ml_kem_hash_functions_portable_H_f1_e0(
       Eurydice_array_to_slice((size_t)1184U,
-                              libcrux_ml_kem_types_as_slice_ba_d0(public_key),
+                              libcrux_ml_kem_types_as_slice_fd_d0(public_key),
                               uint8_t),
       ret);
   Eurydice_slice_copy(
@@ -5464,7 +5723,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t);
+      (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -5475,7 +5734,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca(
   uint8_t copy_of_ciphertext[1088U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 =
-      libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_80(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   libcrux_ml_kem_variant_kdf_d8_d6(shared_secret, &ciphertext0,
                                    shared_secret_array);
@@ -5501,7 +5760,7 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -5550,9 +5809,9 @@ with const generics
 static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0
 libcrux_ml_kem_ind_cpa_unpacked_default_1a_1b(void) {
   libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 lit;
-  lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
-  lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+  lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
+  lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   return lit;
 }
 
@@ -5589,42 +5848,55 @@ with const generics
 
 */
 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
-libcrux_ml_kem_vector_traits_to_standard_domain_8c(
+libcrux_ml_kem_vector_traits_to_standard_domain_96(
     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
-  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
+  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_2c(
       v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS);
 }
 
 /**
-This function found in impl
-{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@1]}
-*/
-/**
-A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_d6
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_8c(
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+libcrux_ml_kem_polynomial_add_standard_error_reduce_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t j = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector
         coefficient_normal_form =
-            libcrux_ml_kem_vector_traits_to_standard_domain_8c(
-                self->coefficients[j]);
+            libcrux_ml_kem_vector_traits_to_standard_domain_96(
+                myself->coefficients[j]);
     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
-        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
-            libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
+        libcrux_ml_kem_vector_portable_barrett_reduce_2c(
+            libcrux_ml_kem_vector_portable_add_2c(coefficient_normal_form,
                                                   &error->coefficients[j]));
-    self->coefficients[j] = uu____0;
+    myself->coefficients[j] = uu____0;
   }
 }
 
+/**
+This function found in impl
+{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
+TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_ef
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+
+*/
+static KRML_MUSTINLINE void
+libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_96(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self,
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) {
+  libcrux_ml_kem_polynomial_add_standard_error_reduce_96(self, error);
+}
+
 /**
  Compute  ◦ ŝ + ê
 */
@@ -5649,7 +5921,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_1b(
     size_t i0 = i;
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0];
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        libcrux_ml_kem_polynomial_ZERO_d6_8c();
+        libcrux_ml_kem_polynomial_ZERO_ef_96();
     t_as_ntt[i0] = uu____0;
     for (size_t i1 = (size_t)0U;
          i1 < Eurydice_slice_len(
@@ -5662,12 +5934,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_1b(
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element =
           &row[j];
       libcrux_ml_kem_polynomial_PolynomialRingElement_1d product =
-          libcrux_ml_kem_polynomial_ntt_multiply_d6_8c(matrix_element,
+          libcrux_ml_kem_polynomial_ntt_multiply_ef_96(matrix_element,
                                                        &s_as_ntt[j]);
-      libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&t_as_ntt[i0],
+      libcrux_ml_kem_polynomial_add_to_ring_element_ef_1b(&t_as_ntt[i0],
                                                           &product);
     }
-    libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_8c(
+    libcrux_ml_kem_polynomial_add_standard_error_reduce_ef_96(
         &t_as_ntt[i0], &error_as_ntt[i0]);
   }
 }
@@ -5776,17 +6048,17 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_8c(
+libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[384U]) {
   uint8_t serialized[384U] = {0U};
   for (size_t i = (size_t)0U;
        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
     size_t i0 = i;
     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
-        libcrux_ml_kem_vector_traits_to_unsigned_representative_8c(
+        libcrux_ml_kem_serialize_to_unsigned_field_modulus_96(
             re->coefficients[i0]);
     uint8_t bytes[24U];
-    libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes);
+    libcrux_ml_kem_vector_portable_serialize_12_2c(coefficient, bytes);
     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
         serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t);
     Eurydice_slice_copy(
@@ -5823,7 +6095,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_secret_key_89(
         (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
         uint8_t);
     uint8_t ret0[384U];
-    libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_8c(&re, ret0);
+    libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_96(&re, ret0);
     Eurydice_slice_copy(
         uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t);
   }
@@ -5992,9 +6264,6 @@ libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6(
       implicit_rejection_value, uint8_t);
 }
 
-/**
- Serialize the secret key.
-*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key
 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
@@ -6028,7 +6297,7 @@ libcrux_ml_kem_variant_MlKem with const generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -6057,13 +6326,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_f8(uint8_t randomness[64U]) {
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)2400U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key =
-      libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_28(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[1184U];
   memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_74(
-      uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_74(
+      uu____2, libcrux_ml_kem_types_from_5f_d0(copy_of_public_key));
 }
 
 /**
@@ -6077,7 +6346,7 @@ generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -6124,7 +6393,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_33_d6(
   uint8_t ret0[32U];
   libcrux_ml_kem_hash_functions_portable_H_f1_e0(
       Eurydice_array_to_slice((size_t)1088U,
-                              libcrux_ml_kem_types_as_slice_07_80(ciphertext),
+                              libcrux_ml_kem_types_as_slice_d4_80(ciphertext),
                               uint8_t),
       ret0);
   Eurydice_slice_copy(
@@ -6135,6 +6404,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_33_d6(
   memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t));
 }
 
+/**
+ This code verifies on some machines, runs out of memory on others
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
@@ -6192,7 +6464,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_620(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_80(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret0[32U];
   libcrux_ml_kem_hash_functions_portable_PRF_f1_41(
@@ -6214,7 +6486,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_620(
   libcrux_ml_kem_variant_kdf_33_d6(shared_secret0, ciphertext, shared_secret);
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
-      libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+      libcrux_ml_kem_types_as_ref_43_80(ciphertext),
       Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t),
       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
@@ -6296,7 +6568,7 @@ libcrux_ml_kem_variant_Kyber with const generics
 - C2_SIZE= 128
 - VECTOR_U_COMPRESSION_FACTOR= 10
 - VECTOR_V_COMPRESSION_FACTOR= 4
-- VECTOR_U_BLOCK_LEN= 320
+- C1_BLOCK_SIZE= 320
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 - ETA2= 2
@@ -6317,7 +6589,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca0(
   uint8_t ret[32U];
   libcrux_ml_kem_hash_functions_portable_H_f1_e0(
       Eurydice_array_to_slice((size_t)1184U,
-                              libcrux_ml_kem_types_as_slice_ba_d0(public_key),
+                              libcrux_ml_kem_types_as_slice_fd_d0(public_key),
                               uint8_t),
       ret);
   Eurydice_slice_copy(
@@ -6332,7 +6604,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca0(
   Eurydice_slice shared_secret = uu____1.fst;
   Eurydice_slice pseudorandomness = uu____1.snd;
   Eurydice_slice uu____2 = Eurydice_array_to_slice(
-      (size_t)1184U, libcrux_ml_kem_types_as_slice_ba_d0(public_key), uint8_t);
+      (size_t)1184U, libcrux_ml_kem_types_as_slice_fd_d0(public_key), uint8_t);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_randomness[32U];
   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
@@ -6343,7 +6615,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca0(
   uint8_t copy_of_ciphertext[1088U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 =
-      libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_80(copy_of_ciphertext);
   uint8_t shared_secret_array[32U];
   libcrux_ml_kem_variant_kdf_33_d6(shared_secret, &ciphertext0,
                                    shared_secret_array);
@@ -6563,7 +6835,7 @@ libcrux_ml_kem_variant_Kyber with const generics
 - CPA_PRIVATE_KEY_SIZE= 1152
 - PRIVATE_KEY_SIZE= 2400
 - PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
+- RANKED_BYTES_PER_RING_ELEMENT= 1152
 - ETA1= 2
 - ETA1_RANDOMNESS_SIZE= 128
 */
@@ -6592,13 +6864,13 @@ libcrux_ml_kem_ind_cca_generate_keypair_f80(uint8_t randomness[64U]) {
   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
          (size_t)2400U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key =
-      libcrux_ml_kem_types_from_88_28(copy_of_secret_key_serialized);
+      libcrux_ml_kem_types_from_9a_28(copy_of_secret_key_serialized);
   libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key;
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_public_key[1184U];
   memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t));
-  return libcrux_ml_kem_types_from_17_74(
-      uu____2, libcrux_ml_kem_types_from_40_d0(copy_of_public_key));
+  return libcrux_ml_kem_types_from_3a_74(
+      uu____2, libcrux_ml_kem_types_from_5f_d0(copy_of_public_key));
 }
 
 /**
@@ -6746,44 +7018,12 @@ A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.closure with
 types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const
 generics
-- PUBLIC_KEY_SIZE= 1184
 - K= 3
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_c0(
+libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_1b(
     size_t _i) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_8c();
-}
-
-/**
- See [deserialize_ring_elements_reduced_out].
-*/
-/**
-A monomorphic instance of
-libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
-libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 1184
-- K= 3
-*/
-static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_c0(
-    Eurydice_slice public_key,
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) {
-  for (size_t i = (size_t)0U;
-       i < Eurydice_slice_len(public_key, uint8_t) /
-               LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
-       i++) {
-    size_t i0 = i;
-    Eurydice_slice ring_element = Eurydice_slice_subslice2(
-        public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
-            LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
-        uint8_t);
-    libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-        libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_8c(
-            ring_element);
-    deserialized_pk[i0] = uu____0;
-  }
+  return libcrux_ml_kem_polynomial_ZERO_ef_96();
 }
 
 /**
@@ -6796,18 +7036,17 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_c0(
 A monomorphic instance of
 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
-- PUBLIC_KEY_SIZE= 1184
 - K= 3
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_c0(
+libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_1b(
     Eurydice_slice public_key,
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U];
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+    deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   }
-  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_c0(
+  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b(
       public_key, deserialized_pk);
   memcpy(
       ret, deserialized_pk,
@@ -6832,7 +7071,7 @@ with const generics
 static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_6c(
     uint8_t *public_key) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U];
-  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_c0(
+  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_1b(
       Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U,
                                     uint8_t, size_t),
       deserialized_pk);
@@ -6963,7 +7202,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51(
   Eurydice_slice uu____2 = Eurydice_array_to_subslice_from(
       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
       uint8_t, size_t);
-  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+  Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_43_80(ciphertext),
                       uint8_t);
   uint8_t implicit_rejection_shared_secret[32U];
   libcrux_ml_kem_hash_functions_portable_PRF_f1_41(
@@ -6979,7 +7218,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51(
       uu____3, copy_of_decrypted, pseudorandomness, expected_ciphertext);
   uint8_t selector =
       libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time(
-          libcrux_ml_kem_types_as_ref_fd_80(ciphertext),
+          libcrux_ml_kem_types_as_ref_43_80(ciphertext),
           Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t));
   uint8_t ret0[32U];
   libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time(
@@ -7093,7 +7332,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_0c(
   uint8_t copy_of_ciphertext[1088U];
   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 =
-      libcrux_ml_kem_types_from_fc_80(copy_of_ciphertext);
+      libcrux_ml_kem_types_from_00_80(copy_of_ciphertext);
   /* Passing arrays by value in Rust generates a copy in C */
   uint8_t copy_of_shared_secret_array[32U];
   memcpy(copy_of_shared_secret_array, shared_secret_array,
@@ -7160,57 +7399,41 @@ static inline tuple_c2 libcrux_ml_kem_mlkem768_portable_unpacked_encapsulate(
 
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.generate_keypair.closure.closure with types
-libcrux_ml_kem_vector_portable_vector_type_PortableVector,
-libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
-libcrux_ml_kem_variant_MlKem with const generics
+libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure.closure with types
+libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 - K= 3
-- CPA_PRIVATE_KEY_SIZE= 1152
-- PRIVATE_KEY_SIZE= 2400
-- PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_closure_f8(size_t _j) {
-  return libcrux_ml_kem_polynomial_ZERO_d6_8c();
+libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_closure_1b(size_t _j) {
+  return libcrux_ml_kem_polynomial_ZERO_ef_96();
 }
 
 /**
-A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.generate_keypair.closure with types
-libcrux_ml_kem_vector_portable_vector_type_PortableVector,
-libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
-libcrux_ml_kem_variant_MlKem with const generics
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
 - K= 3
-- CPA_PRIVATE_KEY_SIZE= 1152
-- PRIVATE_KEY_SIZE= 2400
-- PUBLIC_KEY_SIZE= 1184
-- BYTES_PER_RING_ELEMENT= 1152
-- ETA1= 2
-- ETA1_RANDOMNESS_SIZE= 128
 */
-static inline void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_f8(
+static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_1b(
     size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) {
   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    ret[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c();
+    ret[i] = libcrux_ml_kem_polynomial_ZERO_ef_96();
   }
 }
 
 /**
 This function found in impl {(core::clone::Clone for
 libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0,
-TraitClause@2])#1}
+TraitClause@2])}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.polynomial.clone_17
+A monomorphic instance of libcrux_ml_kem.polynomial.clone_8d
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 
 */
 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d
-libcrux_ml_kem_polynomial_clone_17_8c(
+libcrux_ml_kem_polynomial_clone_8d_96(
     libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) {
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit;
   libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[16U];
@@ -7223,6 +7446,37 @@ libcrux_ml_kem_polynomial_clone_17_8c(
   return lit;
 }
 
+/**
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
+with const generics
+- K= 3
+*/
+static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b(
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d ind_cpa_a[3U][3U],
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U][3U]) {
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U];
+  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
+    libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_1b(i, A[i]);
+  }
+  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
+    size_t i0 = i;
+    libcrux_ml_kem_polynomial_PolynomialRingElement_1d _a_i[3U][3U];
+    memcpy(_a_i, A,
+           (size_t)3U *
+               sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]));
+    for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) {
+      size_t j = i1;
+      libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
+          libcrux_ml_kem_polynomial_clone_8d_96(&ind_cpa_a[j][i0]);
+      A[i0][j] = uu____0;
+    }
+  }
+  memcpy(ret, A,
+         (size_t)3U *
+             sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]));
+}
+
 /**
  Generate Unpacked Keys
 */
@@ -7252,20 +7506,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_f8(
   libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_1c(
       ind_cpa_keypair_randomness, &out->private_key.ind_cpa_private_key,
       &out->public_key.ind_cpa_public_key);
+  libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U][3U];
+  memcpy(uu____0, out->public_key.ind_cpa_public_key.A,
+         (size_t)3U *
+             sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]));
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U];
-  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-    libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_f8(i, A[i]);
-  }
-  for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) {
-    size_t i1 = i0;
-    for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
-      size_t j = i;
-      libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 =
-          libcrux_ml_kem_polynomial_clone_17_8c(
-              &out->public_key.ind_cpa_public_key.A[j][i1]);
-      A[i1][j] = uu____0;
-    }
-  }
+  libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b(uu____0, A);
   libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____1[3U][3U];
   memcpy(uu____1, A,
          (size_t)3U *
@@ -7336,16 +7582,16 @@ libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair_mut(
 /**
 This function found in impl {(core::default::Default for
 libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1])#1}
+K>[TraitClause@0, TraitClause@1])}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_1c
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_09
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 3
 */
 static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0
-libcrux_ml_kem_ind_cca_unpacked_default_1c_1b(void) {
+libcrux_ml_kem_ind_cca_unpacked_default_09_1b(void) {
   libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 lit;
   lit.ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_1b();
   lit.public_key_hash[0U] = 0U;
@@ -7386,17 +7632,17 @@ libcrux_ml_kem_ind_cca_unpacked_default_1c_1b(void) {
 /**
 This function found in impl {(core::default::Default for
 libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1])#3}
+K>[TraitClause@0, TraitClause@1])#1}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_07
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_53
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 3
 */
 static KRML_MUSTINLINE
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked
-    libcrux_ml_kem_ind_cca_unpacked_default_07_1b(void) {
+    libcrux_ml_kem_ind_cca_unpacked_default_53_1b(void) {
   libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0 uu____0;
   uu____0.ind_cpa_private_key = libcrux_ml_kem_ind_cpa_unpacked_default_1a_1b();
   uu____0.implicit_rejection_value[0U] = 0U;
@@ -7434,7 +7680,7 @@ static KRML_MUSTINLINE
   return (CLITERAL(
       libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked){
       .private_key = uu____0,
-      .public_key = libcrux_ml_kem_ind_cca_unpacked_default_1c_1b()});
+      .public_key = libcrux_ml_kem_ind_cca_unpacked_default_09_1b()});
 }
 
 /**
@@ -7444,7 +7690,7 @@ static inline libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked
 libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair(
     uint8_t randomness[64U]) {
   libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked key_pair =
-      libcrux_ml_kem_ind_cca_unpacked_default_07_1b();
+      libcrux_ml_kem_ind_cca_unpacked_default_53_1b();
   uint8_t uu____0[64U];
   memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair_mut(uu____0,
@@ -7457,7 +7703,7 @@ libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair(
 */
 static inline libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked
 libcrux_ml_kem_mlkem768_portable_unpacked_init_key_pair(void) {
-  return libcrux_ml_kem_ind_cca_unpacked_default_07_1b();
+  return libcrux_ml_kem_ind_cca_unpacked_default_53_1b();
 }
 
 /**
@@ -7465,7 +7711,7 @@ libcrux_ml_kem_mlkem768_portable_unpacked_init_key_pair(void) {
 */
 static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0
 libcrux_ml_kem_mlkem768_portable_unpacked_init_public_key(void) {
-  return libcrux_ml_kem_ind_cca_unpacked_default_1c_1b();
+  return libcrux_ml_kem_ind_cca_unpacked_default_09_1b();
 }
 
 /**
@@ -7557,17 +7803,14 @@ libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_from_private_mut(
       private_key, key_pair);
 }
 
-/**
- Get the serialized private key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_de with types
+libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_fc with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 - K= 3
 - CPA_PRIVATE_KEY_SIZE= 1152
@@ -7576,7 +7819,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 - RANKED_BYTES_PER_RING_ELEMENT= 1152
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_de_42(
+libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_fc_42(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self,
     libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) {
   libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 =
@@ -7595,17 +7838,14 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_de_42(
       serialized->value);
 }
 
-/**
- Get the serialized private key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_de with types
+libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_fc with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 - K= 3
 - CPA_PRIVATE_KEY_SIZE= 1152
@@ -7614,11 +7854,11 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 - RANKED_BYTES_PER_RING_ELEMENT= 1152
 */
 static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPrivateKey_d9
-libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_de_42(
+libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_fc_42(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) {
   libcrux_ml_kem_types_MlKemPrivateKey_d9 sk =
-      libcrux_ml_kem_types_default_9e_28();
-  libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_de_42(self, &sk);
+      libcrux_ml_kem_types_default_24_28();
+  libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_fc_42(self, &sk);
   return sk;
 }
 
@@ -7629,7 +7869,7 @@ static inline libcrux_ml_kem_types_MlKemPrivateKey_d9
 libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_private_key(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked
         *key_pair) {
-  return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_de_42(key_pair);
+  return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_fc_42(key_pair);
 }
 
 /**
@@ -7639,20 +7879,17 @@ static inline void
 libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_private_key_mut(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair,
     libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) {
-  libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_de_42(key_pair,
+  libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_fc_42(key_pair,
                                                                    serialized);
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]}
+K>[TraitClause@0, TraitClause@1]#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_dd
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_30
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 3
@@ -7660,7 +7897,7 @@ with const generics
 - PUBLIC_KEY_SIZE= 1184
 */
 static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30
-libcrux_ml_kem_ind_cca_unpacked_serialized_dd_6c(
+libcrux_ml_kem_ind_cca_unpacked_serialized_30_6c(
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self) {
   uint8_t ret[1184U];
   libcrux_ml_kem_ind_cpa_serialize_public_key_6c(
@@ -7668,29 +7905,26 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_dd_6c(
       Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A,
                               uint8_t),
       ret);
-  return libcrux_ml_kem_types_from_40_d0(ret);
+  return libcrux_ml_kem_types_from_5f_d0(ret);
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_de with types
+libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_fc with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 - K= 3
 - RANKED_BYTES_PER_RING_ELEMENT= 1152
 - PUBLIC_KEY_SIZE= 1184
 */
 static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30
-libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_de_6c(
+libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_fc_6c(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) {
-  return libcrux_ml_kem_ind_cca_unpacked_serialized_dd_6c(&self->public_key);
+  return libcrux_ml_kem_ind_cca_unpacked_serialized_30_6c(&self->public_key);
 }
 
 /**
@@ -7700,19 +7934,16 @@ static inline libcrux_ml_kem_types_MlKemPublicKey_30
 libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_public_key(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked
         *key_pair) {
-  return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_de_6c(key_pair);
+  return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_fc_6c(key_pair);
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]}
+K>[TraitClause@0, TraitClause@1]#3}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_dd
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_30
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 3
@@ -7720,7 +7951,7 @@ with const generics
 - PUBLIC_KEY_SIZE= 1184
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_6c(
+libcrux_ml_kem_ind_cca_unpacked_serialized_mut_30_6c(
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self,
     libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) {
   libcrux_ml_kem_ind_cpa_serialize_public_key_mut_6c(
@@ -7730,27 +7961,24 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_6c(
       serialized->value);
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
 A monomorphic instance of
-libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_de with types
+libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_fc with types
 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
 - K= 3
 - RANKED_BYTES_PER_RING_ELEMENT= 1152
 - PUBLIC_KEY_SIZE= 1184
 */
 static KRML_MUSTINLINE void
-libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_6c(
+libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_fc_6c(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self,
     libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) {
-  libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_6c(&self->public_key,
+  libcrux_ml_kem_ind_cca_unpacked_serialized_mut_30_6c(&self->public_key,
                                                        serialized);
 }
 
@@ -7761,7 +7989,7 @@ static inline void
 libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_public_key_mut(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair,
     libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) {
-  libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_6c(key_pair,
+  libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_fc_6c(key_pair,
                                                                   serialized);
 }
 
@@ -7804,16 +8032,16 @@ libcrux_ml_kem_ind_cpa_unpacked_clone_ef_1b(
 /**
 This function found in impl {(core::clone::Clone for
 libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked<Vector,
-K>[TraitClause@0, TraitClause@2])#4}
+K>[TraitClause@0, TraitClause@2])#2}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_28
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_dd
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 3
 */
 static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0
-libcrux_ml_kem_ind_cca_unpacked_clone_28_1b(
+libcrux_ml_kem_ind_cca_unpacked_clone_dd_1b(
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self) {
   libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 lit;
   lit.ind_cpa_public_key =
@@ -7825,22 +8053,19 @@ libcrux_ml_kem_ind_cca_unpacked_clone_28_1b(
   return lit;
 }
 
-/**
- Get the serialized public key.
-*/
 /**
 This function found in impl
 {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked<Vector,
-K>[TraitClause@0, TraitClause@1]#2}
+K>[TraitClause@0, TraitClause@1]#4}
 */
 /**
-A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_de
+A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_fc
 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
 with const generics
 - K= 3
 */
 static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *
-libcrux_ml_kem_ind_cca_unpacked_public_key_de_1b(
+libcrux_ml_kem_ind_cca_unpacked_public_key_fc_1b(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) {
   return &self->public_key;
 }
@@ -7852,8 +8077,8 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_public_key(
     libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair,
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *pk) {
   libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 uu____0 =
-      libcrux_ml_kem_ind_cca_unpacked_clone_28_1b(
-          libcrux_ml_kem_ind_cca_unpacked_public_key_de_1b(key_pair));
+      libcrux_ml_kem_ind_cca_unpacked_clone_dd_1b(
+          libcrux_ml_kem_ind_cca_unpacked_public_key_fc_1b(key_pair));
   pk[0U] = uu____0;
 }
 
@@ -7864,7 +8089,7 @@ static inline void
 libcrux_ml_kem_mlkem768_portable_unpacked_serialized_public_key(
     libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key,
     libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) {
-  libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_6c(public_key, serialized);
+  libcrux_ml_kem_ind_cca_unpacked_serialized_mut_30_6c(public_key, serialized);
 }
 
 /**
@@ -7886,7 +8111,7 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_f9(
         *unpacked_public_key) {
   Eurydice_slice uu____0 = Eurydice_array_to_subslice_to(
       (size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t);
-  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b3(
+  libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b(
       uu____0, unpacked_public_key->ind_cpa_public_key.t_as_ntt);
   uint8_t uu____1[32U];
   libcrux_ml_kem_utils_into_padded_array_9e(
@@ -7906,7 +8131,7 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_f9(
   uint8_t uu____3[32U];
   libcrux_ml_kem_hash_functions_portable_H_f1_e0(
       Eurydice_array_to_slice((size_t)1184U,
-                              libcrux_ml_kem_types_as_slice_ba_d0(public_key),
+                              libcrux_ml_kem_types_as_slice_fd_d0(public_key),
                               uint8_t),
       uu____3);
   memcpy(unpacked_public_key->public_key_hash, uu____3,
@@ -7956,6 +8181,16 @@ libcrux_ml_kem_vector_portable_vector_type_clone_3b(
   return self[0U];
 }
 
+/**
+This function found in impl {(libcrux_ml_kem::vector::traits::Repr for
+libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
+*/
+static inline void libcrux_ml_kem_vector_portable_repr_94(
+    libcrux_ml_kem_vector_portable_vector_type_PortableVector x,
+    int16_t ret[16U]) {
+  libcrux_ml_kem_vector_portable_vector_type_to_i16_array(x, ret);
+}
+
 typedef int16_t libcrux_ml_kem_vector_portable_vector_type_FieldElement;
 
 typedef int16_t
diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
index 412ce26b2..1ae0f9b0f 100644
--- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_sha3_avx2_H
@@ -2395,41 +2395,29 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_ef_3a(
 }
 
 /**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
 with types core_core_arch_x86___m256i
 with const generics
 - N= 4
 - RATE= 168
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970(
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_970(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
-  libcrux_sha3_generic_keccak_keccakf1600_a6(s);
   libcrux_sha3_simd_avx2_store_block_ef_3a(s->st, out);
 }
 
 /**
- Squeeze another block
-*/
-KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void
-libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
-    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
-    Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
-  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
-  libcrux_sha3_generic_keccak_squeeze_next_block_970(s, buf);
-}
-
-/**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
 with types core_core_arch_x86___m256i
 with const generics
 - N= 4
 - RATE= 168
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_970(
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_a6(s);
   libcrux_sha3_simd_avx2_store_block_ef_3a(s->st, out);
 }
 
@@ -2473,6 +2461,18 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks(
   libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97(s, buf);
 }
 
+/**
+ Squeeze another block
+*/
+KRML_ATTRIBUTE_TARGET("avx2")
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
+    libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
+    Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
+  Eurydice_slice buf[4U] = {out0, out1, out2, out3};
+  libcrux_sha3_generic_keccak_squeeze_next_block_970(s, buf);
+}
+
 /**
 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_five_blocks
 with types core_core_arch_x86___m256i
diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h
index 6bed02ce3..242a6e8dc 100644
--- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h
+++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h
@@ -5,10 +5,10 @@
  *
  * This code was generated with the following revisions:
  * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
- * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c
+ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20
  * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
- * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
- * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c
+ * F*: 8b6fce63ca91b16386d8f76e82ea87a3c109a208
+ * Libcrux: da72c141597b1db012f3bc23a96330f6de112770
  */
 
 #ifndef __libcrux_sha3_portable_H
@@ -2293,37 +2293,27 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_3a(
 }
 
 /**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
 with types uint64_t
 with const generics
 - N= 1
 - RATE= 168
 */
-static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61(
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c61(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
-  libcrux_sha3_generic_keccak_keccakf1600_04(s);
   libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out);
 }
 
 /**
- Squeeze another block
-*/
-static KRML_MUSTINLINE void
-libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
-    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
-  Eurydice_slice buf[1U] = {out0};
-  libcrux_sha3_generic_keccak_squeeze_next_block_c61(s, buf);
-}
-
-/**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
 with types uint64_t
 with const generics
 - N= 1
 - RATE= 168
 */
-static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c61(
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) {
+  libcrux_sha3_generic_keccak_keccakf1600_04(s);
   libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out);
 }
 
@@ -2364,6 +2354,16 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
   libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(s, buf);
 }
 
+/**
+ Squeeze another block
+*/
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
+    libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
+  Eurydice_slice buf[1U] = {out0};
+  libcrux_sha3_generic_keccak_squeeze_next_block_c61(s, buf);
+}
+
 #define libcrux_sha3_Sha224 0
 #define libcrux_sha3_Sha256 1
 #define libcrux_sha3_Sha384 2
@@ -3705,7 +3705,7 @@ typedef struct libcrux_sha3_generic_keccak_KeccakXofState_e2_s {
 } libcrux_sha3_generic_keccak_KeccakXofState_e2;
 
 typedef libcrux_sha3_generic_keccak_KeccakXofState_e2
-    libcrux_sha3_portable_incremental_Shake256Absorb;
+    libcrux_sha3_portable_incremental_Shake256Xof;
 
 /**
  Consume the internal buffer and the required amount of the input to pad to
@@ -3861,19 +3861,15 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c6(
  Shake256 absorb
 */
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for
-libcrux_sha3::portable::incremental::Shake256Absorb)#2}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
 */
-static inline void libcrux_sha3_portable_incremental_absorb_7d(
+static inline void libcrux_sha3_portable_incremental_absorb_68(
     libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) {
   Eurydice_slice buf[1U] = {input};
   libcrux_sha3_generic_keccak_absorb_8b_c6(self, buf);
 }
 
-typedef libcrux_sha3_generic_keccak_KeccakXofState_e2
-    libcrux_sha3_portable_incremental_Shake256Squeeze;
-
 /**
  Absorb a final block.
 
@@ -3939,16 +3935,13 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e(
  Shake256 absorb final
 */
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for
-libcrux_sha3::portable::incremental::Shake256Absorb)#2}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
 */
-static inline libcrux_sha3_generic_keccak_KeccakXofState_e2
-libcrux_sha3_portable_incremental_absorb_final_7d(
-    libcrux_sha3_generic_keccak_KeccakXofState_e2 self, Eurydice_slice input) {
+static inline void libcrux_sha3_portable_incremental_absorb_final_68(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) {
   Eurydice_slice buf[1U] = {input};
-  libcrux_sha3_generic_keccak_absorb_final_8b_9e(&self, buf);
-  return self;
+  libcrux_sha3_generic_keccak_absorb_final_8b_9e(self, buf);
 }
 
 /**
@@ -4135,15 +4128,132 @@ libcrux_sha3_generic_keccak_new_8b_c6(void) {
  Shake256 new state
 */
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for
-libcrux_sha3::portable::incremental::Shake256Absorb)#2}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
 */
 static inline libcrux_sha3_generic_keccak_KeccakXofState_e2
-libcrux_sha3_portable_incremental_new_7d(void) {
+libcrux_sha3_portable_incremental_new_68(void) {
   return libcrux_sha3_generic_keccak_new_8b_c6();
 }
 
+/**
+ `out` has the exact size we want here. It must be less than or equal to `RATE`.
+*/
+/**
+This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
+usize> for u64)}
+*/
+/**
+A monomorphic instance of libcrux_sha3.portable_keccak.store_5a
+with const generics
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b(
+    uint64_t (*state)[5U], Eurydice_slice out[1U]) {
+  size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U;
+  size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U;
+  for (size_t i = (size_t)0U; i < num_full_blocks; i++) {
+    size_t i0 = i;
+    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
+        out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
+  }
+  if (last_block_len != (size_t)0U) {
+    Eurydice_slice uu____1 = Eurydice_slice_subslice2(
+        out[0U], num_full_blocks * (size_t)8U,
+        num_full_blocks * (size_t)8U + last_block_len, uint8_t);
+    uint8_t ret[8U];
+    core_num__u64_9__to_le_bytes(
+        state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret);
+    Eurydice_slice_copy(
+        uu____1,
+        Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t),
+        uint8_t);
+  }
+}
+
+/**
+ Squeeze `N` x `LEN` bytes.
+*/
+/**
+This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
+PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
+*/
+/**
+A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b
+with types uint64_t
+with const generics
+- PARALLEL_LANES= 1
+- RATE= 136
+*/
+static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self,
+    Eurydice_slice out[1U]) {
+  if (self->sponge) {
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+  }
+  size_t out_len = Eurydice_slice_len(out[0U], uint8_t);
+  size_t blocks = out_len / (size_t)136U;
+  size_t last = out_len - out_len % (size_t)136U;
+  size_t mid;
+  if ((size_t)136U >= out_len) {
+    mid = out_len;
+  } else {
+    mid = (size_t)136U;
+  }
+  Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
+      libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid);
+  Eurydice_slice out00[1U];
+  memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
+  Eurydice_slice out_rest[1U];
+  memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00);
+  core_ops_range_Range_08 iter =
+      core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
+          (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
+                                             .end = blocks}),
+          core_ops_range_Range_08, core_ops_range_Range_08);
+  while (true) {
+    if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
+            &iter, size_t, Option_08)
+            .tag == None) {
+      break;
+    } else {
+      Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
+          libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest,
+                                                         (size_t)136U);
+      Eurydice_slice out0[1U];
+      memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
+      Eurydice_slice tmp[1U];
+      memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
+      libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+      libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0);
+      memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice));
+    }
+  }
+  if (last < out_len) {
+    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
+    libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest);
+  }
+  self->sponge = true;
+}
+
+/**
+ Shake256 squeeze
+*/
+/**
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<136:
+usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1}
+*/
+static inline void libcrux_sha3_portable_incremental_squeeze_68(
+    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) {
+  Eurydice_slice buf[1U] = {out};
+  libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf);
+}
+
 /**
 A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState
 with types uint64_t
@@ -4159,7 +4269,7 @@ typedef struct libcrux_sha3_generic_keccak_KeccakXofState_97_s {
 } libcrux_sha3_generic_keccak_KeccakXofState_97;
 
 typedef libcrux_sha3_generic_keccak_KeccakXofState_97
-    libcrux_sha3_portable_incremental_Shake128Absorb;
+    libcrux_sha3_portable_incremental_Shake128Xof;
 
 /**
  Consume the internal buffer and the required amount of the input to pad to
@@ -4312,19 +4422,15 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c60(
 }
 
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for
-libcrux_sha3::portable::incremental::Shake128Absorb)}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
 */
-static inline void libcrux_sha3_portable_incremental_absorb_1c(
+static inline void libcrux_sha3_portable_incremental_absorb_2f(
     libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) {
   Eurydice_slice buf[1U] = {input};
   libcrux_sha3_generic_keccak_absorb_8b_c60(self, buf);
 }
 
-typedef libcrux_sha3_generic_keccak_KeccakXofState_97
-    libcrux_sha3_portable_incremental_Shake128Squeeze;
-
 /**
  Absorb a final block.
 
@@ -4387,16 +4493,13 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e0(
 }
 
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for
-libcrux_sha3::portable::incremental::Shake128Absorb)}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
 */
-static inline libcrux_sha3_generic_keccak_KeccakXofState_97
-libcrux_sha3_portable_incremental_absorb_final_1c(
-    libcrux_sha3_generic_keccak_KeccakXofState_97 self, Eurydice_slice input) {
+static inline void libcrux_sha3_portable_incremental_absorb_final_2f(
+    libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) {
   Eurydice_slice buf[1U] = {input};
-  libcrux_sha3_generic_keccak_absorb_final_8b_9e0(&self, buf);
-  return self;
+  libcrux_sha3_generic_keccak_absorb_final_8b_9e0(self, buf);
 }
 
 /**
@@ -4612,134 +4715,14 @@ libcrux_sha3_generic_keccak_new_8b_c60(void) {
 }
 
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for
-libcrux_sha3::portable::incremental::Shake128Absorb)}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
 */
 static inline libcrux_sha3_generic_keccak_KeccakXofState_97
-libcrux_sha3_portable_incremental_new_1c(void) {
+libcrux_sha3_portable_incremental_new_2f(void) {
   return libcrux_sha3_generic_keccak_new_8b_c60();
 }
 
-/**
- `out` has the exact size we want here. It must be less than or equal to `RATE`.
-*/
-/**
-This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
-usize> for u64)}
-*/
-/**
-A monomorphic instance of libcrux_sha3.portable_keccak.store_5a
-with const generics
-- RATE= 136
-*/
-static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b(
-    uint64_t (*state)[5U], Eurydice_slice out[1U]) {
-  size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U;
-  size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U;
-  for (size_t i = (size_t)0U; i < num_full_blocks; i++) {
-    size_t i0 = i;
-    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
-        out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
-    uint8_t ret[8U];
-    core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret);
-    Eurydice_slice_copy(
-        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
-  }
-  if (last_block_len != (size_t)0U) {
-    Eurydice_slice uu____1 = Eurydice_slice_subslice2(
-        out[0U], num_full_blocks * (size_t)8U,
-        num_full_blocks * (size_t)8U + last_block_len, uint8_t);
-    uint8_t ret[8U];
-    core_num__u64_9__to_le_bytes(
-        state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret);
-    Eurydice_slice_copy(
-        uu____1,
-        Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t),
-        uint8_t);
-  }
-}
-
-/**
- Squeeze `N` x `LEN` bytes.
-*/
-/**
-This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
-PARALLEL_LANES, RATE>[TraitClause@0, TraitClause@1]#2}
-*/
-/**
-A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b
-with types uint64_t
-with const generics
-- PARALLEL_LANES= 1
-- RATE= 136
-*/
-static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6(
-    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self,
-    Eurydice_slice out[1U]) {
-  if (self->sponge) {
-    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
-  }
-  size_t out_len = Eurydice_slice_len(out[0U], uint8_t);
-  size_t blocks = out_len / (size_t)136U;
-  size_t last = out_len - out_len % (size_t)136U;
-  size_t mid;
-  if ((size_t)136U >= out_len) {
-    mid = out_len;
-  } else {
-    mid = (size_t)136U;
-  }
-  Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
-      libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid);
-  Eurydice_slice out00[1U];
-  memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
-  Eurydice_slice out_rest[1U];
-  memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
-  libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00);
-  core_ops_range_Range_08 iter =
-      core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
-          (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U,
-                                             .end = blocks}),
-          core_ops_range_Range_08, core_ops_range_Range_08);
-  while (true) {
-    if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next(
-            &iter, size_t, Option_08)
-            .tag == None) {
-      break;
-    } else {
-      Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
-          libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest,
-                                                         (size_t)136U);
-      Eurydice_slice out0[1U];
-      memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
-      Eurydice_slice tmp[1U];
-      memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
-      libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
-      libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0);
-      memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice));
-    }
-  }
-  if (last < out_len) {
-    libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner);
-    libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest);
-  }
-  self->sponge = true;
-}
-
-/**
- Shake256 squeeze
-*/
-/**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofSqueeze<136: usize> for
-libcrux_sha3::portable::incremental::Shake256Squeeze)#3}
-*/
-static inline void libcrux_sha3_portable_incremental_squeeze_8a(
-    libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) {
-  Eurydice_slice buf[1U] = {out};
-  libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf);
-}
-
 /**
  `out` has the exact size we want here. It must be less than or equal to `RATE`.
 */
@@ -4849,11 +4832,10 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c60(
  Shake128 squeeze
 */
 /**
-This function found in impl
-{(libcrux_sha3::portable::incremental::XofSqueeze<168: usize> for
-libcrux_sha3::portable::incremental::Shake128Squeeze)#1}
+This function found in impl {(libcrux_sha3::portable::incremental::Xof<168:
+usize> for libcrux_sha3::portable::incremental::Shake128Xof)}
 */
-static inline void libcrux_sha3_portable_incremental_squeeze_10(
+static inline void libcrux_sha3_portable_incremental_squeeze_2f(
     libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};
   libcrux_sha3_generic_keccak_squeeze_8b_c60(self, buf);
diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py
index b95b864ab..d7bbc38aa 100755
--- a/libcrux-ml-kem/hax.py
+++ b/libcrux-ml-kem/hax.py
@@ -85,18 +85,20 @@ def __call__(self, parser, args, values, option_string=None) -> None:
             "+:libcrux_ml_kem::hash_functions::*::*",
         ]
         include_str = " ".join(includes)
-        interface_include = "+**"
+        interface_include = "+** -libcrux_ml_kem::types"
         cargo_hax_into = [
             "cargo",
             "hax",
             "-C",
             "--features",
-            "simd128,simd256,pre-verification",
+            "simd128,simd256",
             ";",
             "into",
             "-i",
             include_str,
             "fstar",
+            "--z3rlimit",
+            "80",
             "--interfaces",
             interface_include,
         ]
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst
index 018593ecd..184d21930 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst
@@ -1,15 +1,46 @@
 module Libcrux_ml_kem.Constant_time_ops
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 let inz (value: u8) =
+  let v__orig_value:u8 = value in
   let value:u16 = cast (value <: u8) <: u16 in
-  let result:u16 =
-    ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) >>! 8l <: u16) &.
-    1us
+  let result:u8 =
+    cast ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l <: u16) <: u8
   in
-  cast (result <: u16) <: u8
+  let res:u8 = result &. 1uy in
+  let _:Prims.unit =
+    if v v__orig_value = 0
+    then
+      (assert (value == zero);
+        lognot_lemma value;
+        assert ((~.value +. 1us) == zero);
+        assert ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) == zero);
+        logor_lemma value zero;
+        assert ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) ==
+            value);
+        assert (v result == v ((value >>! 8l)));
+        assert ((v value / pow2 8) == 0);
+        assert (result == 0uy);
+        logand_lemma 1uy result;
+        assert (res == 0uy))
+    else
+      (assert (v value <> 0);
+        lognot_lemma value;
+        assert (v (~.value) = pow2 16 - 1 - v value);
+        assert (v (~.value) + 1 = pow2 16 - v value);
+        assert (v (value) <= pow2 8 - 1);
+        assert ((v (~.value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v value));
+        assert ((v (~.value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v value));
+        assert ((v (~.value) + 1) / pow2 8 = (pow2 8 - 1));
+        assert (v ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l) =
+            pow2 8 - 1);
+        assert (result = ones);
+        logand_lemma 1uy result;
+        assert (res = 1uy))
+  in
+  res
 
 let is_non_zero (value: u8) = Core.Hint.black_box #u8 (inz value <: u8)
 
@@ -18,43 +49,143 @@ let compare (lhs rhs: t_Slice u8) =
   let r:u8 =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (Core.Slice.impl__len #u8 lhs <: usize)
-      (fun r temp_1_ ->
+      (fun r i ->
           let r:u8 = r in
-          let _:usize = temp_1_ in
-          true)
+          let i:usize = i in
+          v i <= Seq.length lhs /\
+          (if (Seq.slice lhs 0 (v i) = Seq.slice rhs 0 (v i)) then r == 0uy else ~(r == 0uy)))
       r
       (fun r i ->
           let r:u8 = r in
           let i:usize = i in
-          r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <: u8)
+          let nr:u8 = r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) in
+          let _:Prims.unit =
+            if r =. 0uy
+            then
+              (if (Seq.index lhs (v i) = Seq.index rhs (v i))
+                then
+                  (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i));
+                    assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) = zero);
+                    logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8);
+                    assert (nr = r);
+                    assert (forall j. Seq.index (Seq.slice lhs 0 (v i)) j == Seq.index lhs j);
+                    assert (forall j. Seq.index (Seq.slice rhs 0 (v i)) j == Seq.index rhs j);
+                    eq_intro (Seq.slice lhs 0 ((v i) + 1)) (Seq.slice rhs 0 ((v i) + 1)))
+                else
+                  (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i));
+                    assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <> zero);
+                    logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8);
+                    assert (v nr > 0);
+                    assert (Seq.index (Seq.slice lhs 0 ((v i) + 1)) (v i) <>
+                        Seq.index (Seq.slice rhs 0 ((v i) + 1)) (v i));
+                    assert (Seq.slice lhs 0 ((v i) + 1) <> Seq.slice rhs 0 ((v i) + 1))))
+            else
+              (logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8);
+                assert (v nr >= v r);
+                assert (Seq.slice lhs 0 (v i) <> Seq.slice rhs 0 (v i));
+                if (Seq.slice lhs 0 ((v i) + 1) = Seq.slice rhs 0 ((v i) + 1))
+                then
+                  (assert (forall j.
+                          j < (v i) + 1 ==>
+                          Seq.index (Seq.slice lhs 0 ((v i) + 1)) j ==
+                          Seq.index (Seq.slice rhs 0 ((v i) + 1)) j);
+                    eq_intro (Seq.slice lhs 0 (v i)) (Seq.slice rhs 0 (v i));
+                    assert (False)))
+          in
+          let r:u8 = nr in
+          r)
   in
   is_non_zero r
 
 let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) =
   Core.Hint.black_box #u8 (compare lhs rhs <: u8)
 
+#push-options "--ifuel 0 --z3rlimit 50"
+
 let select_ct (lhs rhs: t_Slice u8) (selector: u8) =
   let mask:u8 = Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy in
+  let _:Prims.unit =
+    assert (if selector = 0uy then mask = ones else mask = zero);
+    lognot_lemma mask;
+    assert (if selector = 0uy then ~.mask = zero else ~.mask = ones)
+  in
   let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
   let out:t_Array u8 (sz 32) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
-      (fun out temp_1_ ->
+      (fun out i ->
           let out:t_Array u8 (sz 32) = out in
-          let _:usize = temp_1_ in
-          true)
+          let i:usize = i in
+          v i <= v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE /\
+          (forall j.
+              j < v i ==>
+              (if (selector =. 0uy)
+                then Seq.index out j == Seq.index lhs j
+                else Seq.index out j == Seq.index rhs j)) /\
+          (forall j. j >= v i ==> Seq.index out j == 0uy))
       out
       (fun out i ->
           let out:t_Array u8 (sz 32) = out in
           let i:usize = i in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
-            i
-            (((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) <: u8)
-          <:
-          t_Array u8 (sz 32))
+          let _:Prims.unit = assert ((out.[ i ] <: u8) = 0uy) in
+          let outi:u8 =
+            ((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)
+          in
+          let _:Prims.unit =
+            if (selector = 0uy)
+            then
+              (logand_lemma (lhs.[ i ] <: u8) mask;
+                assert (((lhs.[ i ] <: u8) &. mask <: u8) == (lhs.[ i ] <: u8));
+                logand_lemma (rhs.[ i ] <: u8) (~.mask);
+                assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == zero);
+                logor_lemma ((lhs.[ i ] <: u8) &. mask <: u8)
+                  ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8);
+                assert ((((lhs.[ i ] <: u8) &. mask <: u8) |.
+                      ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)
+                      <:
+                      u8) ==
+                    (lhs.[ i ] <: u8));
+                logor_lemma (out.[ i ] <: u8) (lhs.[ i ] <: u8);
+                assert (((out.[ i ] <: u8) |.
+                      (((lhs.[ i ] <: u8) &. mask <: u8) |.
+                        ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)
+                        <:
+                        u8)
+                      <:
+                      u8) ==
+                    (lhs.[ i ] <: u8));
+                assert (outi = (lhs.[ i ] <: u8)))
+            else
+              (logand_lemma (lhs.[ i ] <: u8) mask;
+                assert (((lhs.[ i ] <: u8) &. mask <: u8) == zero);
+                logand_lemma (rhs.[ i ] <: u8) (~.mask);
+                assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == (rhs.[ i ] <: u8));
+                logor_lemma (rhs.[ i ] <: u8) zero;
+                assert ((logor zero (rhs.[ i ] <: u8)) == (rhs.[ i ] <: u8));
+                assert ((((lhs.[ i ] <: u8) &. mask <: u8) |.
+                      ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)) ==
+                    (rhs.[ i ] <: u8));
+                logor_lemma (out.[ i ] <: u8) (rhs.[ i ] <: u8);
+                assert (((out.[ i ] <: u8) |.
+                      (((lhs.[ i ] <: u8) &. mask <: u8) |.
+                        ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)
+                        <:
+                        u8)
+                      <:
+                      u8) ==
+                    (rhs.[ i ] <: u8));
+                assert (outi = (rhs.[ i ] <: u8)))
+          in
+          let out:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i outi
+          in
+          out)
   in
+  let _:Prims.unit = if (selector =. 0uy) then (eq_intro out lhs) else (eq_intro out rhs) in
   out
 
+#pop-options
+
 let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) =
   Core.Hint.black_box #(t_Array u8 (sz 32)) (select_ct lhs rhs selector <: t_Array u8 (sz 32))
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti
index 0d28bb910..981aa5aa1 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti
@@ -1,24 +1,42 @@
 module Libcrux_ml_kem.Constant_time_ops
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 /// Return 1 if `value` is not zero and 0 otherwise.
-val inz (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val inz (value: u8)
+    : Prims.Pure u8
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:u8 = result in
+          (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy))
 
-val is_non_zero (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val is_non_zero (value: u8)
+    : Prims.Pure u8
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:u8 = result in
+          (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy))
 
 /// Return 1 if the bytes of `lhs` and `rhs` do not exactly
 /// match and 0 otherwise.
 val compare (lhs rhs: t_Slice u8)
     : Prims.Pure u8
       (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize))
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun result ->
+          let result:u8 = result in
+          (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy))
 
 val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8)
     : Prims.Pure u8
       (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize))
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun result ->
+          let result:u8 = result in
+          (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy))
 
 /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in
 /// `lhs` otherwise.
@@ -27,14 +45,20 @@ val select_ct (lhs rhs: t_Slice u8) (selector: u8)
       (requires
         (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) &&
         (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE)
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs))
 
 val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8)
     : Prims.Pure (t_Array u8 (sz 32))
       (requires
         (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) &&
         (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE)
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs))
 
 val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s rhs_s: t_Slice u8)
     : Prims.Pure (t_Array u8 (sz 32))
@@ -42,4 +66,8 @@ val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s
         (Core.Slice.impl__len #u8 lhs_c <: usize) =. (Core.Slice.impl__len #u8 rhs_c <: usize) &&
         (Core.Slice.impl__len #u8 lhs_s <: usize) =. (Core.Slice.impl__len #u8 rhs_s <: usize) &&
         (Core.Slice.impl__len #u8 lhs_s <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE)
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          let selector = if lhs_c =. rhs_c then 0uy else 1uy in
+          ((selector == 0uy ==> result == lhs_s) /\ (selector =!= 0uy ==> result == rhs_s)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti
index 76d143aad..1c3fdf673 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Constants
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst
new file mode 100644
index 000000000..e5d447350
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst
@@ -0,0 +1,81 @@
+module Libcrux_ml_kem.Hash_functions.Avx2
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+assume
+val t_Simd256Hash': eqtype
+
+let t_Simd256Hash = t_Simd256Hash'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K
+
+let impl (v_K: usize) = impl' v_K
+
+assume
+val v_G': input: t_Slice u8
+  -> Prims.Pure (t_Array u8 (sz 64))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 64) = result in
+          result == Spec.Utils.v_G input)
+
+let v_G = v_G'
+
+assume
+val v_H': input: t_Slice u8
+  -> Prims.Pure (t_Array u8 (sz 32))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result == Spec.Utils.v_H input)
+
+let v_H = v_H'
+
+assume
+val v_PRF': v_LEN: usize -> input: t_Slice u8
+  -> Prims.Pure (t_Array u8 v_LEN)
+      (requires v v_LEN < pow2 32)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_LEN = result in
+          result == Spec.Utils.v_PRF v_LEN input)
+
+let v_PRF (v_LEN: usize) = v_PRF' v_LEN
+
+assume
+val v_PRFxN': v_K: usize -> v_LEN: usize -> input: t_Array (t_Array u8 (sz 33)) v_K
+  -> Prims.Pure (t_Array (t_Array u8 v_LEN) v_K)
+      (requires v v_LEN < pow2 32 /\ (v v_K == 2 \/ v v_K == 3 \/ v v_K == 4))
+      (ensures
+        fun result ->
+          let result:t_Array (t_Array u8 v_LEN) v_K = result in
+          result == Spec.Utils.v_PRFxN v_K v_LEN input)
+
+let v_PRFxN (v_K v_LEN: usize) = v_PRFxN' v_K v_LEN
+
+assume
+val shake128_init_absorb_final': v_K: usize -> input: t_Array (t_Array u8 (sz 34)) v_K
+  -> Prims.Pure t_Simd256Hash Prims.l_True (fun _ -> Prims.l_True)
+
+let shake128_init_absorb_final (v_K: usize) = shake128_init_absorb_final' v_K
+
+assume
+val shake128_squeeze_first_three_blocks': v_K: usize -> st: t_Simd256Hash
+  -> Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let shake128_squeeze_first_three_blocks (v_K: usize) = shake128_squeeze_first_three_blocks' v_K
+
+assume
+val shake128_squeeze_next_block': v_K: usize -> st: t_Simd256Hash
+  -> Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let shake128_squeeze_next_block (v_K: usize) = shake128_squeeze_next_block' v_K
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti
index 637523b1a..c830bb8f6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti
@@ -1,91 +1,57 @@
 module Libcrux_ml_kem.Hash_functions.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True)
+/// The state.
+/// It\'s only used for SHAKE128.
+/// All other functions don\'t actually use any members.
+val t_Simd256Hash:eqtype
 
-val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K
 
-val v_PRF (v_LEN: usize) (input: t_Slice u8)
-    : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True)
+val v_G (input: t_Slice u8)
+    : Prims.Pure (t_Array u8 (sz 64))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 64) = result in
+          result == Spec.Utils.v_G input)
 
-val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K)
-    : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) Prims.l_True (fun _ -> Prims.l_True)
+val v_H (input: t_Slice u8)
+    : Prims.Pure (t_Array u8 (sz 32))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result == Spec.Utils.v_H input)
 
-/// The state.
-/// It\'s only used for SHAKE128.
-/// All other functions don\'t actually use any members.
-val t_Simd256Hash:Type0
+val v_PRF (v_LEN: usize) (input: t_Slice u8)
+    : Prims.Pure (t_Array u8 v_LEN)
+      (requires v v_LEN < pow2 32)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_LEN = result in
+          result == Spec.Utils.v_PRF v_LEN input)
 
-val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K)
+val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K)
+    : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K)
+      (requires v v_LEN < pow2 32 /\ (v v_K == 2 \/ v v_K == 3 \/ v v_K == 4))
+      (ensures
+        fun result ->
+          let result:t_Array (t_Array u8 v_LEN) v_K = result in
+          result == Spec.Utils.v_PRFxN v_K v_LEN input)
+
+val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K)
     : Prims.Pure t_Simd256Hash Prims.l_True (fun _ -> Prims.l_True)
 
-val shake128_squeeze_block (v_K: usize) (st: t_Simd256Hash)
-    : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)
+val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_Simd256Hash)
+    : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val shake128_squeeze_three_blocks (v_K: usize) (st: t_Simd256Hash)
-    : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)
+val shake128_squeeze_next_block (v_K: usize) (st: t_Simd256Hash)
+    : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)
       Prims.l_True
       (fun _ -> Prims.l_True)
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K =
-  {
-    f_G_pre = (fun (input: t_Slice u8) -> true);
-    f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true);
-    f_G = (fun (input: t_Slice u8) -> v_G input);
-    f_H_pre = (fun (input: t_Slice u8) -> true);
-    f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true);
-    f_H = (fun (input: t_Slice u8) -> v_H input);
-    f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true);
-    f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true);
-    f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input);
-    f_PRFxN_pre = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> true);
-    f_PRFxN_post
-    =
-    (fun
-        (v_LEN: usize)
-        (input: t_Array (t_Array u8 (sz 33)) v_K)
-        (out: t_Array (t_Array u8 v_LEN) v_K)
-        ->
-        true);
-    f_PRFxN
-    =
-    (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input);
-    f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true);
-    f_shake128_init_absorb_post
-    =
-    (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd256Hash) -> true);
-    f_shake128_init_absorb
-    =
-    (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input);
-    f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd256Hash) -> true);
-    f_shake128_squeeze_three_blocks_post
-    =
-    (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true);
-    f_shake128_squeeze_three_blocks
-    =
-    (fun (self: t_Simd256Hash) ->
-        let tmp0, out:(t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) =
-          shake128_squeeze_three_blocks v_K self
-        in
-        let self:t_Simd256Hash = tmp0 in
-        let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in
-        self, hax_temp_output <: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K));
-    f_shake128_squeeze_block_pre = (fun (self: t_Simd256Hash) -> true);
-    f_shake128_squeeze_block_post
-    =
-    (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true);
-    f_shake128_squeeze_block
-    =
-    fun (self: t_Simd256Hash) ->
-      let tmp0, out:(t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) =
-        shake128_squeeze_block v_K self
-      in
-      let self:t_Simd256Hash = tmp0 in
-      let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in
-      self, hax_temp_output <: (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)
-  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst
new file mode 100644
index 000000000..8c2d78e3f
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst
@@ -0,0 +1,81 @@
+module Libcrux_ml_kem.Hash_functions.Neon
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+assume
+val t_Simd128Hash': eqtype
+
+let t_Simd128Hash = t_Simd128Hash'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K
+
+let impl (v_K: usize) = impl' v_K
+
+assume
+val v_G': input: t_Slice u8
+  -> Prims.Pure (t_Array u8 (sz 64))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 64) = result in
+          result == Spec.Utils.v_G input)
+
+let v_G = v_G'
+
+assume
+val v_H': input: t_Slice u8
+  -> Prims.Pure (t_Array u8 (sz 32))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result == Spec.Utils.v_H input)
+
+let v_H = v_H'
+
+assume
+val v_PRF': v_LEN: usize -> input: t_Slice u8
+  -> Prims.Pure (t_Array u8 v_LEN)
+      (requires v v_LEN < pow2 32)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_LEN = result in
+          result == Spec.Utils.v_PRF v_LEN input)
+
+let v_PRF (v_LEN: usize) = v_PRF' v_LEN
+
+assume
+val v_PRFxN': v_K: usize -> v_LEN: usize -> input: t_Array (t_Array u8 (sz 33)) v_K
+  -> Prims.Pure (t_Array (t_Array u8 v_LEN) v_K)
+      (requires v v_LEN < pow2 32 /\ (v v_K == 2 \/ v v_K == 3 \/ v v_K == 4))
+      (ensures
+        fun result ->
+          let result:t_Array (t_Array u8 v_LEN) v_K = result in
+          result == Spec.Utils.v_PRFxN v_K v_LEN input)
+
+let v_PRFxN (v_K v_LEN: usize) = v_PRFxN' v_K v_LEN
+
+assume
+val shake128_init_absorb_final': v_K: usize -> input: t_Array (t_Array u8 (sz 34)) v_K
+  -> Prims.Pure t_Simd128Hash Prims.l_True (fun _ -> Prims.l_True)
+
+let shake128_init_absorb_final (v_K: usize) = shake128_init_absorb_final' v_K
+
+assume
+val shake128_squeeze_first_three_blocks': v_K: usize -> st: t_Simd128Hash
+  -> Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let shake128_squeeze_first_three_blocks (v_K: usize) = shake128_squeeze_first_three_blocks' v_K
+
+assume
+val shake128_squeeze_next_block': v_K: usize -> st: t_Simd128Hash
+  -> Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let shake128_squeeze_next_block (v_K: usize) = shake128_squeeze_next_block' v_K
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti
index d3285aaba..1a7c6875a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti
@@ -1,91 +1,57 @@
 module Libcrux_ml_kem.Hash_functions.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True)
+/// The state.
+/// It\'s only used for SHAKE128.
+/// All other functions don\'t actually use any members.
+val t_Simd128Hash:eqtype
 
-val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K
 
-val v_PRF (v_LEN: usize) (input: t_Slice u8)
-    : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True)
+val v_G (input: t_Slice u8)
+    : Prims.Pure (t_Array u8 (sz 64))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 64) = result in
+          result == Spec.Utils.v_G input)
 
-val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K)
-    : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) Prims.l_True (fun _ -> Prims.l_True)
+val v_H (input: t_Slice u8)
+    : Prims.Pure (t_Array u8 (sz 32))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result == Spec.Utils.v_H input)
 
-/// The state.
-/// It\'s only used for SHAKE128.
-/// All other functions don\'t actually use any members.
-val t_Simd128Hash:Type0
+val v_PRF (v_LEN: usize) (input: t_Slice u8)
+    : Prims.Pure (t_Array u8 v_LEN)
+      (requires v v_LEN < pow2 32)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_LEN = result in
+          result == Spec.Utils.v_PRF v_LEN input)
 
-val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K)
+val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K)
+    : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K)
+      (requires v v_LEN < pow2 32 /\ (v v_K == 2 \/ v v_K == 3 \/ v v_K == 4))
+      (ensures
+        fun result ->
+          let result:t_Array (t_Array u8 v_LEN) v_K = result in
+          result == Spec.Utils.v_PRFxN v_K v_LEN input)
+
+val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K)
     : Prims.Pure t_Simd128Hash Prims.l_True (fun _ -> Prims.l_True)
 
-val shake128_squeeze_block (v_K: usize) (st: t_Simd128Hash)
-    : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)
+val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_Simd128Hash)
+    : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val shake128_squeeze_three_blocks (v_K: usize) (st: t_Simd128Hash)
-    : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)
+val shake128_squeeze_next_block (v_K: usize) (st: t_Simd128Hash)
+    : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)
       Prims.l_True
       (fun _ -> Prims.l_True)
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K =
-  {
-    f_G_pre = (fun (input: t_Slice u8) -> true);
-    f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true);
-    f_G = (fun (input: t_Slice u8) -> v_G input);
-    f_H_pre = (fun (input: t_Slice u8) -> true);
-    f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true);
-    f_H = (fun (input: t_Slice u8) -> v_H input);
-    f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true);
-    f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true);
-    f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input);
-    f_PRFxN_pre = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> true);
-    f_PRFxN_post
-    =
-    (fun
-        (v_LEN: usize)
-        (input: t_Array (t_Array u8 (sz 33)) v_K)
-        (out: t_Array (t_Array u8 v_LEN) v_K)
-        ->
-        true);
-    f_PRFxN
-    =
-    (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input);
-    f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true);
-    f_shake128_init_absorb_post
-    =
-    (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd128Hash) -> true);
-    f_shake128_init_absorb
-    =
-    (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input);
-    f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd128Hash) -> true);
-    f_shake128_squeeze_three_blocks_post
-    =
-    (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true);
-    f_shake128_squeeze_three_blocks
-    =
-    (fun (self: t_Simd128Hash) ->
-        let tmp0, out:(t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) =
-          shake128_squeeze_three_blocks v_K self
-        in
-        let self:t_Simd128Hash = tmp0 in
-        let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in
-        self, hax_temp_output <: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K));
-    f_shake128_squeeze_block_pre = (fun (self: t_Simd128Hash) -> true);
-    f_shake128_squeeze_block_post
-    =
-    (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true);
-    f_shake128_squeeze_block
-    =
-    fun (self: t_Simd128Hash) ->
-      let tmp0, out:(t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) =
-        shake128_squeeze_block v_K self
-      in
-      let self:t_Simd128Hash = tmp0 in
-      let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in
-      self, hax_temp_output <: (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)
-  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst
new file mode 100644
index 000000000..7ed902f04
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst
@@ -0,0 +1,81 @@
+module Libcrux_ml_kem.Hash_functions.Portable
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+assume
+val t_PortableHash': v_K: usize -> eqtype
+
+let t_PortableHash (v_K: usize) = t_PortableHash' v_K
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K
+
+let impl (v_K: usize) = impl' v_K
+
+assume
+val v_G': input: t_Slice u8
+  -> Prims.Pure (t_Array u8 (sz 64))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 64) = result in
+          result == Spec.Utils.v_G input)
+
+let v_G = v_G'
+
+assume
+val v_H': input: t_Slice u8
+  -> Prims.Pure (t_Array u8 (sz 32))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result == Spec.Utils.v_H input)
+
+let v_H = v_H'
+
+assume
+val v_PRF': v_LEN: usize -> input: t_Slice u8
+  -> Prims.Pure (t_Array u8 v_LEN)
+      (requires v v_LEN < pow2 32)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_LEN = result in
+          result == Spec.Utils.v_PRF v_LEN input)
+
+let v_PRF (v_LEN: usize) = v_PRF' v_LEN
+
+assume
+val v_PRFxN': v_K: usize -> v_LEN: usize -> input: t_Array (t_Array u8 (sz 33)) v_K
+  -> Prims.Pure (t_Array (t_Array u8 v_LEN) v_K)
+      (requires v v_LEN < pow2 32 /\ (v v_K == 2 \/ v v_K == 3 \/ v v_K == 4))
+      (ensures
+        fun result ->
+          let result:t_Array (t_Array u8 v_LEN) v_K = result in
+          result == Spec.Utils.v_PRFxN v_K v_LEN input)
+
+let v_PRFxN (v_K v_LEN: usize) = v_PRFxN' v_K v_LEN
+
+assume
+val shake128_init_absorb_final': v_K: usize -> input: t_Array (t_Array u8 (sz 34)) v_K
+  -> Prims.Pure (t_PortableHash v_K) Prims.l_True (fun _ -> Prims.l_True)
+
+let shake128_init_absorb_final (v_K: usize) = shake128_init_absorb_final' v_K
+
+assume
+val shake128_squeeze_first_three_blocks': v_K: usize -> st: t_PortableHash v_K
+  -> Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let shake128_squeeze_first_three_blocks (v_K: usize) = shake128_squeeze_first_three_blocks' v_K
+
+assume
+val shake128_squeeze_next_block': v_K: usize -> st: t_PortableHash v_K
+  -> Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+let shake128_squeeze_next_block (v_K: usize) = shake128_squeeze_next_block' v_K
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti
index 88cba2292..661213d58 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti
@@ -1,99 +1,57 @@
 module Libcrux_ml_kem.Hash_functions.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True)
+/// The state.
+/// It\'s only used for SHAKE128.
+/// All other functions don\'t actually use any members.
+val t_PortableHash (v_K: usize) : eqtype
 
-val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K
 
-val v_PRF (v_LEN: usize) (input: t_Slice u8)
-    : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True)
+val v_G (input: t_Slice u8)
+    : Prims.Pure (t_Array u8 (sz 64))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 64) = result in
+          result == Spec.Utils.v_G input)
 
-val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K)
-    : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) Prims.l_True (fun _ -> Prims.l_True)
+val v_H (input: t_Slice u8)
+    : Prims.Pure (t_Array u8 (sz 32))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result == Spec.Utils.v_H input)
 
-/// The state.
-/// It\'s only used for SHAKE128.
-/// All other functions don\'t actually use any members.
-val t_PortableHash (v_K: usize) : Type0
+val v_PRF (v_LEN: usize) (input: t_Slice u8)
+    : Prims.Pure (t_Array u8 v_LEN)
+      (requires v v_LEN < pow2 32)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_LEN = result in
+          result == Spec.Utils.v_PRF v_LEN input)
 
-val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K)
+val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K)
+    : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K)
+      (requires v v_LEN < pow2 32 /\ (v v_K == 2 \/ v v_K == 3 \/ v v_K == 4))
+      (ensures
+        fun result ->
+          let result:t_Array (t_Array u8 v_LEN) v_K = result in
+          result == Spec.Utils.v_PRFxN v_K v_LEN input)
+
+val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K)
     : Prims.Pure (t_PortableHash v_K) Prims.l_True (fun _ -> Prims.l_True)
 
-val shake128_squeeze_block (v_K: usize) (st: t_PortableHash v_K)
-    : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K)
+val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_PortableHash v_K)
+    : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val shake128_squeeze_three_blocks (v_K: usize) (st: t_PortableHash v_K)
-    : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)
+val shake128_squeeze_next_block (v_K: usize) (st: t_PortableHash v_K)
+    : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K)
       Prims.l_True
       (fun _ -> Prims.l_True)
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K =
-  {
-    f_G_pre = (fun (input: t_Slice u8) -> true);
-    f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true);
-    f_G = (fun (input: t_Slice u8) -> v_G input);
-    f_H_pre = (fun (input: t_Slice u8) -> true);
-    f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true);
-    f_H = (fun (input: t_Slice u8) -> v_H input);
-    f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true);
-    f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true);
-    f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input);
-    f_PRFxN_pre = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> true);
-    f_PRFxN_post
-    =
-    (fun
-        (v_LEN: usize)
-        (input: t_Array (t_Array u8 (sz 33)) v_K)
-        (out: t_Array (t_Array u8 v_LEN) v_K)
-        ->
-        true);
-    f_PRFxN
-    =
-    (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input);
-    f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true);
-    f_shake128_init_absorb_post
-    =
-    (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_PortableHash v_K) -> true);
-    f_shake128_init_absorb
-    =
-    (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input);
-    f_shake128_squeeze_three_blocks_pre = (fun (self: t_PortableHash v_K) -> true);
-    f_shake128_squeeze_three_blocks_post
-    =
-    (fun
-        (self: t_PortableHash v_K)
-        (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K))
-        ->
-        true);
-    f_shake128_squeeze_three_blocks
-    =
-    (fun (self: t_PortableHash v_K) ->
-        let tmp0, out:(t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) =
-          shake128_squeeze_three_blocks v_K self
-        in
-        let self:t_PortableHash v_K = tmp0 in
-        let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in
-        self, hax_temp_output <: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K));
-    f_shake128_squeeze_block_pre = (fun (self: t_PortableHash v_K) -> true);
-    f_shake128_squeeze_block_post
-    =
-    (fun
-        (self: t_PortableHash v_K)
-        (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K))
-        ->
-        true);
-    f_shake128_squeeze_block
-    =
-    fun (self: t_PortableHash v_K) ->
-      let tmp0, out:(t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) =
-        shake128_squeeze_block v_K self
-      in
-      let self:t_PortableHash v_K = tmp0 in
-      let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in
-      self, hax_temp_output <: (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K)
-  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti
index c8582760b..05c34b4bc 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Hash_functions
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -10,44 +10,56 @@ open FStar.Mul
 /// - NEON
 /// - Portable
 class t_Hash (v_Self: Type0) (v_K: usize) = {
-  f_G_pre:t_Slice u8 -> Type0;
-  f_G_post:t_Slice u8 -> t_Array u8 (sz 64) -> Type0;
+  f_G_pre:input: t_Slice u8 -> pred: Type0{true ==> pred};
+  f_G_post:input: t_Slice u8 -> result: t_Array u8 (sz 64)
+    -> pred: Type0{pred ==> result == Spec.Utils.v_G input};
   f_G:x0: t_Slice u8
     -> Prims.Pure (t_Array u8 (sz 64)) (f_G_pre x0) (fun result -> f_G_post x0 result);
-  f_H_pre:t_Slice u8 -> Type0;
-  f_H_post:t_Slice u8 -> t_Array u8 (sz 32) -> Type0;
+  f_H_pre:input: t_Slice u8 -> pred: Type0{true ==> pred};
+  f_H_post:input: t_Slice u8 -> result: t_Array u8 (sz 32)
+    -> pred: Type0{pred ==> result == Spec.Utils.v_H input};
   f_H:x0: t_Slice u8
     -> Prims.Pure (t_Array u8 (sz 32)) (f_H_pre x0) (fun result -> f_H_post x0 result);
-  f_PRF_pre:v_LEN: usize -> t_Slice u8 -> Type0;
-  f_PRF_post:v_LEN: usize -> t_Slice u8 -> t_Array u8 v_LEN -> Type0;
+  f_PRF_pre:v_LEN: usize -> input: t_Slice u8 -> pred: Type0{v v_LEN < pow2 32 ==> pred};
+  f_PRF_post:v_LEN: usize -> input: t_Slice u8 -> result: t_Array u8 v_LEN
+    -> pred: Type0{pred ==> v v_LEN < pow2 32 ==> result == Spec.Utils.v_PRF v_LEN input};
   f_PRF:v_LEN: usize -> x0: t_Slice u8
     -> Prims.Pure (t_Array u8 v_LEN) (f_PRF_pre v_LEN x0) (fun result -> f_PRF_post v_LEN x0 result);
-  f_PRFxN_pre:v_LEN: usize -> t_Array (t_Array u8 (sz 33)) v_K -> Type0;
-  f_PRFxN_post:v_LEN: usize -> t_Array (t_Array u8 (sz 33)) v_K -> t_Array (t_Array u8 v_LEN) v_K
-    -> Type0;
+  f_PRFxN_pre:v_LEN: usize -> input: t_Array (t_Array u8 (sz 33)) v_K
+    -> pred: Type0{v v_LEN < pow2 32 /\ (v v_K == 2 \/ v v_K == 3 \/ v v_K == 4) ==> pred};
+  f_PRFxN_post:
+      v_LEN: usize ->
+      input: t_Array (t_Array u8 (sz 33)) v_K ->
+      result: t_Array (t_Array u8 v_LEN) v_K
+    -> pred:
+      Type0
+        { pred ==>
+          (v v_LEN < pow2 32 /\ (v v_K == 2 \/ v v_K == 3 \/ v v_K == 4)) ==>
+          result == Spec.Utils.v_PRFxN v_K v_LEN input };
   f_PRFxN:v_LEN: usize -> x0: t_Array (t_Array u8 (sz 33)) v_K
     -> Prims.Pure (t_Array (t_Array u8 v_LEN) v_K)
         (f_PRFxN_pre v_LEN x0)
         (fun result -> f_PRFxN_post v_LEN x0 result);
-  f_shake128_init_absorb_pre:t_Array (t_Array u8 (sz 34)) v_K -> Type0;
-  f_shake128_init_absorb_post:t_Array (t_Array u8 (sz 34)) v_K -> v_Self -> Type0;
-  f_shake128_init_absorb:x0: t_Array (t_Array u8 (sz 34)) v_K
+  f_shake128_init_absorb_final_pre:input: t_Array (t_Array u8 (sz 34)) v_K
+    -> pred: Type0{true ==> pred};
+  f_shake128_init_absorb_final_post:t_Array (t_Array u8 (sz 34)) v_K -> v_Self -> Type0;
+  f_shake128_init_absorb_final:x0: t_Array (t_Array u8 (sz 34)) v_K
     -> Prims.Pure v_Self
-        (f_shake128_init_absorb_pre x0)
-        (fun result -> f_shake128_init_absorb_post x0 result);
-  f_shake128_squeeze_three_blocks_pre:v_Self -> Type0;
-  f_shake128_squeeze_three_blocks_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 504)) v_K)
+        (f_shake128_init_absorb_final_pre x0)
+        (fun result -> f_shake128_init_absorb_final_post x0 result);
+  f_shake128_squeeze_first_three_blocks_pre:self___: v_Self -> pred: Type0{true ==> pred};
+  f_shake128_squeeze_first_three_blocks_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 504)) v_K)
     -> Type0;
-  f_shake128_squeeze_three_blocks:x0: v_Self
+  f_shake128_squeeze_first_three_blocks:x0: v_Self
     -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 504)) v_K)
-        (f_shake128_squeeze_three_blocks_pre x0)
-        (fun result -> f_shake128_squeeze_three_blocks_post x0 result);
-  f_shake128_squeeze_block_pre:v_Self -> Type0;
-  f_shake128_squeeze_block_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 168)) v_K) -> Type0;
-  f_shake128_squeeze_block:x0: v_Self
+        (f_shake128_squeeze_first_three_blocks_pre x0)
+        (fun result -> f_shake128_squeeze_first_three_blocks_post x0 result);
+  f_shake128_squeeze_next_block_pre:self___: v_Self -> pred: Type0{true ==> pred};
+  f_shake128_squeeze_next_block_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 168)) v_K) -> Type0;
+  f_shake128_squeeze_next_block:x0: v_Self
     -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 168)) v_K)
-        (f_shake128_squeeze_block_pre x0)
-        (fun result -> f_shake128_squeeze_block_post x0 result)
+        (f_shake128_squeeze_next_block_pre x0)
+        (fun result -> f_shake128_squeeze_next_block_post x0 result)
 }
 
 /// The SHA3 block size.
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst
index cdab4f44a..ec082d69c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,7 +13,35 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
+let decapsulate_avx2
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
+    v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
+    v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+    v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
+    key_pair ciphertext
+
+let decapsulate
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+     =
+  decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE
+    v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+    v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+    v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE key_pair ciphertext
+
+let encapsulate_avx2
       (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (public_key:
@@ -27,46 +55,40 @@ let encapsulate
     v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
     #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness
 
-let unpack_public_key
-      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      (unpacked_public_key:
+let encapsulate
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+          usize)
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (randomness: t_Array u8 (sz 32))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+  encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
+    v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN
+    v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness
+
+let generate_keypair_avx2
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+          usize)
+      (randomness: t_Array u8 (sz 64))
+      (out:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+     =
+  let hax_temp_output, out:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
       Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
     (),
-    Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
-      v_T_AS_NTT_ENCODED_SIZE
-      v_RANKED_BYTES_PER_RING_ELEMENT
-      v_PUBLIC_KEY_SIZE
-      #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
-      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-      public_key
-      unpacked_public_key
+    Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
+      v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
+      #Libcrux_ml_kem.Variant.t_MlKem randomness out
     <:
     (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
         Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
   in
-  unpacked_public_key
-
-let decapsulate
-      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
-          usize)
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
-    v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
-    v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
-    v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
-    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
-    key_pair ciphertext
+  out
 
 let generate_keypair
       (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
@@ -80,10 +102,15 @@ let generate_keypair
     Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
       Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
     (),
-    Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
-      v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
-      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
-      #Libcrux_ml_kem.Variant.t_MlKem randomness out
+    generate_keypair_avx2 v_K
+      v_CPA_PRIVATE_KEY_SIZE
+      v_PRIVATE_KEY_SIZE
+      v_PUBLIC_KEY_SIZE
+      v_BYTES_PER_RING_ELEMENT
+      v_ETA1
+      v_ETA1_RANDOMNESS_SIZE
+      randomness
+      out
     <:
     (Prims.unit &
       Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
@@ -112,3 +139,53 @@ let keypair_from_private_key
       key_pair
   in
   key_pair
+
+let unpack_public_key_avx2
+      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+     =
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+      Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
+      v_T_AS_NTT_ENCODED_SIZE
+      v_RANKED_BYTES_PER_RING_ELEMENT
+      v_PUBLIC_KEY_SIZE
+      #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
+      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+  in
+  unpacked_public_key
+
+let unpack_public_key
+      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+     =
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+      Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
+    (),
+    unpack_public_key_avx2 v_K
+      v_T_AS_NTT_ENCODED_SIZE
+      v_RANKED_BYTES_PER_RING_ELEMENT
+      v_PUBLIC_KEY_SIZE
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+  in
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti
index 79c0e4424..b55a38fd3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,8 +13,50 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-/// Unpacked encapsulate
-val encapsulate
+val decapsulate_avx2
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+/// Unpacked decapsulate
+val decapsulate
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+val encapsulate_avx2
       (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (public_key:
@@ -22,29 +64,55 @@ val encapsulate
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpack_public_key
-      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      (unpacked_public_key:
+/// Unpacked encapsulate
+val encapsulate
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+          usize)
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
-/// Unpacked decapsulate
-val decapsulate
-      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+val generate_keypair_avx2
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
-      (key_pair:
+      (randomness: t_Array u8 (sz 64))
+      (out:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
 /// Generate a key pair
 val generate_keypair
@@ -56,7 +124,13 @@ val generate_keypair
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
     : Prims.Pure
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
-          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
 /// Take a serialized private key and generate an unpacked key pair from it.
 val keypair_from_private_key
@@ -68,4 +142,41 @@ val keypair_from_private_key
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
     : Prims.Pure
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
-          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpack_public_key_avx2
+      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpack_public_key
+      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+      (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst
index eddadbe1a..c6fa41647 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,38 +13,34 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let validate_private_key_only
-      (v_K v_SECRET_KEY_SIZE: usize)
+let validate_private_key_avx2
+      (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
      =
-  Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K
+  Libcrux_ml_kem.Ind_cca.validate_private_key v_K
     v_SECRET_KEY_SIZE
+    v_CIPHERTEXT_SIZE
     #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
     private_key
+    ciphertext
 
 let validate_private_key
       (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+     = validate_private_key_avx2 v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE private_key ciphertext
+
+let validate_private_key_only
+      (v_K v_SECRET_KEY_SIZE: usize)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
      =
-  Libcrux_ml_kem.Ind_cca.validate_private_key v_K
+  Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K
     v_SECRET_KEY_SIZE
-    v_CIPHERTEXT_SIZE
     #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
     private_key
-    ciphertext
 
-let validate_public_key
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
-     =
-  Libcrux_ml_kem.Ind_cca.validate_public_key v_K
-    v_RANKED_BYTES_PER_RING_ELEMENT
-    v_PUBLIC_KEY_SIZE
-    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-    public_key
-
-let decapsulate
+let decapsulate_avx2
       (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
           usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
@@ -57,7 +53,18 @@ let decapsulate
     #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
     #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext
 
-let encapsulate
+let decapsulate
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+     =
+  decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE
+    v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+    v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+    v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext
+
+let encapsulate_avx2
       (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
@@ -69,7 +76,17 @@ let encapsulate
     #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
     #Libcrux_ml_kem.Variant.t_MlKem public_key randomness
 
-let generate_keypair
+let encapsulate
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+          usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (randomness: t_Array u8 (sz 32))
+     =
+  encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
+    v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN
+    v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness
+
+let generate_keypair_avx2
       (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
       (randomness: t_Array u8 (sz 64))
@@ -78,3 +95,32 @@ let generate_keypair
     v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
     #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
     #Libcrux_ml_kem.Variant.t_MlKem randomness
+
+let generate_keypair
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+          usize)
+      (randomness: t_Array u8 (sz 64))
+     =
+  generate_keypair_avx2 v_K
+    v_CPA_PRIVATE_KEY_SIZE
+    v_PRIVATE_KEY_SIZE
+    v_PUBLIC_KEY_SIZE
+    v_BYTES_PER_RING_ELEMENT
+    v_ETA1
+    v_ETA1_RANDOMNESS_SIZE
+    randomness
+
+let validate_public_key_avx2
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+     =
+  Libcrux_ml_kem.Ind_cca.validate_public_key v_K
+    v_RANKED_BYTES_PER_RING_ELEMENT
+    v_PUBLIC_KEY_SIZE
+    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+    public_key
+
+let validate_public_key
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+     = validate_public_key_avx2 v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti
index ac6c19208..d31791ba7 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,32 +13,97 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-/// Private key validation
-val validate_private_key_only
-      (v_K v_SECRET_KEY_SIZE: usize)
+val validate_private_key_avx2
+      (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
-/// Private key validation
 val validate_private_key
       (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
-/// Public key validation
-val validate_public_key
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Private key validation
+val validate_private_key_only
+      (v_K v_SECRET_KEY_SIZE: usize)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+    : Prims.Pure bool
+      (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K
+      )
+      (fun _ -> Prims.l_True)
+
+val decapsulate_avx2
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
-/// Portable decapsulate
 val decapsulate
       (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
           usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+val encapsulate_avx2
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+          usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
 val encapsulate
       (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
@@ -46,14 +111,64 @@ val encapsulate
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
       (fun _ -> Prims.l_True)
 
 /// Portable generate key pair.
+val generate_keypair_avx2
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+          usize)
+      (randomness: t_Array u8 (sz 64))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
 val generate_keypair
       (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
       (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+val validate_public_key_avx2
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+val validate_public_key
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst
index fa6cb8845..591097306 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,46 +13,6 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
-          usize)
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (randomness: t_Array u8 (sz 32))
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
-    v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
-    v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
-    v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-    #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness
-
-let unpack_public_key
-      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      (unpacked_public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-     =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-      Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
-      v_T_AS_NTT_ENCODED_SIZE
-      v_RANKED_BYTES_PER_RING_ELEMENT
-      v_PUBLIC_KEY_SIZE
-      #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash
-      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-      public_key
-      unpacked_public_key
-    <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-  in
-  unpacked_public_key
-
 let decapsulate
       (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
           usize)
@@ -68,6 +28,20 @@ let decapsulate
     #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
     #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext
 
+let encapsulate
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+          usize)
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
+    v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+    v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+    v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+    #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness
+
 let generate_keypair
       (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
@@ -113,3 +87,29 @@ let keypair_from_private_key
       key_pair
   in
   key_pair
+
+let unpack_public_key
+      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+     =
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+      Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
+      v_T_AS_NTT_ENCODED_SIZE
+      v_RANKED_BYTES_PER_RING_ELEMENT
+      v_PUBLIC_KEY_SIZE
+      #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash
+      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+  in
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti
index 58251c88d..05e8e5cd5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,6 +13,31 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+/// Unpacked decapsulate
+val decapsulate
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
 /// Unpacked encapsulate
 val encapsulate
       (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
@@ -22,32 +47,19 @@ val encapsulate
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the unpacked public key.
-val unpack_public_key
-      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      (unpacked_public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
       (fun _ -> Prims.l_True)
 
-/// Unpacked decapsulate
-val decapsulate
-      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
-          usize)
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
 /// Generate a key pair
 val generate_keypair
       (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
@@ -59,7 +71,13 @@ val generate_keypair
     : Prims.Pure
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
           Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
       (fun _ -> Prims.l_True)
 
 /// Take a serialized private key and generate an unpacked key pair from it.
@@ -73,5 +91,25 @@ val keypair_from_private_key
     : Prims.Pure
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
           Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpack_public_key
+      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst
index b311a7d73..30ff60795 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,15 +13,6 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let validate_private_key_only
-      (v_K v_SECRET_KEY_SIZE: usize)
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-     =
-  Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K
-    v_SECRET_KEY_SIZE
-    #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash
-    private_key
-
 let validate_private_key
       (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
@@ -34,15 +25,14 @@ let validate_private_key
     private_key
     ciphertext
 
-let validate_public_key
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+let validate_private_key_only
+      (v_K v_SECRET_KEY_SIZE: usize)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
      =
-  Libcrux_ml_kem.Ind_cca.validate_public_key v_K
-    v_RANKED_BYTES_PER_RING_ELEMENT
-    v_PUBLIC_KEY_SIZE
-    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-    public_key
+  Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K
+    v_SECRET_KEY_SIZE
+    #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash
+    private_key
 
 let decapsulate
       (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
@@ -59,24 +49,34 @@ let decapsulate
     ciphertext
 
 let encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE
-    v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR
-    v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE
+    v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE
+    v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE
     #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
     #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem public_key
     randomness
 
 let generate_keypair
-      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
       (randomness: t_Array u8 (sz 64))
      =
   Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
-    v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+    v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
     #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
     #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness
+
+let validate_public_key
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+     =
+  Libcrux_ml_kem.Ind_cca.validate_public_key v_K
+    v_RANKED_BYTES_PER_RING_ELEMENT
+    v_PUBLIC_KEY_SIZE
+    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+    public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti
index 2baa54697..fd97941df 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,24 +13,25 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-/// Private key validation
-val validate_private_key_only
-      (v_K v_SECRET_KEY_SIZE: usize)
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Private key validation
 val validate_private_key
       (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
-/// Public key validation
-val validate_public_key
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Private key validation
+val validate_private_key_only
+      (v_K v_SECRET_KEY_SIZE: usize)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+    : Prims.Pure bool
+      (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K
+      )
+      (fun _ -> Prims.l_True)
 
 /// Portable decapsulate
 val decapsulate
@@ -38,22 +39,64 @@ val decapsulate
           usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
 val encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
       (fun _ -> Prims.l_True)
 
 /// Portable generate key pair.
 val generate_keypair
-      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
       (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+/// Public key validation
+val validate_public_key
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst
index b8ed5ec86..b9f62cbc3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,46 +13,6 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
-          usize)
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (randomness: t_Array u8 (sz 32))
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
-    v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
-    v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
-    v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-    #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness
-
-let unpack_public_key
-      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      (unpacked_public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-     =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-      Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
-      v_T_AS_NTT_ENCODED_SIZE
-      v_RANKED_BYTES_PER_RING_ELEMENT
-      v_PUBLIC_KEY_SIZE
-      #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
-      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      public_key
-      unpacked_public_key
-    <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-  in
-  unpacked_public_key
-
 let decapsulate
       (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
           usize)
@@ -68,6 +28,20 @@ let decapsulate
     #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
     #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext
 
+let encapsulate
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+          usize)
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
+    v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+    v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+    v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+    #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness
+
 let generate_keypair
       (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
@@ -113,3 +87,29 @@ let keypair_from_private_key
       key_pair
   in
   key_pair
+
+let unpack_public_key
+      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+     =
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+      Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
+      v_T_AS_NTT_ENCODED_SIZE
+      v_RANKED_BYTES_PER_RING_ELEMENT
+      v_PUBLIC_KEY_SIZE
+      #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
+      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+  in
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti
index 763644fa1..f406d6a8f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,6 +13,31 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+/// Unpacked decapsulate
+val decapsulate
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
 /// Unpacked encapsulate
 val encapsulate
       (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
@@ -22,32 +47,19 @@ val encapsulate
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the unpacked public key.
-val unpack_public_key
-      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      (unpacked_public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
       (fun _ -> Prims.l_True)
 
-/// Unpacked decapsulate
-val decapsulate
-      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
-          usize)
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
 /// Generate a key pair
 val generate_keypair
       (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
@@ -59,7 +71,13 @@ val generate_keypair
     : Prims.Pure
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
           Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
       (fun _ -> Prims.l_True)
 
 /// Take a serialized private key and generate an unpacked key pair from it.
@@ -73,5 +91,25 @@ val keypair_from_private_key
     : Prims.Pure
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
           Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpack_public_key
+      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst
index 2ae564746..414098242 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,15 +13,6 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let validate_private_key_only
-      (v_K v_SECRET_KEY_SIZE: usize)
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-     =
-  Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K
-    v_SECRET_KEY_SIZE
-    #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
-    private_key
-
 let validate_private_key
       (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
@@ -34,15 +25,14 @@ let validate_private_key
     private_key
     ciphertext
 
-let validate_public_key
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+let validate_private_key_only
+      (v_K v_SECRET_KEY_SIZE: usize)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
      =
-  Libcrux_ml_kem.Ind_cca.validate_public_key v_K
-    v_RANKED_BYTES_PER_RING_ELEMENT
-    v_PUBLIC_KEY_SIZE
-    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-    public_key
+  Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K
+    v_SECRET_KEY_SIZE
+    #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
+    private_key
 
 let decapsulate
       (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
@@ -59,25 +49,35 @@ let decapsulate
     private_key ciphertext
 
 let encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
       (randomness: t_Array u8 (sz 32))
      =
   Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE
-    v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR
-    v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE
+    v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE
+    v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE
     #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
     #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem
     public_key randomness
 
 let generate_keypair
-      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
       (randomness: t_Array u8 (sz 64))
      =
   Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
-    v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+    v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
     #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
     #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem
     randomness
+
+let validate_public_key
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+     =
+  Libcrux_ml_kem.Ind_cca.validate_public_key v_K
+    v_RANKED_BYTES_PER_RING_ELEMENT
+    v_PUBLIC_KEY_SIZE
+    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+    public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti
index a4d5407a5..19dc4859d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Instantiations.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -13,24 +13,25 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-/// Private key validation
-val validate_private_key_only
-      (v_K v_SECRET_KEY_SIZE: usize)
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Private key validation
 val validate_private_key
       (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
-/// Public key validation
-val validate_public_key
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Private key validation
+val validate_private_key_only
+      (v_K v_SECRET_KEY_SIZE: usize)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+    : Prims.Pure bool
+      (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K
+      )
+      (fun _ -> Prims.l_True)
 
 /// Portable decapsulate
 val decapsulate
@@ -38,22 +39,64 @@ val decapsulate
           usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
 val encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
       (fun _ -> Prims.l_True)
 
 /// Portable generate key pair.
 val generate_keypair
-      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
       (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+      (fun _ -> Prims.l_True)
+
+/// Public key validation
+val validate_public_key
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst
index f945524c6..ca7056f6c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Multiplexing
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -52,7 +52,7 @@ let decapsulate
         private_key ciphertext
 
 let encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
       (randomness: t_Array u8 (sz 32))
@@ -61,23 +61,23 @@ let encapsulate
   then
     Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
       v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
-      v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+      v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
       v_ETA2_RANDOMNESS_SIZE public_key randomness
   else
     if Libcrux_platform.Platform.simd128_support ()
     then
       Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
         v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
-        v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+        v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
         v_ETA2_RANDOMNESS_SIZE public_key randomness
     else
       Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate v_K v_CIPHERTEXT_SIZE
         v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
-        v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+        v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
         v_ETA2_RANDOMNESS_SIZE public_key randomness
 
 let generate_keypair
-      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
       (randomness: t_Array u8 (sz 64))
      =
@@ -87,7 +87,7 @@ let generate_keypair
       v_CPA_PRIVATE_KEY_SIZE
       v_PRIVATE_KEY_SIZE
       v_PUBLIC_KEY_SIZE
-      v_BYTES_PER_RING_ELEMENT
+      v_RANKED_BYTES_PER_RING_ELEMENT
       v_ETA1
       v_ETA1_RANDOMNESS_SIZE
       randomness
@@ -98,7 +98,7 @@ let generate_keypair
         v_CPA_PRIVATE_KEY_SIZE
         v_PRIVATE_KEY_SIZE
         v_PUBLIC_KEY_SIZE
-        v_BYTES_PER_RING_ELEMENT
+        v_RANKED_BYTES_PER_RING_ELEMENT
         v_ETA1
         v_ETA1_RANDOMNESS_SIZE
         randomness
@@ -107,7 +107,7 @@ let generate_keypair
         v_CPA_PRIVATE_KEY_SIZE
         v_PRIVATE_KEY_SIZE
         v_PUBLIC_KEY_SIZE
-        v_BYTES_PER_RING_ELEMENT
+        v_RANKED_BYTES_PER_RING_ELEMENT
         v_ETA1
         v_ETA1_RANDOMNESS_SIZE
         randomness
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti
index 8323134a3..4fc70d000 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Multiplexing
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -7,33 +7,73 @@ val validate_private_key
       (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
 val validate_public_key
       (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
       (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
 val decapsulate
       (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
           usize)
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
 val encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
       (fun _ -> Prims.l_True)
 
 val generate_keypair
-      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
       (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst
index 20ac54a4f..ed2632129 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,114 +15,382 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let impl__serialized
+let impl_4__private_key
       (v_K: usize)
       (#v_Vector: Type0)
-      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+     = self.f_private_key
+
+let impl_4__public_key
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+     = self.f_public_key
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2':
+    v_K: usize ->
+    #v_Vector: Type0 ->
+    {| i1: Core.Clone.t_Clone v_Vector |} ->
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+  -> Core.Clone.t_Clone (t_MlKemPublicKeyUnpacked v_K v_Vector)
+
+let impl_2
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_Vector)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i2:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+     = impl_2' v_K #v_Vector #i1 #i2
+
+#push-options "--z3rlimit 200"
+
+let transpose_a
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (ind_cpa_a:
+          t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
      =
-  Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-    #(t_Array u8 v_PUBLIC_KEY_SIZE)
-    #FStar.Tactics.Typeclasses.solve
-    (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K
-        v_RANKED_BYTES_PER_RING_ELEMENT
-        v_PUBLIC_KEY_SIZE
-        #v_Vector
-        self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
-        (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
+  let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+    Core.Array.from_fn #(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      v_K
+      (fun v__i ->
+          let v__i:usize = v__i in
+          Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+            v_K
+            (fun v__j ->
+                let v__j:usize = v__j in
+                Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+                <:
+                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          <:
+          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+  in
+  let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      v_K
+      (fun v_A i ->
+          let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+            v_K =
+            v_A
+          in
+          let i:usize = i in
+          forall (j: nat).
+            j < v i ==>
+            (forall (k: nat).
+                k < v v_K ==> Seq.index (Seq.index v_A j) k == Seq.index (Seq.index ind_cpa_a k) j))
+      v_A
+      (fun v_A i ->
+          let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+            v_K =
+            v_A
+          in
+          let i:usize = i in
+          let v__a_i:t_Array
+            (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+            v_A
+          in
+          Rust_primitives.Hax.Folds.fold_range (sz 0)
+            v_K
+            (fun v_A j ->
+                let v_A:t_Array
+                  (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+                  v_A
+                in
+                let j:usize = j in
+                (forall (k: nat). k < v i ==> Seq.index v_A k == Seq.index v__a_i k) /\
+                (forall (k: nat).
+                    k < v j ==>
+                    Seq.index (Seq.index v_A (v i)) k == Seq.index (Seq.index ind_cpa_a k) (v i)))
+            v_A
+            (fun v_A j ->
+                let v_A:t_Array
+                  (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+                  v_A
+                in
+                let j:usize = j in
+                let v_A:t_Array
+                  (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+                  Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A
+                    i
+                    (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A.[ i ]
+                          <:
+                          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+                        j
+                        (Core.Clone.f_clone #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement
+                              v_Vector)
+                            #FStar.Tactics.Typeclasses.solve
+                            ((ind_cpa_a.[ j ]
+                                <:
+                                t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+                                  v_K).[ i ]
+                              <:
+                              Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+                          <:
+                          Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+                      <:
+                      t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+                in
+                v_A))
+  in
+  v_A
+
+#pop-options
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+    : Core.Default.t_Default (t_MlKemPublicKeyUnpacked v_K v_Vector) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKeyUnpacked v_K v_Vector) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      {
+        f_ind_cpa_public_key
+        =
+        Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K
+              v_Vector)
+          #FStar.Tactics.Typeclasses.solve
+          ();
+        f_public_key_hash = Rust_primitives.Hax.repeat 0uy (sz 32)
+      }
       <:
-      t_Array u8 v_PUBLIC_KEY_SIZE)
+      t_MlKemPublicKeyUnpacked v_K v_Vector
+  }
 
-let impl__serialized_mut
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_1
       (v_K: usize)
       (#v_Vector: Type0)
-      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+    : Core.Default.t_Default (t_MlKemKeyPairUnpacked v_K v_Vector) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemKeyPairUnpacked v_K v_Vector) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      {
+        f_private_key
+        =
+        {
+          f_ind_cpa_private_key
+          =
+          Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K
+                v_Vector)
+            #FStar.Tactics.Typeclasses.solve
+            ();
+          f_implicit_rejection_value = Rust_primitives.Hax.repeat 0uy (sz 32)
+        }
+        <:
+        t_MlKemPrivateKeyUnpacked v_K v_Vector;
+        f_public_key
+        =
+        Core.Default.f_default #(t_MlKemPublicKeyUnpacked v_K v_Vector)
+          #FStar.Tactics.Typeclasses.solve
+          ()
+      }
+      <:
+      t_MlKemKeyPairUnpacked v_K v_Vector
+  }
+
+let impl_4__new
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (_: Prims.unit)
      =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE =
-    {
-      serialized with
-      Libcrux_ml_kem.Types.f_value
-      =
-      Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K
-        v_RANKED_BYTES_PER_RING_ELEMENT
-        v_PUBLIC_KEY_SIZE
-        #v_Vector
-        self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
-        (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
-        serialized.Libcrux_ml_kem.Types.f_value
-    }
-    <:
-    Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE
-  in
-  serialized
+  Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve ()
 
-let encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+let keys_from_private_key
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
           usize)
-      (#v_Vector #v_Hasher: Type0)
+      (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
-      (randomness: t_Array u8 (sz 32))
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+      (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
      =
-  let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
-    Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8)
+  let ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice
+    u8 &
+    t_Slice u8 &
+    t_Slice u8 &
+    t_Slice u8) =
+    Libcrux_ml_kem.Types.unpack_private_key v_CPA_SECRET_KEY_SIZE
+      v_PUBLIC_KEY_SIZE
+      (private_key.Libcrux_ml_kem.Types.f_value <: t_Slice u8)
   in
-  let to_hash:t_Array u8 (sz 64) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
-      ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
+  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
+    {
+      key_pair with
+      f_private_key
+      =
+      {
+        key_pair.f_private_key with
+        f_ind_cpa_private_key
+        =
+        {
+          key_pair.f_private_key.f_ind_cpa_private_key with
+          Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
+          =
+          Core.Slice.impl__copy_from_slice #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement
+              v_Vector)
+            key_pair.f_private_key.f_ind_cpa_private_key
+              .Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
+            (Libcrux_ml_kem.Ind_cpa.deserialize_secret_key v_K #v_Vector ind_cpa_secret_key
+              <:
+              t_Slice (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector))
+        }
         <:
-        Core.Ops.Range.t_RangeFrom usize)
-      (Core.Slice.impl__copy_from_slice #u8
-          (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
+        Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector
+      }
+      <:
+      t_MlKemPrivateKeyUnpacked v_K v_Vector
+    }
+    <:
+    t_MlKemKeyPairUnpacked v_K v_Vector
+  in
+  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
+    {
+      key_pair with
+      f_public_key
+      =
+      {
+        key_pair.f_public_key with
+        f_ind_cpa_public_key
+        =
+        Libcrux_ml_kem.Ind_cpa.build_unpacked_public_key_mut v_K
+          v_T_AS_NTT_ENCODED_SIZE
+          #v_Vector
+          #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
+          ind_cpa_public_key
+          key_pair.f_public_key.f_ind_cpa_public_key
+      }
+      <:
+      t_MlKemPublicKeyUnpacked v_K v_Vector
+    }
+    <:
+    t_MlKemKeyPairUnpacked v_K v_Vector
+  in
+  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
+    {
+      key_pair with
+      f_public_key
+      =
+      {
+        key_pair.f_public_key with
+        f_public_key_hash
+        =
+        Core.Slice.impl__copy_from_slice #u8
+          key_pair.f_public_key.f_public_key_hash
+          ind_cpa_public_key_hash
+      }
+      <:
+      t_MlKemPublicKeyUnpacked v_K v_Vector
+    }
+    <:
+    t_MlKemKeyPairUnpacked v_K v_Vector
+  in
+  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
+    {
+      key_pair with
+      f_private_key
+      =
+      {
+        key_pair.f_private_key with
+        f_implicit_rejection_value
+        =
+        Core.Slice.impl__copy_from_slice #u8
+          key_pair.f_private_key.f_implicit_rejection_value
+          implicit_rejection_value
+      }
+      <:
+      t_MlKemPrivateKeyUnpacked v_K v_Vector
+    }
+    <:
+    t_MlKemKeyPairUnpacked v_K v_Vector
+  in
+  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
+    {
+      key_pair with
+      f_public_key
+      =
+      {
+        key_pair.f_public_key with
+        f_ind_cpa_public_key
+        =
+        {
+          key_pair.f_public_key.f_ind_cpa_public_key with
+          Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
+          =
+          Core.Slice.impl__copy_from_slice #u8
+            key_pair.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
+            (ind_cpa_public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE }
+                <:
+                Core.Ops.Range.t_RangeFrom usize ]
               <:
-              Core.Ops.Range.t_RangeFrom usize ]
-            <:
-            t_Slice u8)
-          (public_key.f_public_key_hash <: t_Slice u8)
+              t_Slice u8)
+        }
         <:
-        t_Slice u8)
+        Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+      }
+      <:
+      t_MlKemPublicKeyUnpacked v_K v_Vector
+    }
+    <:
+    t_MlKemKeyPairUnpacked v_K v_Vector
   in
-  let hashed:t_Array u8 (sz 64) =
-    Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
-      #v_K
+  key_pair
+
+let impl_4__from_private_key
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+          usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+     =
+  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
+    Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector)
       #FStar.Tactics.Typeclasses.solve
-      (to_hash <: t_Slice u8)
-  in
-  let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) =
-    Core.Slice.impl__split_at #u8
-      (hashed <: t_Slice u8)
-      Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
-  in
-  let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
-    Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
-      v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN
-      v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
-      public_key.f_ind_cpa_public_key randomness pseudorandomness
+      ()
   in
-  let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
-  let shared_secret_array:t_Array u8 (sz 32) =
-    Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret
+  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
+    keys_from_private_key v_K
+      v_SECRET_KEY_SIZE
+      v_CPA_SECRET_KEY_SIZE
+      v_PUBLIC_KEY_SIZE
+      v_BYTES_PER_RING_ELEMENT
+      v_T_AS_NTT_ENCODED_SIZE
+      #v_Vector
+      private_key
+      out
   in
-  Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    #(t_Array u8 v_CIPHERTEXT_SIZE)
-    #FStar.Tactics.Typeclasses.solve
-    ciphertext,
-  shared_secret_array
-  <:
-  (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+  out
 
 let unpack_public_key
       (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
@@ -145,8 +413,7 @@ let unpack_public_key
         unpacked_public_key.f_ind_cpa_public_key with
         Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
         =
-        Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_T_AS_NTT_ENCODED_SIZE
-          v_K
+        Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K
           #v_Vector
           (public_key.Libcrux_ml_kem.Types.f_value.[ {
                 Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE
@@ -163,6 +430,14 @@ let unpack_public_key
     <:
     t_MlKemPublicKeyUnpacked v_K v_Vector
   in
+  let _:Prims.unit =
+    let _, seed = split public_key.f_value (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) in
+    Lib.Sequence.eq_intro #u8 #32 (Libcrux_ml_kem.Utils.into_padded_array (sz 32) seed) seed;
+    Lib.Sequence.eq_intro #u8
+      #32
+      (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32)
+      seed
+  in
   let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector =
     {
       unpacked_public_key with
@@ -226,144 +501,15 @@ let unpack_public_key
       Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
         #v_K
         #FStar.Tactics.Typeclasses.solve
-        (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8)
+        (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8)
     }
     <:
     t_MlKemPublicKeyUnpacked v_K v_Vector
   in
   unpacked_public_key
 
-let impl_2__private_key
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
-     = self.f_private_key
-
-let impl_2__public_key
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
-     = self.f_public_key
-
-let impl_2__serialized_private_key_mut
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
-          usize)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
-     =
-  let ind_cpa_private_key, ind_cpa_public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE &
-    t_Array u8 v_PUBLIC_KEY_SIZE) =
-    Libcrux_ml_kem.Ind_cpa.serialize_unpacked_secret_key v_K
-      v_CPA_PRIVATE_KEY_SIZE
-      v_PUBLIC_KEY_SIZE
-      v_RANKED_BYTES_PER_RING_ELEMENT
-      #v_Vector
-      self.f_public_key.f_ind_cpa_public_key
-      self.f_private_key.f_ind_cpa_private_key
-  in
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
-    {
-      serialized with
-      Libcrux_ml_kem.Types.f_value
-      =
-      Libcrux_ml_kem.Ind_cca.serialize_kem_secret_key_mut v_K
-        v_PRIVATE_KEY_SIZE
-        #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
-        (ind_cpa_private_key <: t_Slice u8)
-        (ind_cpa_public_key <: t_Slice u8)
-        (self.f_private_key.f_implicit_rejection_value <: t_Slice u8)
-        serialized.Libcrux_ml_kem.Types.f_value
-    }
-    <:
-    Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE
-  in
-  serialized
-
-let impl_2__serialized_private_key
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
-          usize)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
-     =
-  let sk:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
-    Core.Default.f_default #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
-      #FStar.Tactics.Typeclasses.solve
-      ()
-  in
-  let sk:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
-    impl_2__serialized_private_key_mut v_K
-      #v_Vector
-      v_CPA_PRIVATE_KEY_SIZE
-      v_PRIVATE_KEY_SIZE
-      v_PUBLIC_KEY_SIZE
-      v_RANKED_BYTES_PER_RING_ELEMENT
-      self
-      sk
-  in
-  sk
-
-let impl_2__serialized_public_key
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
-     =
-  impl__serialized v_K #v_Vector v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE self.f_public_key
-
-let impl_2__serialized_public_key_mut
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-     =
-  let hax_temp_output, serialized:(Prims.unit &
-    Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) =
-    (),
-    impl__serialized_mut v_K
-      #v_Vector
-      v_RANKED_BYTES_PER_RING_ELEMENT
-      v_PUBLIC_KEY_SIZE
-      self.f_public_key
-      serialized
-    <:
-    (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-  in
-  serialized
-
-let impl_2__new
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (_: Prims.unit)
-     =
-  Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve ()
-
-let decapsulate
-      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+let encapsulate
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (#v_Vector #v_Hasher: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -372,37 +518,36 @@ let decapsulate
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i3:
           Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
-      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+      (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
+      (randomness: t_Array u8 (sz 32))
      =
-  let decrypted:t_Array u8 (sz 32) =
-    Libcrux_ml_kem.Ind_cpa.decrypt_unpacked v_K
-      v_CIPHERTEXT_SIZE
-      v_C1_SIZE
-      v_VECTOR_U_COMPRESSION_FACTOR
-      v_VECTOR_V_COMPRESSION_FACTOR
-      #v_Vector
-      key_pair.f_private_key.f_ind_cpa_private_key
-      ciphertext.Libcrux_ml_kem.Types.f_value
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #u8
+      #32
+      (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 64) randomness) 0 32)
+      randomness
   in
   let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
-    Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8)
+    Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8)
   in
   let to_hash:t_Array u8 (sz 64) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
-      ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
+      ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
         <:
         Core.Ops.Range.t_RangeFrom usize)
       (Core.Slice.impl__copy_from_slice #u8
-          (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
+          (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
               <:
               Core.Ops.Range.t_RangeFrom usize ]
             <:
             t_Slice u8)
-          (key_pair.f_public_key.f_public_key_hash <: t_Slice u8)
+          (public_key.f_public_key_hash <: t_Slice u8)
         <:
         t_Slice u8)
   in
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #u8 #64 to_hash (concat randomness public_key.f_public_key_hash)
+  in
   let hashed:t_Array u8 (sz 64) =
     Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
       #v_K
@@ -414,57 +559,113 @@ let decapsulate
       (hashed <: t_Slice u8)
       Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
   in
-  let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8
-    v_IMPLICIT_REJECTION_HASH_INPUT_SIZE =
-    Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
-      (key_pair.f_private_key.f_implicit_rejection_value <: t_Slice u8)
-  in
-  let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
-      ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
-        <:
-        Core.Ops.Range.t_RangeFrom usize)
-      (Core.Slice.impl__copy_from_slice #u8
-          (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
-              <:
-              Core.Ops.Range.t_RangeFrom usize ]
-            <:
-            t_Slice u8)
-          (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-              #(t_Slice u8)
-              #FStar.Tactics.Typeclasses.solve
-              ciphertext
-            <:
-            t_Slice u8)
-        <:
-        t_Slice u8)
+  let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
+    Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
+      v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN
+      v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
+      public_key.f_ind_cpa_public_key randomness pseudorandomness
   in
-  let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) =
-    Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher
-      #v_K
-      #FStar.Tactics.Typeclasses.solve
-      (sz 32)
-      (to_hash <: t_Slice u8)
+  let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+  let shared_secret_array:t_Array u8 (sz 32) =
+    Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret
   in
-  let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
-    Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
-      v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
-      v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
-      key_pair.f_public_key.f_ind_cpa_public_key decrypted pseudorandomness
+  Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+    #(t_Array u8 v_CIPHERTEXT_SIZE)
+    #FStar.Tactics.Typeclasses.solve
+    ciphertext,
+  shared_secret_array
+  <:
+  (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+
+let impl_3__serialized_mut
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE =
+    {
+      serialized with
+      Libcrux_ml_kem.Types.f_value
+      =
+      Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K
+        v_RANKED_BYTES_PER_RING_ELEMENT
+        v_PUBLIC_KEY_SIZE
+        #v_Vector
+        self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+        (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
+        serialized.Libcrux_ml_kem.Types.f_value
+    }
+    <:
+    Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE
   in
-  let selector:u8 =
-    Libcrux_ml_kem.Constant_time_ops.compare_ciphertexts_in_constant_time (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext
-            v_CIPHERTEXT_SIZE)
-          #(t_Slice u8)
-          #FStar.Tactics.Typeclasses.solve
-          ciphertext
-        <:
-        t_Slice u8)
-      (expected_ciphertext <: t_Slice u8)
+  serialized
+
+let impl_4__serialized_public_key_mut
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+     =
+  let hax_temp_output, serialized:(Prims.unit &
+    Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) =
+    (),
+    impl_3__serialized_mut v_K
+      #v_Vector
+      v_RANKED_BYTES_PER_RING_ELEMENT
+      v_PUBLIC_KEY_SIZE
+      self.f_public_key
+      serialized
+    <:
+    (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
   in
-  Libcrux_ml_kem.Constant_time_ops.select_shared_secret_in_constant_time shared_secret
-    (implicit_rejection_shared_secret <: t_Slice u8)
-    selector
+  serialized
+
+let impl_3__serialized
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+     =
+  Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+    #(t_Array u8 v_PUBLIC_KEY_SIZE)
+    #FStar.Tactics.Typeclasses.solve
+    (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K
+        v_RANKED_BYTES_PER_RING_ELEMENT
+        v_PUBLIC_KEY_SIZE
+        #v_Vector
+        self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+        (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
+      <:
+      t_Array u8 v_PUBLIC_KEY_SIZE)
+
+let impl_4__serialized_public_key
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+     =
+  impl_3__serialized v_K
+    #v_Vector
+    v_RANKED_BYTES_PER_RING_ELEMENT
+    v_PUBLIC_KEY_SIZE
+    self.f_public_key
+
+#push-options "--z3rlimit 1500 --ext context_pruning --z3refresh"
 
 let generate_keypair
       (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
@@ -530,213 +731,53 @@ let generate_keypair
     t_MlKemKeyPairUnpacked v_K v_Vector
   in
   let _:Prims.unit = () in
-  let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-    Core.Array.from_fn #(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      v_K
-      (fun v__i ->
-          let v__i:usize = v__i in
-          Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-            v_K
-            (fun v__j ->
-                let v__j:usize = v__j in
-                Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-                <:
-                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-          <:
-          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-  in
-  let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      v_K
-      (fun v_A temp_1_ ->
-          let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-            v_K =
-            v_A
-          in
-          let _:usize = temp_1_ in
-          true)
-      v_A
-      (fun v_A i ->
-          let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-            v_K =
-            v_A
-          in
-          let i:usize = i in
-          Rust_primitives.Hax.Folds.fold_range (sz 0)
-            v_K
-            (fun v_A temp_1_ ->
-                let v_A:t_Array
-                  (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-                  v_A
-                in
-                let _:usize = temp_1_ in
-                true)
-            v_A
-            (fun v_A j ->
-                let v_A:t_Array
-                  (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-                  v_A
-                in
-                let j:usize = j in
-                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A
-                  i
-                  (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A.[ i ]
-                        <:
-                        t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-                      j
-                      (Core.Clone.f_clone #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement
-                            v_Vector)
-                          #FStar.Tactics.Typeclasses.solve
-                          ((out.f_public_key.f_ind_cpa_public_key
-                                .Libcrux_ml_kem.Ind_cpa.Unpacked.f_A.[ j ]
-                              <:
-                              t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-                                v_K).[ i ]
-                            <:
-                            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-                        <:
-                        Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-                    <:
-                    t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-                <:
-                t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-                  v_K)
-          <:
-          t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
-  in
-  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
-    {
-      out with
-      f_public_key
-      =
-      {
-        out.f_public_key with
-        f_ind_cpa_public_key
-        =
-        { out.f_public_key.f_ind_cpa_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A }
-        <:
-        Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
-      }
-      <:
-      t_MlKemPublicKeyUnpacked v_K v_Vector
-    }
-    <:
-    t_MlKemKeyPairUnpacked v_K v_Vector
-  in
-  let pk_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
-    Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K
-      v_BYTES_PER_RING_ELEMENT
-      v_PUBLIC_KEY_SIZE
-      #v_Vector
-      out.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
-      (out.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
-        <:
-        t_Slice u8)
-  in
-  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
-    {
-      out with
-      f_public_key
-      =
-      {
-        out.f_public_key with
-        f_public_key_hash
-        =
-        Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
-          #v_K
-          #FStar.Tactics.Typeclasses.solve
-          (pk_serialized <: t_Slice u8)
-      }
-      <:
-      t_MlKemPublicKeyUnpacked v_K v_Vector
-    }
-    <:
-    t_MlKemKeyPairUnpacked v_K v_Vector
-  in
-  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
-    {
-      out with
-      f_private_key
-      =
-      {
-        out.f_private_key with
-        f_implicit_rejection_value
-        =
-        Core.Result.impl__unwrap #(t_Array u8 (sz 32))
-          #Core.Array.t_TryFromSliceError
-          (Core.Convert.f_try_into #(t_Slice u8)
-              #(t_Array u8 (sz 32))
-              #FStar.Tactics.Typeclasses.solve
-              implicit_rejection_value
-            <:
-            Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError)
-      }
-      <:
-      t_MlKemPrivateKeyUnpacked v_K v_Vector
-    }
-    <:
-    t_MlKemKeyPairUnpacked v_K v_Vector
-  in
-  out
-
-let keys_from_private_key
-      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
-          usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-      (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
-     =
-  let ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice
-    u8 &
-    t_Slice u8 &
-    t_Slice u8 &
-    t_Slice u8) =
-    Libcrux_ml_kem.Types.unpack_private_key v_CPA_SECRET_KEY_SIZE
-      v_PUBLIC_KEY_SIZE
-      (private_key.Libcrux_ml_kem.Types.f_value <: t_Slice u8)
-  in
-  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
-    {
-      key_pair with
-      f_private_key
-      =
-      {
-        key_pair.f_private_key with
-        f_ind_cpa_private_key
-        =
-        {
-          key_pair.f_private_key.f_ind_cpa_private_key with
-          Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
-          =
-          Libcrux_ml_kem.Ind_cpa.deserialize_secret_key v_K #v_Vector ind_cpa_secret_key
-        }
-        <:
-        Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector
-      }
-      <:
-      t_MlKemPrivateKeyUnpacked v_K v_Vector
-    }
-    <:
-    t_MlKemKeyPairUnpacked v_K v_Vector
+  let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+    transpose_a v_K
+      #v_Vector
+      out.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
   in
-  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
+  let _:Prims.unit =
+    let ind_cpa_keypair_randomness, _ =
+      split randomness Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE
+    in
+    let (((_, _), matrix_A_as_ntt), _), sufficient_randomness =
+      Spec.MLKEM.ind_cpa_generate_keypair_unpacked v_K ind_cpa_keypair_randomness
+    in
+    let m_v_A = Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector v_A in
+    let m_f_A =
+      Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K
+        #v_Vector
+        out.f_public_key.f_ind_cpa_public_key.f_A
+    in
+    let m_A:Spec.MLKEM.matrix v_K = createi v_K (Spec.MLKEM.matrix_A_as_ntt_i matrix_A_as_ntt) in
+    assert (forall (i: nat).
+          i < v v_K ==>
+          (forall (j: nat).
+              j < v v_K ==> Seq.index (Seq.index m_v_A i) j == Seq.index (Seq.index m_f_A j) i));
+    let lemma_aux (i: nat{i < v v_K})
+        : Lemma (sufficient_randomness ==> Seq.index m_v_A i == Seq.index m_A i) =
+      if sufficient_randomness
+      then
+        Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial)
+          #(v v_K)
+          (Seq.index m_v_A i)
+          (Seq.index m_A i)
+    in
+    Classical.forall_intro lemma_aux;
+    if sufficient_randomness then Lib.Sequence.eq_intro #(Spec.MLKEM.vector v_K) #(v v_K) m_A m_v_A
+  in
+  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
     {
-      key_pair with
+      out with
       f_public_key
       =
       {
-        key_pair.f_public_key with
+        out.f_public_key with
         f_ind_cpa_public_key
         =
-        Libcrux_ml_kem.Ind_cpa.build_unpacked_public_key_mut v_K
-          v_T_AS_NTT_ENCODED_SIZE
-          #v_Vector
-          #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
-          ind_cpa_public_key
-          key_pair.f_public_key.f_ind_cpa_public_key
+        { out.f_public_key.f_ind_cpa_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A }
+        <:
+        Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
       }
       <:
       t_MlKemPublicKeyUnpacked v_K v_Vector
@@ -744,18 +785,29 @@ let keys_from_private_key
     <:
     t_MlKemKeyPairUnpacked v_K v_Vector
   in
-  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
+  let pk_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+    Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K
+      v_BYTES_PER_RING_ELEMENT
+      v_PUBLIC_KEY_SIZE
+      #v_Vector
+      out.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+      (out.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
+        <:
+        t_Slice u8)
+  in
+  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
     {
-      key_pair with
+      out with
       f_public_key
       =
       {
-        key_pair.f_public_key with
+        out.f_public_key with
         f_public_key_hash
         =
-        Core.Slice.impl__copy_from_slice #u8
-          key_pair.f_public_key.f_public_key_hash
-          ind_cpa_public_key_hash
+        Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
+          #v_K
+          #FStar.Tactics.Typeclasses.solve
+          (pk_serialized <: t_Slice u8)
       }
       <:
       t_MlKemPublicKeyUnpacked v_K v_Vector
@@ -763,18 +815,23 @@ let keys_from_private_key
     <:
     t_MlKemKeyPairUnpacked v_K v_Vector
   in
-  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
+  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
     {
-      key_pair with
+      out with
       f_private_key
       =
       {
-        key_pair.f_private_key with
+        out.f_private_key with
         f_implicit_rejection_value
         =
-        Core.Slice.impl__copy_from_slice #u8
-          key_pair.f_private_key.f_implicit_rejection_value
-          implicit_rejection_value
+        Core.Result.impl__unwrap #(t_Array u8 (sz 32))
+          #Core.Array.t_TryFromSliceError
+          (Core.Convert.f_try_into #(t_Slice u8)
+              #(t_Array u8 (sz 32))
+              #FStar.Tactics.Typeclasses.solve
+              implicit_rejection_value
+            <:
+            Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError)
       }
       <:
       t_MlKemPrivateKeyUnpacked v_K v_Vector
@@ -782,62 +839,206 @@ let keys_from_private_key
     <:
     t_MlKemKeyPairUnpacked v_K v_Vector
   in
-  let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
+  out
+
+#pop-options
+
+let impl_4__serialized_private_key_mut
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
+          usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+     =
+  let ind_cpa_private_key, ind_cpa_public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE &
+    t_Array u8 v_PUBLIC_KEY_SIZE) =
+    Libcrux_ml_kem.Ind_cpa.serialize_unpacked_secret_key v_K
+      v_CPA_PRIVATE_KEY_SIZE
+      v_PUBLIC_KEY_SIZE
+      v_RANKED_BYTES_PER_RING_ELEMENT
+      #v_Vector
+      self.f_public_key.f_ind_cpa_public_key
+      self.f_private_key.f_ind_cpa_private_key
+  in
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
     {
-      key_pair with
-      f_public_key
+      serialized with
+      Libcrux_ml_kem.Types.f_value
       =
-      {
-        key_pair.f_public_key with
-        f_ind_cpa_public_key
-        =
-        {
-          key_pair.f_public_key.f_ind_cpa_public_key with
-          Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
-          =
-          Core.Slice.impl__copy_from_slice #u8
-            key_pair.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
-            (ind_cpa_public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE }
-                <:
-                Core.Ops.Range.t_RangeFrom usize ]
-              <:
-              t_Slice u8)
-        }
-        <:
-        Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
-      }
-      <:
-      t_MlKemPublicKeyUnpacked v_K v_Vector
+      Libcrux_ml_kem.Ind_cca.serialize_kem_secret_key_mut v_K
+        v_PRIVATE_KEY_SIZE
+        #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
+        (ind_cpa_private_key <: t_Slice u8)
+        (ind_cpa_public_key <: t_Slice u8)
+        (self.f_private_key.f_implicit_rejection_value <: t_Slice u8)
+        serialized.Libcrux_ml_kem.Types.f_value
     }
     <:
-    t_MlKemKeyPairUnpacked v_K v_Vector
+    Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE
   in
-  key_pair
+  serialized
 
-let impl_2__from_private_key
+let impl_4__serialized_private_key
       (v_K: usize)
       (#v_Vector: Type0)
-      (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+      (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
           usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
      =
-  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
-    Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector)
+  let sk:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
+    Core.Default.f_default #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
       #FStar.Tactics.Typeclasses.solve
       ()
   in
-  let out:t_MlKemKeyPairUnpacked v_K v_Vector =
-    keys_from_private_key v_K
-      v_SECRET_KEY_SIZE
-      v_CPA_SECRET_KEY_SIZE
+  let sk:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
+    impl_4__serialized_private_key_mut v_K
+      #v_Vector
+      v_CPA_PRIVATE_KEY_SIZE
+      v_PRIVATE_KEY_SIZE
       v_PUBLIC_KEY_SIZE
-      v_BYTES_PER_RING_ELEMENT
-      v_T_AS_NTT_ENCODED_SIZE
+      v_RANKED_BYTES_PER_RING_ELEMENT
+      self
+      sk
+  in
+  sk
+
+#push-options "--z3rlimit 200 --ext context_pruning --z3refresh"
+
+let decapsulate
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (#v_Vector #v_Hasher: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+     =
+  let _:Prims.unit =
+    assert (v v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == 32 + v (Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K));
+    assert (v (Spec.MLKEM.v_C1_SIZE v_K +! Spec.MLKEM.v_C2_SIZE v_K) ==
+        v (Spec.MLKEM.v_C1_SIZE v_K) + v (Spec.MLKEM.v_C2_SIZE v_K));
+    assert (v (Spec.MLKEM.v_C1_SIZE v_K) == v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) * v v_K);
+    assert (v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) ==
+        32 * v (Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K));
+    assert (v (Spec.MLKEM.v_C2_SIZE v_K) == 32 * v (Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K))
+  in
+  let decrypted:t_Array u8 (sz 32) =
+    Libcrux_ml_kem.Ind_cpa.decrypt_unpacked v_K
+      v_CIPHERTEXT_SIZE
+      v_C1_SIZE
+      v_VECTOR_U_COMPRESSION_FACTOR
+      v_VECTOR_V_COMPRESSION_FACTOR
       #v_Vector
-      private_key
-      out
+      key_pair.f_private_key.f_ind_cpa_private_key
+      ciphertext.Libcrux_ml_kem.Types.f_value
   in
-  out
+  let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
+    Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8)
+  in
+  let _:Prims.unit = Lib.Sequence.eq_intro #u8 #32 (Seq.slice to_hash 0 32) decrypted in
+  let to_hash:t_Array u8 (sz 64) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
+      ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
+        <:
+        Core.Ops.Range.t_RangeFrom usize)
+      (Core.Slice.impl__copy_from_slice #u8
+          (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
+              <:
+              Core.Ops.Range.t_RangeFrom usize ]
+            <:
+            t_Slice u8)
+          (key_pair.f_public_key.f_public_key_hash <: t_Slice u8)
+        <:
+        t_Slice u8)
+  in
+  let _:Prims.unit =
+    Lib.Sequence.lemma_concat2 32 decrypted 32 key_pair.f_public_key.f_public_key_hash to_hash
+  in
+  let hashed:t_Array u8 (sz 64) =
+    Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
+      #v_K
+      #FStar.Tactics.Typeclasses.solve
+      (to_hash <: t_Slice u8)
+  in
+  let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) =
+    Core.Slice.impl__split_at #u8
+      (hashed <: t_Slice u8)
+      Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
+  in
+  let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8
+    v_IMPLICIT_REJECTION_HASH_INPUT_SIZE =
+    Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+      (key_pair.f_private_key.f_implicit_rejection_value <: t_Slice u8)
+  in
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #u8
+      #32
+      (Seq.slice to_hash 0 32)
+      key_pair.f_private_key.f_implicit_rejection_value
+  in
+  let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
+      ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
+        <:
+        Core.Ops.Range.t_RangeFrom usize)
+      (Core.Slice.impl__copy_from_slice #u8
+          (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
+              <:
+              Core.Ops.Range.t_RangeFrom usize ]
+            <:
+            t_Slice u8)
+          (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+              #(t_Slice u8)
+              #FStar.Tactics.Typeclasses.solve
+              ciphertext
+            <:
+            t_Slice u8)
+        <:
+        t_Slice u8)
+  in
+  let _:Prims.unit =
+    Lib.Sequence.lemma_concat2 32
+      key_pair.f_private_key.f_implicit_rejection_value
+      (v (Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K))
+      ciphertext.f_value
+      to_hash
+  in
+  let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) =
+    Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher
+      #v_K
+      #FStar.Tactics.Typeclasses.solve
+      (sz 32)
+      (to_hash <: t_Slice u8)
+  in
+  let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
+    Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
+      v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+      v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
+      key_pair.f_public_key.f_ind_cpa_public_key decrypted pseudorandomness
+  in
+  let selector:u8 =
+    Libcrux_ml_kem.Constant_time_ops.compare_ciphertexts_in_constant_time (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext
+            v_CIPHERTEXT_SIZE)
+          #(t_Slice u8)
+          #FStar.Tactics.Typeclasses.solve
+          ciphertext
+        <:
+        t_Slice u8)
+      (expected_ciphertext <: t_Slice u8)
+  in
+  Libcrux_ml_kem.Constant_time_ops.select_shared_secret_in_constant_time shared_secret
+    (implicit_rejection_shared_secret <: t_Slice u8)
+    selector
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti
index a42619356..a6eb033b1 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -31,78 +31,6 @@ type t_MlKemPublicKeyUnpacked
   f_public_key_hash:t_Array u8 (sz 32)
 }
 
-/// Get the serialized public key.
-val impl__serialized
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val impl__serialized_mut
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_1
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-    : Core.Default.t_Default (t_MlKemPublicKeyUnpacked v_K v_Vector) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKeyUnpacked v_K v_Vector) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      {
-        f_ind_cpa_public_key
-        =
-        Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K
-              v_Vector)
-          #FStar.Tactics.Typeclasses.solve
-          ();
-        f_public_key_hash = Rust_primitives.Hax.repeat 0uy (sz 32)
-      }
-      <:
-      t_MlKemPublicKeyUnpacked v_K v_Vector
-  }
-
-val encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
-          usize)
-      (#v_Vector #v_Hasher: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Generate an unpacked key from a serialized key.
-val unpack_public_key
-      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (#v_Hasher #v_Vector: Type0)
-      {| i2: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
-    : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
 /// An unpacked ML-KEM KeyPair
 type t_MlKemKeyPairUnpacked
   (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -112,124 +40,293 @@ type t_MlKemKeyPairUnpacked
 }
 
 /// Get the serialized public key.
-val impl_2__private_key
+val impl_4__private_key
       (v_K: usize)
       (#v_Vector: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self: t_MlKemKeyPairUnpacked v_K v_Vector)
     : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val impl_2__public_key
+val impl_4__public_key
       (v_K: usize)
       (#v_Vector: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self: t_MlKemKeyPairUnpacked v_K v_Vector)
     : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val impl_2__serialized_private_key_mut
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2
       (v_K: usize)
       (#v_Vector: Type0)
-      (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
-          usize)
+      {| i1: Core.Clone.t_Clone v_Vector |}
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+    : Core.Clone.t_Clone (t_MlKemPublicKeyUnpacked v_K v_Vector)
+
+val transpose_a
+      (v_K: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (ind_cpa_a:
+          t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
+    : Prims.Pure
+      (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
       Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array
+            (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+            result
+          in
+          forall (i: nat).
+            i < v v_K ==>
+            (forall (j: nat).
+                j < v v_K ==>
+                Seq.index (Seq.index result i) j == Seq.index (Seq.index ind_cpa_a j) i))
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl
+      (v_K: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    : Core.Default.t_Default (t_MlKemPublicKeyUnpacked v_K v_Vector)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1
+      (v_K: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    : Core.Default.t_Default (t_MlKemKeyPairUnpacked v_K v_Vector)
+
+/// Create a new empty unpacked key pair.
+val impl_4__new:
+    v_K: usize ->
+    #v_Vector: Type0 ->
+    {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
+    Prims.unit
+  -> Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Take a serialized private key and generate an unpacked key pair from it.
+val keys_from_private_key
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+          usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+      (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
+    : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
       (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val impl_2__serialized_private_key
+/// Take a serialized private key and generate an unpacked key pair from it.
+val impl_4__from_private_key
       (v_K: usize)
       (#v_Vector: Type0)
-      (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
+      (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
           usize)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
-      Prims.l_True
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+    : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
       (fun _ -> Prims.l_True)
 
+/// Generate an unpacked key from a serialized key.
+val unpack_public_key
+      (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#v_Hasher #v_Vector: Type0)
+      {| i2: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
+    : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+      (ensures
+        fun unpacked_public_key_future ->
+          let unpacked_public_key_future:t_MlKemPublicKeyUnpacked v_K v_Vector =
+            unpacked_public_key_future
+          in
+          let public_key_hash, (seed, (deserialized_pk, (matrix_A, valid))) =
+            Spec.MLKEM.ind_cca_unpack_public_key v_K public_key.f_value
+          in
+          (valid ==>
+            Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K
+              #v_Vector
+              unpacked_public_key_future.f_ind_cpa_public_key.f_A ==
+            matrix_A) /\
+          Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+            #v_Vector
+            unpacked_public_key_future.f_ind_cpa_public_key.f_t_as_ntt ==
+          deserialized_pk /\ unpacked_public_key_future.f_ind_cpa_public_key.f_seed_for_A == seed /\
+          unpacked_public_key_future.f_public_key_hash == public_key_hash)
+
+val encapsulate
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+          usize)
+      (#v_Vector #v_Hasher: Type0)
+      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+      (ensures
+        fun temp_0_ ->
+          let ciphertext_result, shared_secret_array:(Libcrux_ml_kem.Types.t_MlKemCiphertext
+            v_CIPHERTEXT_SIZE &
+            t_Array u8 (sz 32)) =
+            temp_0_
+          in
+          let ciphertext, shared_secret =
+            Spec.MLKEM.ind_cca_unpack_encapsulate v_K
+              public_key.f_public_key_hash
+              (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+                  #v_Vector
+                  public_key.f_ind_cpa_public_key.f_t_as_ntt)
+              (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K
+                  #v_Vector
+                  public_key.f_ind_cpa_public_key.f_A)
+              randomness
+          in
+          ciphertext_result.f_value == ciphertext /\ shared_secret_array == shared_secret)
+
 /// Get the serialized public key.
-val impl_2__serialized_public_key
+val impl_3__serialized_mut
       (v_K: usize)
       (#v_Vector: Type0)
       (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        (forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index self
+                    .f_ind_cpa_public_key
+                    .f_t_as_ntt
+                  i)))
+      (ensures
+        fun serialized_future ->
+          let serialized_future:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE =
+            serialized_future
+          in
+          serialized_future.f_value ==
+          Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+                (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+                    #v_Vector
+                    self.f_ind_cpa_public_key.f_t_as_ntt))
+            self.f_ind_cpa_public_key.f_seed_for_A)
 
 /// Get the serialized public key.
-val impl_2__serialized_public_key_mut
+val impl_4__serialized_public_key_mut
       (v_K: usize)
       (#v_Vector: Type0)
       (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self: t_MlKemKeyPairUnpacked v_K v_Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        (forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index self.f_public_key
+                    .f_ind_cpa_public_key
+                    .f_t_as_ntt
+                  i)))
+      (ensures
+        fun serialized_future ->
+          let serialized_future:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE =
+            serialized_future
+          in
+          serialized_future.f_value ==
+          Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+                (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+                    #v_Vector
+                    self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt))
+            self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)
 
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_3
+/// Get the serialized public key.
+val impl_3__serialized
       (v_K: usize)
       (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-    : Core.Default.t_Default (t_MlKemKeyPairUnpacked v_K v_Vector) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemKeyPairUnpacked v_K v_Vector) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      {
-        f_private_key
-        =
-        {
-          f_ind_cpa_private_key
-          =
-          Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K
-                v_Vector)
-            #FStar.Tactics.Typeclasses.solve
-            ();
-          f_implicit_rejection_value = Rust_primitives.Hax.repeat 0uy (sz 32)
-        }
-        <:
-        t_MlKemPrivateKeyUnpacked v_K v_Vector;
-        f_public_key
-        =
-        Core.Default.f_default #(t_MlKemPublicKeyUnpacked v_K v_Vector)
-          #FStar.Tactics.Typeclasses.solve
-          ()
-      }
-      <:
-      t_MlKemKeyPairUnpacked v_K v_Vector
-  }
-
-/// Create a new empty unpacked key pair.
-val impl_2__new:
-    v_K: usize ->
-    #v_Vector: Type0 ->
-    {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
-    Prims.unit
-  -> Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        (forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index self
+                    .f_ind_cpa_public_key
+                    .f_t_as_ntt
+                  i)))
+      (ensures
+        fun res ->
+          let res:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = res in
+          res.f_value ==
+          Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+                (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+                    #v_Vector
+                    self.f_ind_cpa_public_key.f_t_as_ntt))
+            self.f_ind_cpa_public_key.f_seed_for_A)
 
-val decapsulate
-      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
-          usize)
-      (#v_Vector #v_Hasher: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
-      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Get the serialized public key.
+val impl_4__serialized_public_key
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        (forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index self.f_public_key
+                    .f_ind_cpa_public_key
+                    .f_t_as_ntt
+                  i)))
+      (ensures
+        fun res ->
+          let res:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = res in
+          res.f_value ==
+          Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+                (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+                    #v_Vector
+                    self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt))
+            self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)
 
 /// Generate Unpacked Keys
 val generate_keypair
@@ -241,24 +338,92 @@ val generate_keypair
       {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
       (randomness: t_Array u8 (sz 64))
       (out: t_MlKemKeyPairUnpacked v_K v_Vector)
-    : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+      (ensures
+        fun out_future ->
+          let out_future:t_MlKemKeyPairUnpacked v_K v_Vector = out_future in
+          let ((m_A, public_key_hash), implicit_rejection_value), valid =
+            Spec.MLKEM.ind_cca_unpack_generate_keypair v_K randomness
+          in
+          valid ==>
+          Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K
+            #v_Vector
+            out_future.f_public_key.f_ind_cpa_public_key.f_A ==
+          m_A /\ out_future.f_public_key.f_public_key_hash == public_key_hash /\
+          out_future.f_private_key.f_implicit_rejection_value == implicit_rejection_value)
 
-/// Take a serialized private key and generate an unpacked key pair from it.
-val keys_from_private_key
-      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
-          usize)
+/// Get the serialized private key.
+val impl_4__serialized_private_key_mut
+      (v_K: usize)
       (#v_Vector: Type0)
+      (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
+          usize)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-      (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
-    : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K)
+      (fun _ -> Prims.l_True)
 
-/// Take a serialized private key and generate an unpacked key pair from it.
-val impl_2__from_private_key
+/// Get the serialized private key.
+val impl_4__serialized_private_key
       (v_K: usize)
       (#v_Vector: Type0)
-      (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+      (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
           usize)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K)
+      (fun _ -> Prims.l_True)
+
+val decapsulate
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (#v_Vector #v_Hasher: Type0)
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-    : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result ==
+          Spec.MLKEM.ind_cca_unpack_decapsulate v_K
+            key_pair.f_public_key.f_public_key_hash
+            key_pair.f_private_key.f_implicit_rejection_value
+            ciphertext.f_value
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+                #v_Vector
+                key_pair.f_private_key.f_ind_cpa_private_key.f_secret_as_ntt)
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+                #v_Vector
+                key_pair.f_public_key.f_ind_cpa_public_key.f_t_as_ntt)
+            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K
+                #v_Vector
+                key_pair.f_public_key.f_ind_cpa_public_key.f_A))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
index e71864a5e..a6ffee609 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -12,6 +12,57 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+#push-options "--z3rlimit 300"
+
+let validate_private_key_only
+      (v_K v_SECRET_KEY_SIZE: usize)
+      (#v_Hasher: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+     =
+  let t:t_Array u8 (sz 32) =
+    Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
+      #v_K
+      #FStar.Tactics.Typeclasses.solve
+      (private_key.Libcrux_ml_kem.Types.f_value.[ {
+            Core.Ops.Range.f_start = sz 384 *! v_K <: usize;
+            Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize
+          }
+          <:
+          Core.Ops.Range.t_Range usize ]
+        <:
+        t_Slice u8)
+  in
+  let expected:t_Slice u8 =
+    private_key.Libcrux_ml_kem.Types.f_value.[ {
+        Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize;
+        Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize
+      }
+      <:
+      Core.Ops.Range.t_Range usize ]
+  in
+  t =. expected
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let validate_private_key
+      (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
+      (#v_Hasher: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+      (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+     = validate_private_key_only v_K v_SECRET_KEY_SIZE #v_Hasher private_key
+
+#pop-options
+
+#push-options "--z3rlimit 150"
+
 let serialize_kem_secret_key_mut
       (v_K v_SERIALIZED_KEY_LEN: usize)
       (#v_Hasher: Type0)
@@ -122,8 +173,46 @@ let serialize_kem_secret_key_mut
         <:
         t_Slice u8)
   in
+  let _:Prims.unit =
+    let open Spec.Utils in
+    assert ((Seq.slice serialized 0 (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K)))
+        `Seq.equal`
+        private_key);
+    assert ((Seq.slice serialized
+            (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K))
+            (v #usize_inttype
+                (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)))
+        `Seq.equal`
+        public_key);
+    assert ((Seq.slice serialized
+            (v #usize_inttype
+                (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K))
+            (v #usize_inttype
+                (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +!
+                  Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)))
+        `Seq.equal`
+        (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K public_key));
+    assert (Seq.slice serialized
+          (v #usize_inttype
+              (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +!
+                Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE))
+          (v #usize_inttype
+              (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +!
+                Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE +!
+                Spec.MLKEM.v_SHARED_SECRET_SIZE)) ==
+        implicit_rejection_value);
+    lemma_slice_append_4 serialized
+      private_key
+      public_key
+      (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K public_key)
+      implicit_rejection_value
+  in
   serialized
 
+#pop-options
+
+#push-options "--z3rlimit 150"
+
 let serialize_kem_secret_key
       (v_K v_SERIALIZED_KEY_LEN: usize)
       (#v_Hasher: Type0)
@@ -144,6 +233,99 @@ let serialize_kem_secret_key
   in
   out
 
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let encapsulate
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+          usize)
+      (#v_Vector #v_Hasher #v_Scheme: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i4:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+      (randomness: t_Array u8 (sz 32))
+     =
+  let randomness:t_Array u8 (sz 32) =
+    Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme
+      #FStar.Tactics.Typeclasses.solve
+      v_K
+      #v_Hasher
+      (randomness <: t_Slice u8)
+  in
+  let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
+    Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8)
+  in
+  let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in
+  let to_hash:t_Array u8 (sz 64) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
+      ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
+        <:
+        Core.Ops.Range.t_RangeFrom usize)
+      (Core.Slice.impl__copy_from_slice #u8
+          (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
+              <:
+              Core.Ops.Range.t_RangeFrom usize ]
+            <:
+            t_Slice u8)
+          (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
+              #v_K
+              #FStar.Tactics.Typeclasses.solve
+              (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8)
+            <:
+            t_Slice u8)
+        <:
+        t_Slice u8)
+  in
+  let _:Prims.unit =
+    assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness);
+    lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value);
+    assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value))
+  in
+  let hashed:t_Array u8 (sz 64) =
+    Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
+      #v_K
+      #FStar.Tactics.Typeclasses.solve
+      (to_hash <: t_Slice u8)
+  in
+  let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) =
+    Core.Slice.impl__split_at #u8
+      (hashed <: t_Slice u8)
+      Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
+  in
+  let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
+    Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
+      v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+      v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
+      (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness
+      pseudorandomness
+  in
+  let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE =
+    Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+      #(t_Array u8 v_CIPHERTEXT_SIZE)
+      #FStar.Tactics.Typeclasses.solve
+      ciphertext
+  in
+  let shared_secret_array:t_Array u8 (sz 32) =
+    Libcrux_ml_kem.Variant.f_kdf #v_Scheme
+      #FStar.Tactics.Typeclasses.solve
+      v_K
+      v_CIPHERTEXT_SIZE
+      #v_Hasher
+      shared_secret
+      ciphertext
+  in
+  ciphertext, shared_secret_array
+  <:
+  (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+
+#pop-options
+
 let validate_public_key
       (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
       (#v_Vector: Type0)
@@ -153,8 +335,7 @@ let validate_public_key
       (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
      =
   let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-    Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_PUBLIC_KEY_SIZE
-      v_K
+    Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_K
       #v_Vector
       (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT }
           <:
@@ -176,46 +357,70 @@ let validate_public_key
   in
   public_key =. public_key_serialized
 
-let validate_private_key_only
-      (v_K v_SECRET_KEY_SIZE: usize)
-      (#v_Hasher: Type0)
+#push-options "--z3rlimit 300"
+
+let generate_keypair
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+          usize)
+      (#v_Vector #v_Hasher #v_Scheme: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
+          i3:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i4:
           Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
+      (randomness: t_Array u8 (sz 64))
      =
-  let t:t_Array u8 (sz 32) =
-    Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
-      #v_K
-      #FStar.Tactics.Typeclasses.solve
-      (private_key.Libcrux_ml_kem.Types.f_value.[ {
-            Core.Ops.Range.f_start = sz 384 *! v_K <: usize;
-            Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize
-          }
-          <:
-          Core.Ops.Range.t_Range usize ]
-        <:
-        t_Slice u8)
-  in
-  let expected:t_Slice u8 =
-    private_key.Libcrux_ml_kem.Types.f_value.[ {
-        Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize;
-        Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize
+  let ind_cpa_keypair_randomness:t_Slice u8 =
+    randomness.[ {
+        Core.Ops.Range.f_start = sz 0;
+        Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
       }
       <:
       Core.Ops.Range.t_Range usize ]
   in
-  t =. expected
+  let implicit_rejection_value:t_Slice u8 =
+    randomness.[ {
+        Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
+      }
+      <:
+      Core.Ops.Range.t_RangeFrom usize ]
+  in
+  let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE &
+    t_Array u8 v_PUBLIC_KEY_SIZE) =
+    Libcrux_ml_kem.Ind_cpa.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
+      v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher #v_Scheme
+      ind_cpa_keypair_randomness
+  in
+  let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE =
+    serialize_kem_secret_key v_K
+      v_PRIVATE_KEY_SIZE
+      #v_Hasher
+      (ind_cpa_private_key <: t_Slice u8)
+      (public_key <: t_Slice u8)
+      implicit_rejection_value
+  in
+  let (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE):Libcrux_ml_kem.Types.t_MlKemPrivateKey
+  v_PRIVATE_KEY_SIZE =
+    Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+      #(t_Array u8 v_PRIVATE_KEY_SIZE)
+      #FStar.Tactics.Typeclasses.solve
+      secret_key_serialized
+  in
+  Libcrux_ml_kem.Types.impl_21__from v_PRIVATE_KEY_SIZE
+    v_PUBLIC_KEY_SIZE
+    private_key
+    (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+        #(t_Array u8 v_PUBLIC_KEY_SIZE)
+        #FStar.Tactics.Typeclasses.solve
+        public_key
+      <:
+      Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
 
-let validate_private_key
-      (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
-      (#v_Hasher: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-      (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-     = validate_private_key_only v_K v_SECRET_KEY_SIZE #v_Hasher private_key
+#pop-options
+
+#push-options "--z3rlimit 500"
 
 let decapsulate
       (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
@@ -231,6 +436,10 @@ let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
      =
+  let _:Prims.unit =
+    assert (v v_CIPHERTEXT_SIZE ==
+        v v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE)
+  in
   let ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice
     u8 &
     t_Slice u8 &
@@ -240,6 +449,20 @@ let decapsulate
       v_PUBLIC_KEY_SIZE
       (private_key.Libcrux_ml_kem.Types.f_value <: t_Slice u8)
   in
+  let _:Prims.unit =
+    assert (ind_cpa_secret_key == slice private_key.f_value (sz 0) v_CPA_SECRET_KEY_SIZE);
+    assert (ind_cpa_public_key ==
+        slice private_key.f_value v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE)
+      );
+    assert (ind_cpa_public_key_hash ==
+        slice private_key.f_value
+          (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE)
+          (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE));
+    assert (implicit_rejection_value ==
+        slice private_key.f_value
+          (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)
+          (length private_key.f_value))
+  in
   let decrypted:t_Array u8 (sz 32) =
     Libcrux_ml_kem.Ind_cpa.decrypt v_K
       v_CIPHERTEXT_SIZE
@@ -253,6 +476,7 @@ let decapsulate
   let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
     Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8)
   in
+  let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) decrypted in
   let to_hash:t_Array u8 (sz 64) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
       ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
@@ -268,6 +492,11 @@ let decapsulate
         <:
         t_Slice u8)
   in
+  let _:Prims.unit =
+    lemma_slice_append to_hash decrypted ind_cpa_public_key_hash;
+    assert (decrypted == Spec.MLKEM.ind_cpa_decrypt v_K ind_cpa_secret_key ciphertext.f_value);
+    assert (to_hash == concat decrypted ind_cpa_public_key_hash)
+  in
   let hashed:t_Array u8 (sz 64) =
     Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
       #v_K
@@ -279,11 +508,21 @@ let decapsulate
       (hashed <: t_Slice u8)
       Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
   in
+  let _:Prims.unit =
+    assert ((shared_secret, pseudorandomness) ==
+        split hashed Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE);
+    assert (length implicit_rejection_value =
+        v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -!
+        Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE);
+    assert (length implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE);
+    assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+  in
   let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8
     v_IMPLICIT_REJECTION_HASH_INPUT_SIZE =
     Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
       implicit_rejection_value
   in
+  let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) implicit_rejection_value in
   let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
       ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE }
@@ -304,6 +543,12 @@ let decapsulate
         <:
         t_Slice u8)
   in
+  let _:Prims.unit =
+    assert_norm (pow2 32 == 0x100000000);
+    assert (v (sz 32) < pow2 32);
+    assert (i4.f_PRF_pre (sz 32) to_hash);
+    lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value
+  in
   let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) =
     Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher
       #v_K
@@ -311,6 +556,10 @@ let decapsulate
       (sz 32)
       (to_hash <: t_Slice u8)
   in
+  let _:Prims.unit =
+    assert (implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) to_hash);
+    assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE)
+  in
   let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
     Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
       v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
@@ -346,142 +595,4 @@ let decapsulate
     (shared_secret <: t_Slice u8)
     (implicit_rejection_shared_secret <: t_Slice u8)
 
-let encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
-          usize)
-      (#v_Vector #v_Hasher #v_Scheme: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      (randomness: t_Array u8 (sz 32))
-     =
-  let randomness:t_Array u8 (sz 32) =
-    Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme
-      #FStar.Tactics.Typeclasses.solve
-      v_K
-      #v_Hasher
-      (randomness <: t_Slice u8)
-  in
-  let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
-    Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8)
-  in
-  let to_hash:t_Array u8 (sz 64) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
-      ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
-        <:
-        Core.Ops.Range.t_RangeFrom usize)
-      (Core.Slice.impl__copy_from_slice #u8
-          (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
-              <:
-              Core.Ops.Range.t_RangeFrom usize ]
-            <:
-            t_Slice u8)
-          (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
-              #v_K
-              #FStar.Tactics.Typeclasses.solve
-              (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8)
-            <:
-            t_Slice u8)
-        <:
-        t_Slice u8)
-  in
-  let hashed:t_Array u8 (sz 64) =
-    Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
-      #v_K
-      #FStar.Tactics.Typeclasses.solve
-      (to_hash <: t_Slice u8)
-  in
-  let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) =
-    Core.Slice.impl__split_at #u8
-      (hashed <: t_Slice u8)
-      Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
-  in
-  let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
-    Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
-      v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1
-      v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
-      (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness
-      pseudorandomness
-  in
-  let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE =
-    Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-      #(t_Array u8 v_CIPHERTEXT_SIZE)
-      #FStar.Tactics.Typeclasses.solve
-      ciphertext
-  in
-  let shared_secret_array:t_Array u8 (sz 32) =
-    Libcrux_ml_kem.Variant.f_kdf #v_Scheme
-      #FStar.Tactics.Typeclasses.solve
-      v_K
-      v_CIPHERTEXT_SIZE
-      #v_Hasher
-      shared_secret
-      ciphertext
-  in
-  ciphertext, shared_secret_array
-  <:
-  (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-
-let generate_keypair
-      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
-          usize)
-      (#v_Vector #v_Hasher #v_Scheme: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
-      (randomness: t_Array u8 (sz 64))
-     =
-  let ind_cpa_keypair_randomness:t_Slice u8 =
-    randomness.[ {
-        Core.Ops.Range.f_start = sz 0;
-        Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
-      }
-      <:
-      Core.Ops.Range.t_Range usize ]
-  in
-  let implicit_rejection_value:t_Slice u8 =
-    randomness.[ {
-        Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
-      }
-      <:
-      Core.Ops.Range.t_RangeFrom usize ]
-  in
-  let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE &
-    t_Array u8 v_PUBLIC_KEY_SIZE) =
-    Libcrux_ml_kem.Ind_cpa.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
-      v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher #v_Scheme
-      ind_cpa_keypair_randomness
-  in
-  let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE =
-    serialize_kem_secret_key v_K
-      v_PRIVATE_KEY_SIZE
-      #v_Hasher
-      (ind_cpa_private_key <: t_Slice u8)
-      (public_key <: t_Slice u8)
-      implicit_rejection_value
-  in
-  let (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE):Libcrux_ml_kem.Types.t_MlKemPrivateKey
-  v_PRIVATE_KEY_SIZE =
-    Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
-      #(t_Array u8 v_PRIVATE_KEY_SIZE)
-      #FStar.Tactics.Typeclasses.solve
-      secret_key_serialized
-  in
-  Libcrux_ml_kem.Types.impl__from v_PRIVATE_KEY_SIZE
-    v_PUBLIC_KEY_SIZE
-    private_key
-    (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-        #(t_Array u8 v_PUBLIC_KEY_SIZE)
-        #FStar.Tactics.Typeclasses.solve
-        public_key
-      <:
-      Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti
index 4f561be5f..057295e89 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cca
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -20,34 +20,6 @@ let v_KEY_GENERATION_SEED_SIZE: usize =
   Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +!
   Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
 
-/// Serialize the secret key.
-val serialize_kem_secret_key_mut
-      (v_K v_SERIALIZED_KEY_LEN: usize)
-      (#v_Hasher: Type0)
-      {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      (private_key public_key implicit_rejection_value: t_Slice u8)
-      (serialized: t_Array u8 v_SERIALIZED_KEY_LEN)
-    : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Serialize the secret key.
-val serialize_kem_secret_key
-      (v_K v_SERIALIZED_KEY_LEN: usize)
-      (#v_Hasher: Type0)
-      {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      (private_key public_key implicit_rejection_value: t_Slice u8)
-    : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Validate an ML-KEM public key.
-/// This implements the Modulus check in 7.2 2.
-/// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the
-/// `public_key` type.
-val validate_public_key
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Validate an ML-KEM private key.
 /// This implements the Hash check in 7.3 3.
 val validate_private_key_only
@@ -55,7 +27,10 @@ val validate_private_key_only
       (#v_Hasher: Type0)
       {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure bool
+      (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K
+      )
+      (fun _ -> Prims.l_True)
 
 /// Validate an ML-KEM private key.
 /// This implements the Hash check in 7.3 3.
@@ -67,21 +42,54 @@ val validate_private_key
       {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
       (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+      (fun _ -> Prims.l_True)
 
-val decapsulate
-      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
-          usize)
-      (#v_Vector #v_Hasher #v_Scheme: Type0)
-      {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
-      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
-      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Serialize the secret key.
+val serialize_kem_secret_key_mut
+      (v_K v_SERIALIZED_KEY_LEN: usize)
+      (#v_Hasher: Type0)
+      {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      (private_key public_key implicit_rejection_value: t_Slice u8)
+      (serialized: t_Array u8 v_SERIALIZED_KEY_LEN)
+    : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        Core.Slice.impl__len #u8 private_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        Core.Slice.impl__len #u8 public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        Core.Slice.impl__len #u8 implicit_rejection_value == Spec.MLKEM.v_SHARED_SECRET_SIZE)
+      (ensures
+        fun serialized_future ->
+          let serialized_future:t_Array u8 v_SERIALIZED_KEY_LEN = serialized_future in
+          serialized_future ==
+          Seq.append private_key
+            (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value)
+            ))
+
+val serialize_kem_secret_key
+      (v_K v_SERIALIZED_KEY_LEN: usize)
+      (#v_Hasher: Type0)
+      {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      (private_key public_key implicit_rejection_value: t_Slice u8)
+    : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        Core.Slice.impl__len #u8 private_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        Core.Slice.impl__len #u8 public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        Core.Slice.impl__len #u8 implicit_rejection_value == Spec.MLKEM.v_SHARED_SECRET_SIZE)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_SERIALIZED_KEY_LEN = result in
+          result ==
+          Seq.append private_key
+            (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value)
+            ))
 
 val encapsulate
-      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+      (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
       (#v_Vector #v_Hasher #v_Scheme: Type0)
       {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -90,7 +98,40 @@ val encapsulate
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-      Prims.l_True
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
+      (ensures
+        fun result ->
+          let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+          =
+            result
+          in
+          let expected, valid = Spec.MLKEM.ind_cca_encapsulate v_K public_key.f_value randomness in
+          valid ==> (result._1.f_value, result._2) == expected)
+
+/// Validate an ML-KEM public key.
+/// This implements the Modulus check in 7.2 2.
+/// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the
+/// `public_key` type.
+val validate_public_key
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+    : Prims.Pure bool
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
       (fun _ -> Prims.l_True)
 
 /// Packed API
@@ -98,7 +139,7 @@ val encapsulate
 /// Depending on the `Vector` and `Hasher` used, this requires different hardware
 /// features
 val generate_keypair
-      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+      (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
       (#v_Vector #v_Hasher #v_Scheme: Type0)
       {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -106,5 +147,50 @@ val generate_keypair
       {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
       (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE =
+            result
+          in
+          let expected, valid = Spec.MLKEM.ind_cca_generate_keypair v_K randomness in
+          valid ==> (result.f_sk.f_value, result.f_pk.f_value) == expected)
+
+/// This code verifies on some machines, runs out of memory on others
+val decapsulate
+      (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+          usize)
+      (#v_Vector #v_Hasher #v_Scheme: Type0)
+      {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
+      (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+      (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+        v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          let expected, valid =
+            Spec.MLKEM.ind_cca_decapsulate v_K private_key.f_value ciphertext.f_value
+          in
+          valid ==> result == expected)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fst
new file mode 100644
index 000000000..1f6cee7c2
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fst
@@ -0,0 +1,92 @@
+module Libcrux_ml_kem.Ind_cpa.Unpacked
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_kem.Vector.Traits in
+  ()
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2':
+    v_K: usize ->
+    #v_Vector: Type0 ->
+    {| i1: Core.Clone.t_Clone v_Vector |} ->
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+  -> Core.Clone.t_Clone (t_IndCpaPublicKeyUnpacked v_K v_Vector)
+
+let impl_2
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_Vector)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+     = impl_2' v_K #v_Vector #i1 #i2
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+    : Core.Default.t_Default (t_IndCpaPrivateKeyUnpacked v_K v_Vector) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_IndCpaPrivateKeyUnpacked v_K v_Vector) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      {
+        f_secret_as_ntt
+        =
+        Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+            <:
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          v_K
+      }
+      <:
+      t_IndCpaPrivateKeyUnpacked v_K v_Vector
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_1
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+    : Core.Default.t_Default (t_IndCpaPublicKeyUnpacked v_K v_Vector) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_IndCpaPublicKeyUnpacked v_K v_Vector) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      {
+        f_t_as_ntt
+        =
+        Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+            <:
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          v_K;
+        f_seed_for_A = Rust_primitives.Hax.repeat 0uy (sz 32);
+        f_A
+        =
+        Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO
+                  #v_Vector
+                  ()
+                <:
+                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+              v_K
+            <:
+            t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+          v_K
+      }
+      <:
+      t_IndCpaPublicKeyUnpacked v_K v_Vector
+  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti
index 11603e5ef..1f7036f4f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cpa.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -14,32 +14,6 @@ type t_IndCpaPrivateKeyUnpacked
   (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
   = { f_secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K }
 
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-    : Core.Default.t_Default (t_IndCpaPrivateKeyUnpacked v_K v_Vector) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_IndCpaPrivateKeyUnpacked v_K v_Vector) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      {
-        f_secret_as_ntt
-        =
-        Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-            <:
-            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-          v_K
-      }
-      <:
-      t_IndCpaPrivateKeyUnpacked v_K v_Vector
-  }
-
 /// An unpacked ML-KEM IND-CPA Private Key
 type t_IndCpaPublicKeyUnpacked
   (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -50,39 +24,23 @@ type t_IndCpaPublicKeyUnpacked
 }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_1
+val impl_2
+      (v_K: usize)
+      (#v_Vector: Type0)
+      {| i1: Core.Clone.t_Clone v_Vector |}
+      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    : Core.Clone.t_Clone (t_IndCpaPublicKeyUnpacked v_K v_Vector)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl
+      (v_K: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    : Core.Default.t_Default (t_IndCpaPrivateKeyUnpacked v_K v_Vector)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1
       (v_K: usize)
       (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-    : Core.Default.t_Default (t_IndCpaPublicKeyUnpacked v_K v_Vector) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_IndCpaPublicKeyUnpacked v_K v_Vector) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      {
-        f_t_as_ntt
-        =
-        Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-            <:
-            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-          v_K;
-        f_seed_for_A = Rust_primitives.Hax.repeat 0uy (sz 32);
-        f_A
-        =
-        Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO
-                  #v_Vector
-                  ()
-                <:
-                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-              v_K
-            <:
-            t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-          v_K
-      }
-      <:
-      t_IndCpaPublicKeyUnpacked v_K v_Vector
-  }
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    : Core.Default.t_Default (t_IndCpaPublicKeyUnpacked v_K v_Vector)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
index 0884e48e4..ffe998283 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cpa
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -12,6 +12,296 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+#push-options "--z3rlimit 800 --ext context_pruning"
+
+let deserialize_secret_key
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (secret_key: t_Slice u8)
+     =
+  let _:Prims.unit = assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial) in
+  let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+    Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      v_K
+      (fun temp_0_ ->
+          let _:usize = temp_0_ in
+          Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+          <:
+          Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+  in
+  let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
+      secret_key
+      (fun secret_as_ntt i ->
+          let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
+          =
+            secret_as_ntt
+          in
+          let i:usize = i in
+          forall (j: nat).
+            j < v i ==>
+            j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT +
+            v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <=
+            v (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K) /\
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index secret_as_ntt j) ==
+            Spec.MLKEM.byte_decode 12
+              (Seq.slice secret_key
+                  (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+                  (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT +
+                    v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)))
+      secret_as_ntt
+      (fun secret_as_ntt temp_1_ ->
+          let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
+          =
+            secret_as_ntt
+          in
+          let i, secret_bytes:(usize & t_Slice u8) = temp_1_ in
+          let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
+          =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize secret_as_ntt
+              i
+              (Libcrux_ml_kem.Serialize.deserialize_to_uncompressed_ring_element #v_Vector
+                  secret_bytes
+                <:
+                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          in
+          secret_as_ntt)
+  in
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #Spec.MLKEM.polynomial
+      #(v v_K)
+      (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_as_ntt)
+      (Spec.MLKEM.vector_decode_12 #v_K secret_key)
+  in
+  secret_as_ntt
+
+#pop-options
+
+let build_unpacked_public_key_mut
+      (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
+      (#v_Vector #v_Hasher: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (public_key: t_Slice u8)
+      (unpacked_public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+     =
+  let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+    {
+      unpacked_public_key with
+      Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+      =
+      Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K
+        #v_Vector
+        (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE }
+            <:
+            Core.Ops.Range.t_RangeTo usize ]
+          <:
+          t_Slice u8)
+        unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+    }
+    <:
+    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+  in
+  let seed:t_Slice u8 =
+    public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE }
+      <:
+      Core.Ops.Range.t_RangeFrom usize ]
+  in
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #u8
+      #32
+      seed
+      (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32)
+  in
+  let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+    {
+      unpacked_public_key with
+      Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+      =
+      Libcrux_ml_kem.Matrix.sample_matrix_A v_K
+        #v_Vector
+        #v_Hasher
+        unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+        (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed <: t_Array u8 (sz 34))
+        false
+    }
+    <:
+    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+  in
+  unpacked_public_key
+
+let build_unpacked_public_key
+      (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
+      (#v_Vector #v_Hasher: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (public_key: t_Slice u8)
+     =
+  let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+    Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+      #FStar.Tactics.Typeclasses.solve
+      ()
+  in
+  let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+    build_unpacked_public_key_mut v_K
+      v_T_AS_NTT_ENCODED_SIZE
+      #v_Vector
+      #v_Hasher
+      public_key
+      unpacked_public_key
+  in
+  unpacked_public_key
+
+#push-options "--z3rlimit 800 --ext context_pruning"
+
+let deserialize_then_decompress_u
+      (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
+     =
+  let _:Prims.unit =
+    assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /!
+            sz 8) ==
+        v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))
+  in
+  let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+    Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      v_K
+      (fun temp_0_ ->
+          let _:usize = temp_0_ in
+          Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+          <:
+          Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+  in
+  let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *!
+          v_U_COMPRESSION_FACTOR
+          <:
+          usize) /!
+        sz 8
+        <:
+        usize)
+      (ciphertext <: t_Slice u8)
+      (fun u_as_ntt i ->
+          let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+            u_as_ntt
+          in
+          let i:usize = i in
+          forall (j: nat).
+            j < v i ==>
+            j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) <=
+            v v_CIPHERTEXT_SIZE /\
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index u_as_ntt j) ==
+            Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v v_U_COMPRESSION_FACTOR)
+                  (Seq.slice ciphertext
+                      (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))
+                      (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)))
+              ))
+      u_as_ntt
+      (fun u_as_ntt temp_1_ ->
+          let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+            u_as_ntt
+          in
+          let i, u_bytes:(usize & t_Slice u8) = temp_1_ in
+          let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt
+              i
+              (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR
+                  #v_Vector
+                  u_bytes
+                <:
+                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          in
+          let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt
+              i
+              (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR
+                  #v_Vector
+                  (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+                <:
+                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          in
+          u_as_ntt)
+  in
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #Spec.MLKEM.polynomial
+      #(v v_K)
+      (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector u_as_ntt)
+      (let open Spec.MLKEM in
+        vector_ntt (decode_then_decompress_u #v_K
+              (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))
+  in
+  u_as_ntt
+
+#pop-options
+
+let sample_ring_element_cbd_helper_1
+      (v_K: usize)
+      (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma 
+        (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\
+          (forall (i: nat). i < v v_K ==>
+            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\
+            Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
+        (ensures prf_inputs == createi v_K
+          (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    let lemma_aux (i: nat{i < v v_K}) : Lemma
+        (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1
+          (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) =
+      Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ]
+        (Seq.append (Seq.slice prf_input 0 32)
+          (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i))))
+    in
+    Classical.forall_intro lemma_aux;
+    Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
+      (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+        (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+
+let sample_ring_element_cbd_helper_2
+      (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (error_1: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma
+        (requires Spec.MLKEM.is_rank v_K /\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+          v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+          v domain_separator < 2 * v v_K /\ 
+          (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA2_RANDOMNESS_SIZE
+            (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+              (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in 
+          forall (i: nat). i < v v_K ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1.[ sz i ] ==
+            Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz i ]))
+        (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1 ==
+          (Spec.MLKEM.sample_vector_cbd2 #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
+    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1) 
+    (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))
+
+#push-options "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"
+
 let sample_ring_element_cbd
       (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize)
       (#v_Vector #v_Hasher: Type0)
@@ -29,35 +319,19 @@ let sample_ring_element_cbd
       v_K
       (fun v__i ->
           let v__i:usize = v__i in
-          Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
+          Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
           <:
           Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
   in
   let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in
-  let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      v_K
-      (fun temp_0_ temp_1_ ->
-          let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in
-          let _:usize = temp_1_ in
-          true)
-      (domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K))
-      (fun temp_0_ i ->
-          let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in
-          let i:usize = i in
-          let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_inputs
-              i
-              (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (prf_inputs.[ i ]
-                    <:
-                    t_Array u8 (sz 33))
-                  (sz 32)
-                  domain_separator
-                <:
-                t_Array u8 (sz 33))
-          in
-          let domain_separator:u8 = domain_separator +! 1uy in
-          domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K))
+  let v__domain_separator_init:u8 = domain_separator in
+  let tmp0, out:(t_Array (t_Array u8 (sz 33)) v_K & u8) =
+    Libcrux_ml_kem.Utils.prf_input_inc v_K prf_inputs domain_separator
+  in
+  let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = tmp0 in
+  let domain_separator:u8 = out in
+  let _:Prims.unit =
+    sample_ring_element_cbd_helper_1 v_K prf_inputs prf_input v__domain_separator_init
   in
   let (prf_outputs: t_Array (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K):t_Array
     (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K =
@@ -70,32 +344,102 @@ let sample_ring_element_cbd
   let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_K
-      (fun error_1_ temp_1_ ->
+      (fun error_1_ i ->
           let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
             error_1_
           in
-          let _:usize = temp_1_ in
-          true)
+          let i:usize = i in
+          forall (j: nat).
+            j < v i ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1_.[ sz j ] ==
+            Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz j ])
       error_1_
       (fun error_1_ i ->
           let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
             error_1_
           in
           let i:usize = i in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize error_1_
-            i
-            (Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA2
-                #v_Vector
-                (prf_outputs.[ i ] <: t_Slice u8)
-              <:
-              Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-          <:
-          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+          let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize error_1_
+              i
+              (Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA2
+                  #v_Vector
+                  (prf_outputs.[ i ] <: t_Slice u8)
+                <:
+                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          in
+          error_1_)
+  in
+  let _:Prims.unit =
+    sample_ring_element_cbd_helper_2 v_K
+      v_ETA2
+      v_ETA2_RANDOMNESS_SIZE
+      #v_Vector
+      error_1_
+      prf_input
+      v__domain_separator_init
   in
   error_1_, domain_separator
   <:
   (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8)
 
+#pop-options
+
+let sample_vector_cbd_then_ntt_helper_1
+      (v_K: usize)
+      (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma 
+        (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\
+          (forall (i: nat). i < v v_K ==>
+            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\
+            Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
+        (ensures prf_inputs == createi v_K
+          (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    let lemma_aux (i: nat{i < v v_K}) : Lemma
+        (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1
+          (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) =
+      Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ]
+        (Seq.append (Seq.slice prf_input 0 32)
+          (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i))))
+    in
+    Classical.forall_intro lemma_aux;
+    Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
+      (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
+        (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+
+let sample_vector_cbd_then_ntt_helper_2
+      (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (re_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma
+        (requires Spec.MLKEM.is_rank v_K /\ v_ETA == Spec.MLKEM.v_ETA1 v_K /\
+          v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+          v domain_separator < 2 * v v_K /\ 
+          (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA_RANDOMNESS_SIZE
+            (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
+              (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in 
+          forall (i: nat). i < v v_K ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re_as_ntt.[ sz i ] ==
+            Spec.MLKEM.poly_ntt (Spec.MLKEM.sample_poly_cbd v_ETA prf_outputs.[ sz i ])))
+        (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt ==
+          (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    reveal_opaque (`%Spec.MLKEM.sample_vector_cbd_then_ntt) (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K);
+    Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
+      (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt)
+      (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K
+        (Seq.slice prf_input 0 32) (sz (v domain_separator)))
+
+#push-options "--max_fuel 25 --z3rlimit 2500 --ext context_pruning --z3refresh --split_queries always"
+
 let sample_vector_cbd_then_ntt
       (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
       (#v_Vector #v_Hasher: Type0)
@@ -110,30 +454,14 @@ let sample_vector_cbd_then_ntt
       (domain_separator: u8)
      =
   let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in
-  let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      v_K
-      (fun temp_0_ temp_1_ ->
-          let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in
-          let _:usize = temp_1_ in
-          true)
-      (domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K))
-      (fun temp_0_ i ->
-          let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in
-          let i:usize = i in
-          let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_inputs
-              i
-              (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (prf_inputs.[ i ]
-                    <:
-                    t_Array u8 (sz 33))
-                  (sz 32)
-                  domain_separator
-                <:
-                t_Array u8 (sz 33))
-          in
-          let domain_separator:u8 = domain_separator +! 1uy in
-          domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K))
+  let v__domain_separator_init:u8 = domain_separator in
+  let tmp0, out:(t_Array (t_Array u8 (sz 33)) v_K & u8) =
+    Libcrux_ml_kem.Utils.prf_input_inc v_K prf_inputs domain_separator
+  in
+  let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = tmp0 in
+  let domain_separator:u8 = out in
+  let _:Prims.unit =
+    sample_vector_cbd_then_ntt_helper_1 v_K prf_inputs prf_input v__domain_separator_init
   in
   let (prf_outputs: t_Array (t_Array u8 v_ETA_RANDOMNESS_SIZE) v_K):t_Array
     (t_Array u8 v_ETA_RANDOMNESS_SIZE) v_K =
@@ -146,12 +474,16 @@ let sample_vector_cbd_then_ntt
   let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_K
-      (fun re_as_ntt temp_1_ ->
+      (fun re_as_ntt i ->
           let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
             re_as_ntt
           in
-          let _:usize = temp_1_ in
-          true)
+          let i:usize = i in
+          forall (j: nat).
+            j < v i ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re_as_ntt.[ sz j ] ==
+            Spec.MLKEM.poly_ntt (Spec.MLKEM.sample_poly_cbd v_ETA prf_outputs.[ sz j ]) /\
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #v_Vector re_as_ntt.[ sz j ])
       re_as_ntt
       (fun re_as_ntt i ->
           let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
@@ -177,11 +509,22 @@ let sample_vector_cbd_then_ntt
           in
           re_as_ntt)
   in
+  let _:Prims.unit =
+    sample_vector_cbd_then_ntt_helper_2 v_K
+      v_ETA
+      v_ETA_RANDOMNESS_SIZE
+      #v_Vector
+      re_as_ntt
+      prf_input
+      v__domain_separator_init
+  in
   let hax_temp_output:u8 = domain_separator in
   re_as_ntt, hax_temp_output
   <:
   (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8)
 
+#pop-options
+
 let sample_vector_cbd_then_ntt_out
       (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
       (#v_Vector #v_Hasher: Type0)
@@ -199,7 +542,7 @@ let sample_vector_cbd_then_ntt_out
       v_K
       (fun v__i ->
           let v__i:usize = v__i in
-          Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
+          Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
           <:
           Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
   in
@@ -219,368 +562,149 @@ let sample_vector_cbd_then_ntt_out
   <:
   (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8)
 
-let compress_then_serialize_u
-      (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize)
-      (#v_Vector: Type0)
+#push-options "--z3rlimit 500 --ext context_pruning --z3refresh"
+
+let generate_keypair_unpacked
+      (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize)
+      (#v_Vector #v_Hasher #v_Scheme: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
+          i3:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      (out: t_Slice u8)
-     =
-  let out:t_Slice u8 =
-    Rust_primitives.Hax.Folds.fold_enumerated_slice input
-      (fun out temp_1_ ->
-          let out:t_Slice u8 = out in
-          let _:usize = temp_1_ in
-          true)
-      out
-      (fun out temp_1_ ->
-          let out:t_Slice u8 = out in
-          let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-            temp_1_
-          in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
-            ({
-                Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize;
-                Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize
-              }
-              <:
-              Core.Ops.Range.t_Range usize)
-            (Core.Slice.impl__copy_from_slice #u8
-                (out.[ {
-                      Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize;
-                      Core.Ops.Range.f_end
-                      =
-                      (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize ]
-                  <:
-                  t_Slice u8)
-                (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_u v_COMPRESSION_FACTOR
-                    v_BLOCK_LEN
-                    #v_Vector
-                    re
-                  <:
-                  t_Slice u8)
-              <:
-              t_Slice u8)
-          <:
-          t_Slice u8)
-  in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
-  out
-
-let deserialize_then_decompress_u
-      (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize)
-      (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
+          i4:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
+      (key_generation_seed: t_Slice u8)
+      (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
+      (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
      =
-  let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-    Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+  let hashed:t_Array u8 (sz 64) =
+    Libcrux_ml_kem.Variant.f_cpa_keygen_seed #v_Scheme
+      #FStar.Tactics.Typeclasses.solve
       v_K
-      (fun temp_0_ ->
-          let _:usize = temp_0_ in
-          Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-          <:
-          Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-  in
-  let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *!
-          v_U_COMPRESSION_FACTOR
-          <:
-          usize) /!
-        sz 8
-        <:
-        usize)
-      (ciphertext <: t_Slice u8)
-      (fun u_as_ntt temp_1_ ->
-          let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-            u_as_ntt
-          in
-          let _:usize = temp_1_ in
-          true)
-      u_as_ntt
-      (fun u_as_ntt temp_1_ ->
-          let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-            u_as_ntt
-          in
-          let i, u_bytes:(usize & t_Slice u8) = temp_1_ in
-          let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt
-              i
-              (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR
-                  #v_Vector
-                  u_bytes
-                <:
-                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-          in
-          let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt
-              i
-              (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR
-                  #v_Vector
-                  (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-                <:
-                Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-          in
-          u_as_ntt)
+      #v_Hasher
+      key_generation_seed
   in
-  u_as_ntt
-
-let deserialize_secret_key
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (secret_key: t_Slice u8)
-     =
-  let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-    Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      v_K
-      (fun temp_0_ ->
-          let _:usize = temp_0_ in
-          Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-          <:
-          Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+  let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) =
+    Core.Slice.impl__split_at #u8 (hashed <: t_Slice u8) (sz 32)
   in
-  let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
-      secret_key
-      (fun secret_as_ntt temp_1_ ->
-          let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
-          =
-            secret_as_ntt
-          in
-          let _:usize = temp_1_ in
-          true)
-      secret_as_ntt
-      (fun secret_as_ntt temp_1_ ->
-          let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
-          =
-            secret_as_ntt
-          in
-          let i, secret_bytes:(usize & t_Slice u8) = temp_1_ in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize secret_as_ntt
-            i
-            (Libcrux_ml_kem.Serialize.deserialize_to_uncompressed_ring_element #v_Vector
-                secret_bytes
-              <:
-              Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-          <:
-          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #u8
+      #32
+      seed_for_A
+      (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A) 0 32)
   in
-  secret_as_ntt
-
-let serialize_secret_key
-      (v_K v_OUT_LEN: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-     =
-  let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
-  let out:t_Array u8 v_OUT_LEN =
-    Rust_primitives.Hax.Folds.fold_enumerated_slice key
-      (fun out temp_1_ ->
-          let out:t_Array u8 v_OUT_LEN = out in
-          let _:usize = temp_1_ in
-          true)
-      out
-      (fun out temp_1_ ->
-          let out:t_Array u8 v_OUT_LEN = out in
-          let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-            temp_1_
-          in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
-            ({
-                Core.Ops.Range.f_start
-                =
-                i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize;
-                Core.Ops.Range.f_end
-                =
-                (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize
-              }
-              <:
-              Core.Ops.Range.t_Range usize)
-            (Core.Slice.impl__copy_from_slice #u8
-                (out.[ {
-                      Core.Ops.Range.f_start
-                      =
-                      i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize;
-                      Core.Ops.Range.f_end
-                      =
-                      (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
-                      <:
-                      usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize ]
-                  <:
-                  t_Slice u8)
-                (Libcrux_ml_kem.Serialize.serialize_uncompressed_ring_element #v_Vector re
-                  <:
-                  t_Slice u8)
-              <:
-              t_Slice u8)
-          <:
-          t_Array u8 v_OUT_LEN)
+  let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+    {
+      public_key with
+      Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+      =
+      Libcrux_ml_kem.Matrix.sample_matrix_A v_K
+        #v_Vector
+        #v_Hasher
+        public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+        (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34))
+        true
+    }
+    <:
+    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
   in
-  out
-
-let serialize_public_key_mut
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      (seed_for_a: t_Slice u8)
-      (serialized: t_Array u8 v_PUBLIC_KEY_SIZE)
-     =
-  let serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-      ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT }
-        <:
-        Core.Ops.Range.t_Range usize)
-      (Core.Slice.impl__copy_from_slice #u8
-          (serialized.[ {
-                Core.Ops.Range.f_start = sz 0;
-                Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT
-              }
-              <:
-              Core.Ops.Range.t_Range usize ]
-            <:
-            t_Slice u8)
-          (serialize_secret_key v_K v_RANKED_BYTES_PER_RING_ELEMENT #v_Vector tt_as_ntt
-            <:
-            t_Slice u8)
-        <:
-        t_Slice u8)
+  let _:Prims.unit =
+    let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #v_K seed_for_A in
+    assert (valid ==> matrix_A_as_ntt == Libcrux_ml_kem.Polynomial.to_spec_matrix_t public_key.f_A)
   in
-  let serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized
-      ({ Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT }
-        <:
-        Core.Ops.Range.t_RangeFrom usize)
-      (Core.Slice.impl__copy_from_slice #u8
-          (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT }
-              <:
-              Core.Ops.Range.t_RangeFrom usize ]
-            <:
-            t_Slice u8)
-          seed_for_a
-        <:
-        t_Slice u8)
+  let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) =
+    Libcrux_ml_kem.Utils.into_padded_array (sz 33) seed_for_secret_and_error
   in
-  serialized
-
-let serialize_public_key
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      (seed_for_a: t_Slice u8)
-     =
-  let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
-    Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #u8 #32 seed_for_secret_and_error (Seq.slice prf_input 0 32)
   in
-  let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
-    serialize_public_key_mut v_K
-      v_RANKED_BYTES_PER_RING_ELEMENT
-      v_PUBLIC_KEY_SIZE
+  let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) =
+    sample_vector_cbd_then_ntt v_K
+      v_ETA1
+      v_ETA1_RANDOMNESS_SIZE
       #v_Vector
-      tt_as_ntt
-      seed_for_a
-      public_key_serialized
+      #v_Hasher
+      private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
+      prf_input
+      0uy
   in
-  public_key_serialized
-
-let build_unpacked_public_key_mut
-      (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
-      (#v_Vector #v_Hasher: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (public_key: t_Slice u8)
-      (unpacked_public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
-     =
-  let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
-    {
-      unpacked_public_key with
-      Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
-      =
-      Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_T_AS_NTT_ENCODED_SIZE
-        v_K
-        #v_Vector
-        (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE }
-            <:
-            Core.Ops.Range.t_RangeTo usize ]
-          <:
-          t_Slice u8)
-        unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
-    }
+  let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector =
+    { private_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = tmp0 }
     <:
-    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector
   in
-  let seed:t_Slice u8 =
-    public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE }
-      <:
-      Core.Ops.Range.t_RangeFrom usize ]
+  let domain_separator:u8 = out in
+  let error_as_ntt, _:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8
+  ) =
+    sample_vector_cbd_then_ntt_out v_K
+      v_ETA1
+      v_ETA1_RANDOMNESS_SIZE
+      #v_Vector
+      #v_Hasher
+      prf_input
+      domain_separator
   in
-  let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+  let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
     {
-      unpacked_public_key with
-      Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+      public_key with
+      Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
       =
-      Libcrux_ml_kem.Matrix.sample_matrix_A v_K
+      Libcrux_ml_kem.Matrix.compute_As_plus_e v_K
         #v_Vector
-        #v_Hasher
-        unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
-        (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed <: t_Array u8 (sz 34))
-        false
+        public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+        public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+        private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
+        error_as_ntt
     }
     <:
     Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
   in
-  unpacked_public_key
-
-let build_unpacked_public_key
-      (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
-      (#v_Vector #v_Hasher: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (public_key: t_Slice u8)
-     =
-  let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
-    Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
-      #FStar.Tactics.Typeclasses.solve
-      ()
+  let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+    {
+      public_key with
+      Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
+      =
+      Core.Result.impl__unwrap #(t_Array u8 (sz 32))
+        #Core.Array.t_TryFromSliceError
+        (Core.Convert.f_try_into #(t_Slice u8)
+            #(t_Array u8 (sz 32))
+            #FStar.Tactics.Typeclasses.solve
+            seed_for_A
+          <:
+          Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError)
+    }
+    <:
+    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
   in
-  let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
-    build_unpacked_public_key_mut v_K
-      v_T_AS_NTT_ENCODED_SIZE
-      #v_Vector
-      #v_Hasher
-      public_key
-      unpacked_public_key
+  let _:Prims.unit =
+    let (((t_as_ntt, seed_for_A), matrix_A_as_ntt), secret_as_ntt), valid =
+      Spec.MLKEM.ind_cpa_generate_keypair_unpacked v_K key_generation_seed
+    in
+    assert (valid ==>
+        ((Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector public_key.f_t_as_ntt) ==
+          t_as_ntt) /\ (public_key.f_seed_for_A == seed_for_A) /\
+        (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector public_key.f_A == matrix_A_as_ntt
+        ) /\
+        ((Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector private_key.f_secret_as_ntt) ==
+          secret_as_ntt));
+    assert ((forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index private_key
+                    .f_secret_as_ntt
+                  i)) /\
+        (forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                    .f_t_as_ntt
+                  i)))
   in
-  unpacked_public_key
+  private_key, public_key
+  <:
+  (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector &
+    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+
+#pop-options
 
 let decrypt_unpacked
       (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
@@ -596,7 +720,8 @@ let decrypt_unpacked
     deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext
   in
   let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR
+    Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_K
+      v_V_COMPRESSION_FACTOR
       #v_Vector
       (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE }
           <:
@@ -623,6 +748,7 @@ let decrypt
       (secret_key: t_Slice u8)
       (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
      =
+  let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt in
   let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
     deserialize_secret_key v_K #v_Vector secret_key
   in
@@ -640,6 +766,109 @@ let decrypt
     secret_key_unpacked
     ciphertext
 
+#push-options "--z3rlimit 800 --ext context_pruning --z3refresh"
+
+let compress_then_serialize_u
+      (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (out: t_Slice u8)
+     =
+  let _:Prims.unit =
+    assert (v (sz 32 *! v_COMPRESSION_FACTOR) == 32 * v v_COMPRESSION_FACTOR);
+    assert (v (v_OUT_LEN /! v_K) == v v_OUT_LEN / v v_K);
+    assert (v v_OUT_LEN / v v_K == 32 * v v_COMPRESSION_FACTOR)
+  in
+  let out:t_Slice u8 =
+    Rust_primitives.Hax.Folds.fold_enumerated_slice input
+      (fun out i ->
+          let out:t_Slice u8 = out in
+          let i:usize = i in
+          (v i < v v_K ==>
+            Seq.length out == v v_OUT_LEN /\
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input (v i))) /\
+          (forall (j: nat).
+              j < v i ==>
+              Seq.length out == v v_OUT_LEN /\ (j + 1) * (v v_OUT_LEN / v v_K) <= Seq.length out /\
+              (Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)) ==
+                Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR)
+                  (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j)))))
+      out
+      (fun out temp_1_ ->
+          let out:t_Slice u8 = out in
+          let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+            temp_1_
+          in
+          let _:Prims.unit =
+            assert (forall (j: nat).
+                  j < v i ==>
+                  ((Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)) ==
+                      Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR)
+                        (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j)))))
+          in
+          let out:t_Slice u8 =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
+              ({
+                  Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize;
+                  Core.Ops.Range.f_end
+                  =
+                  (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize
+                }
+                <:
+                Core.Ops.Range.t_Range usize)
+              (Core.Slice.impl__copy_from_slice #u8
+                  (out.[ {
+                        Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize;
+                        Core.Ops.Range.f_end
+                        =
+                        (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                  (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_u v_COMPRESSION_FACTOR
+                      v_BLOCK_LEN
+                      #v_Vector
+                      re
+                    <:
+                    t_Slice u8)
+                <:
+                t_Slice u8)
+          in
+          let _:Prims.unit =
+            let lemma_aux (j: nat{j < v i})
+                : Lemma
+                (Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)) ==
+                  Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR)
+                    (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j))) =
+              Lib.Sequence.eq_intro #u8
+                #(v v_OUT_LEN / v v_K)
+                (Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)))
+                (Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR)
+                    (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j)))
+            in
+            Classical.forall_intro lemma_aux
+          in
+          out)
+  in
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #u8
+      #(v v_OUT_LEN)
+      out
+      (Spec.MLKEM.compress_then_encode_u #v_K
+          (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector input))
+  in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
+  out
+
+#pop-options
+
+#push-options "--z3rlimit 200"
+
 let encrypt_unpacked
       (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
@@ -668,6 +897,10 @@ let encrypt_unpacked
       prf_input
       0uy
   in
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #u8 #32 randomness (Seq.slice prf_input 0 32);
+    assert (v domain_separator == v v_K)
+  in
   let error_1_, domain_separator:(t_Array
       (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K &
     u8) =
@@ -682,6 +915,10 @@ let encrypt_unpacked
   let prf_input:t_Array u8 (sz 33) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input (sz 32) domain_separator
   in
+  let _:Prims.unit =
+    assert (Seq.equal prf_input (Seq.append randomness (Seq.create 1 domain_separator)));
+    assert (prf_input == Seq.append randomness (Seq.create 1 domain_separator))
+  in
   let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE =
     Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher
       #v_K
@@ -712,6 +949,12 @@ let encrypt_unpacked
       error_2_
       message_as_ring_element
   in
+  let _:Prims.unit =
+    assert (v_C1_LEN = Spec.MLKEM.v_C1_SIZE v_K);
+    assert (v_C2_LEN = Spec.MLKEM.v_C2_SIZE v_K);
+    assert (v_CIPHERTEXT_SIZE == v_C1_LEN +! v_C2_LEN);
+    assert (v_C1_LEN <=. v_CIPHERTEXT_SIZE)
+  in
   let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Rust_primitives.Hax.repeat 0uy v_CIPHERTEXT_SIZE in
   let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range ciphertext
@@ -735,7 +978,8 @@ let encrypt_unpacked
   let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from ciphertext
       ({ Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize)
-      (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_v v_V_COMPRESSION_FACTOR
+      (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_v v_K
+          v_V_COMPRESSION_FACTOR
           v_C2_LEN
           #v_Vector
           v
@@ -745,8 +989,17 @@ let encrypt_unpacked
         <:
         t_Slice u8)
   in
+  let _:Prims.unit =
+    lemma_slice_append ciphertext
+      (Seq.slice ciphertext 0 (Rust_primitives.v v_C1_LEN))
+      (Seq.slice ciphertext (Rust_primitives.v v_C1_LEN) (Seq.length ciphertext))
+  in
   ciphertext
 
+#pop-options
+
+#push-options "--z3rlimit 500 --ext context_pruning"
+
 let encrypt
       (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
           usize)
@@ -761,6 +1014,7 @@ let encrypt
       (message: t_Array u8 (sz 32))
       (randomness: t_Slice u8)
      =
+  let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_encrypt) Spec.MLKEM.ind_cpa_encrypt in
   let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
     build_unpacked_public_key v_K v_T_AS_NTT_ENCODED_SIZE #v_Vector #v_Hasher public_key
   in
@@ -768,110 +1022,189 @@ let encrypt
     v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
     v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher unpacked_public_key message randomness
 
-let generate_keypair_unpacked
-      (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize)
-      (#v_Vector #v_Hasher #v_Scheme: Type0)
+#pop-options
+
+#push-options "--z3rlimit 1000 --ext context_pruning --z3refresh"
+
+let serialize_secret_key
+      (v_K v_OUT_LEN: usize)
+      (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
-      (key_generation_seed: t_Slice u8)
-      (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
-      (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+      (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
      =
-  let hashed:t_Array u8 (sz 64) =
-    Libcrux_ml_kem.Variant.f_cpa_keygen_seed #v_Scheme
-      #FStar.Tactics.Typeclasses.solve
-      v_K
-      #v_Hasher
-      key_generation_seed
+  let _:Prims.unit = assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial) in
+  let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
+  let out:t_Array u8 v_OUT_LEN =
+    Rust_primitives.Hax.Folds.fold_enumerated_slice key
+      (fun out i ->
+          let out:t_Array u8 v_OUT_LEN = out in
+          let i:usize = i in
+          (v i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key (v i))) /\
+          (forall (j: nat).
+              j < v i ==>
+              (j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <= Seq.length out /\
+              (Seq.slice out
+                  (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+                  ((j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) ==
+                Spec.MLKEM.byte_encode 12
+                  (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index key j)))))
+      out
+      (fun out temp_1_ ->
+          let out:t_Array u8 v_OUT_LEN = out in
+          let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+            temp_1_
+          in
+          let out:t_Array u8 v_OUT_LEN =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
+              ({
+                  Core.Ops.Range.f_start
+                  =
+                  i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize;
+                  Core.Ops.Range.f_end
+                  =
+                  (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize
+                }
+                <:
+                Core.Ops.Range.t_Range usize)
+              (Core.Slice.impl__copy_from_slice #u8
+                  (out.[ {
+                        Core.Ops.Range.f_start
+                        =
+                        i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize;
+                        Core.Ops.Range.f_end
+                        =
+                        (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
+                        <:
+                        usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                  (Libcrux_ml_kem.Serialize.serialize_uncompressed_ring_element #v_Vector re
+                    <:
+                    t_Slice u8)
+                <:
+                t_Slice u8)
+          in
+          let _:Prims.unit =
+            let lemma_aux (j: nat{j < v i})
+                : Lemma
+                (Seq.slice out
+                    (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+                    ((j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) ==
+                  Spec.MLKEM.byte_encode 12
+                    (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index key j))) =
+              Lib.Sequence.eq_intro #u8
+                #(v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+                (Seq.slice out
+                    (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+                    ((j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT))
+                (Spec.MLKEM.byte_encode 12
+                    (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index key j)))
+            in
+            Classical.forall_intro lemma_aux
+          in
+          out)
   in
-  let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) =
-    Core.Slice.impl__split_at #u8 (hashed <: t_Slice u8) (sz 32)
+  let _:Prims.unit =
+    assert (Spec.MLKEM.coerce_vector_12 (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+              #v_Vector
+              key) ==
+        Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key);
+    reveal_opaque (`%Spec.MLKEM.vector_encode_12) (Spec.MLKEM.vector_encode_12 #v_K);
+    Lib.Sequence.eq_intro #u8
+      #(v v_OUT_LEN)
+      out
+      (Spec.MLKEM.vector_encode_12 #v_K
+          (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key))
   in
-  let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
-    {
-      public_key with
-      Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
-      =
-      Libcrux_ml_kem.Matrix.sample_matrix_A v_K
-        #v_Vector
-        #v_Hasher
-        public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
-        (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34))
-        true
-    }
-    <:
-    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+  out
+
+#pop-options
+
+let serialize_public_key_mut
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (seed_for_a: t_Slice u8)
+      (serialized: t_Array u8 v_PUBLIC_KEY_SIZE)
+     =
+  let serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+      ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT }
+        <:
+        Core.Ops.Range.t_Range usize)
+      (Core.Slice.impl__copy_from_slice #u8
+          (serialized.[ {
+                Core.Ops.Range.f_start = sz 0;
+                Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT
+              }
+              <:
+              Core.Ops.Range.t_Range usize ]
+            <:
+            t_Slice u8)
+          (serialize_secret_key v_K v_RANKED_BYTES_PER_RING_ELEMENT #v_Vector tt_as_ntt
+            <:
+            t_Slice u8)
+        <:
+        t_Slice u8)
   in
-  let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) =
-    Libcrux_ml_kem.Utils.into_padded_array (sz 33) seed_for_secret_and_error
+  let serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized
+      ({ Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT }
+        <:
+        Core.Ops.Range.t_RangeFrom usize)
+      (Core.Slice.impl__copy_from_slice #u8
+          (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT }
+              <:
+              Core.Ops.Range.t_RangeFrom usize ]
+            <:
+            t_Slice u8)
+          seed_for_a
+        <:
+        t_Slice u8)
   in
-  let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) =
-    sample_vector_cbd_then_ntt v_K
-      v_ETA1
-      v_ETA1_RANDOMNESS_SIZE
-      #v_Vector
-      #v_Hasher
-      private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
-      prf_input
-      0uy
+  let _:Prims.unit =
+    Lib.Sequence.eq_intro #u8
+      #(v v_PUBLIC_KEY_SIZE)
+      serialized
+      (Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+              (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt))
+          seed_for_a)
   in
-  let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector =
-    { private_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = tmp0 }
-    <:
-    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector
+  serialized
+
+let serialize_public_key
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (seed_for_a: t_Slice u8)
+     =
+  let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+    Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE
   in
-  let domain_separator:u8 = out in
-  let error_as_ntt, _:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8
-  ) =
-    sample_vector_cbd_then_ntt_out v_K
-      v_ETA1
-      v_ETA1_RANDOMNESS_SIZE
+  let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+    serialize_public_key_mut v_K
+      v_RANKED_BYTES_PER_RING_ELEMENT
+      v_PUBLIC_KEY_SIZE
       #v_Vector
-      #v_Hasher
-      prf_input
-      domain_separator
-  in
-  let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
-    {
-      public_key with
-      Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
-      =
-      Libcrux_ml_kem.Matrix.compute_As_plus_e v_K
-        #v_Vector
-        public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
-        public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
-        private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
-        error_as_ntt
-    }
-    <:
-    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
-  in
-  let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
-    {
-      public_key with
-      Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
-      =
-      Core.Result.impl__unwrap #(t_Array u8 (sz 32))
-        #Core.Array.t_TryFromSliceError
-        (Core.Convert.f_try_into #(t_Slice u8)
-            #(t_Array u8 (sz 32))
-            #FStar.Tactics.Typeclasses.solve
-            seed_for_A
-          <:
-          Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError)
-    }
-    <:
-    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+      tt_as_ntt
+      seed_for_a
+      public_key_serialized
   in
-  private_key, public_key
-  <:
-  (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector &
-    Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+  public_key_serialized
+
+#push-options "--admit_smt_queries true"
 
 let serialize_unpacked_secret_key
       (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT: usize)
@@ -900,6 +1233,8 @@ let serialize_unpacked_secret_key
   <:
   (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE)
 
+#pop-options
+
 let generate_keypair
       (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
           usize)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti
index 6754a210b..981a0c86e 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ind_cpa
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -12,6 +12,92 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element.
+val deserialize_secret_key
+      (v_K: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (secret_key: t_Slice u8)
+    : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v (Core.Slice.impl__len #u8 secret_key) /
+        v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <=
+        v v_K)
+      (ensures
+        fun res ->
+          let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in
+          Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res ==
+          Spec.MLKEM.vector_decode_12 #v_K secret_key)
+
+val build_unpacked_public_key_mut
+      (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
+      (#v_Vector #v_Hasher: Type0)
+      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      (public_key: t_Slice u8)
+      (unpacked_public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+    : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        length public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+      (ensures
+        fun unpacked_public_key_future ->
+          let unpacked_public_key_future:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked
+            v_K v_Vector =
+            unpacked_public_key_future
+          in
+          let t_as_ntt_bytes, seed_for_A = split public_key v_T_AS_NTT_ENCODED_SIZE in
+          let t_as_ntt = Spec.MLKEM.vector_decode_12 #v_K t_as_ntt_bytes in
+          let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #v_K seed_for_A in
+          (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+              #v_Vector
+              unpacked_public_key_future.f_t_as_ntt ==
+            t_as_ntt /\ valid ==>
+            Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector unpacked_public_key_future.f_A ==
+            Spec.MLKEM.matrix_transpose matrix_A_as_ntt))
+
+val build_unpacked_public_key
+      (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
+      (#v_Vector #v_Hasher: Type0)
+      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      (public_key: t_Slice u8)
+    : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        length public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+            result
+          in
+          let t_as_ntt_bytes, seed_for_A = split public_key v_T_AS_NTT_ENCODED_SIZE in
+          let t_as_ntt = Spec.MLKEM.vector_decode_12 #v_K t_as_ntt_bytes in
+          let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #v_K seed_for_A in
+          (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector result.f_t_as_ntt == t_as_ntt /\
+            valid ==>
+            Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector result.f_A ==
+            Spec.MLKEM.matrix_transpose matrix_A_as_ntt))
+
+/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element
+/// in the `ciphertext`.
+val deserialize_then_decompress_u
+      (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
+    : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K)
+      (ensures
+        fun res ->
+          let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in
+          Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res ==
+          Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K
+                  (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K))))))
+
 /// Sample a vector of ring elements from a centered binomial distribution.
 val sample_ring_element_cbd
       (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize)
@@ -21,8 +107,19 @@ val sample_ring_element_cbd
       (prf_input: t_Array u8 (sz 33))
       (domain_separator: u8)
     : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ v domain_separator < 2 * v v_K /\
+        range (v domain_separator + v v_K) u8_inttype)
+      (ensures
+        fun temp_0_ ->
+          let err1, ds:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K &
+            u8) =
+            temp_0_
+          in
+          v ds == v domain_separator + v v_K /\
+          Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector err1 ==
+          Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))
 
 /// Sample a vector of ring elements from a centered binomial distribution and
 /// convert them into their NTT representations.
@@ -35,8 +132,26 @@ val sample_vector_cbd_then_ntt
       (prf_input: t_Array u8 (sz 33))
       (domain_separator: u8)
     : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA == Spec.MLKEM.v_ETA1 v_K /\ v domain_separator < 2 * v v_K /\
+        range (v domain_separator + v v_K) u8_inttype)
+      (ensures
+        fun temp_0_ ->
+          let re_as_ntt_future, ds:(t_Array
+              (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K &
+            u8) =
+            temp_0_
+          in
+          v ds == v domain_separator + v v_K /\
+          Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt_future ==
+          Spec.MLKEM.sample_vector_cbd_then_ntt #v_K
+            (Seq.slice prf_input 0 32)
+            (sz (v domain_separator)) /\
+          (forall (i: nat).
+              i < v v_K ==>
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #v_Vector
+                (Seq.index re_as_ntt_future i)))
 
 val sample_vector_cbd_then_ntt_out
       (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
@@ -46,86 +161,100 @@ val sample_vector_cbd_then_ntt_out
       (prf_input: t_Array u8 (sz 33))
       (domain_separator: u8)
     : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Call [`compress_then_serialize_ring_element_u`] on each ring element.
-val compress_then_serialize_u
-      (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      (out: t_Slice u8)
-    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element
-/// in the `ciphertext`.
-val deserialize_then_decompress_u
-      (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element.
-val deserialize_secret_key
-      (v_K: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (secret_key: t_Slice u8)
-    : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Call [`serialize_uncompressed_ring_element`] for each ring element.
-val serialize_secret_key
-      (v_K v_OUT_LEN: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-    : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Concatenate `t` and `ρ` into the public key.
-val serialize_public_key_mut
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      (seed_for_a: t_Slice u8)
-      (serialized: t_Array u8 v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Concatenate `t` and `ρ` into the public key.
-val serialize_public_key
-      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      (seed_for_a: t_Slice u8)
-    : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA == Spec.MLKEM.v_ETA1 v_K /\ v domain_separator < 2 * v v_K /\
+        range (v domain_separator + v v_K) u8_inttype)
+      (ensures
+        fun temp_0_ ->
+          let re, ds:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8)
+          =
+            temp_0_
+          in
+          v ds == v domain_separator + v v_K /\
+          Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re ==
+          Spec.MLKEM.sample_vector_cbd_then_ntt #v_K
+            (Seq.slice prf_input 0 32)
+            (sz (v domain_separator)))
 
-val build_unpacked_public_key_mut
-      (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
-      (#v_Vector #v_Hasher: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      (public_key: t_Slice u8)
-      (unpacked_public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
-    : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-val build_unpacked_public_key
-      (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
-      (#v_Vector #v_Hasher: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      (public_key: t_Slice u8)
-    : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+/// This function implements most of <strong>Algorithm 12</strong> of the
+/// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm.
+/// We say \"most of\" since Algorithm 12 samples the required randomness within
+/// the function itself, whereas this implementation expects it to be provided
+/// through the `key_generation_seed` parameter.
+/// Algorithm 12 is reproduced below:
+/// ```plaintext
+/// Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}.
+/// Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}.
+/// d ←$ B
+/// (ρ,σ) ← G(d)
+/// N ← 0
+/// for (i ← 0; i < k; i++)
+///     for(j ← 0; j < k; j++)
+///         Â[i,j] ← SampleNTT(XOF(ρ, i, j))
+///     end for
+/// end for
+/// for(i ← 0; i < k; i++)
+///     s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N))
+///     N ← N + 1
+/// end for
+/// for(i ← 0; i < k; i++)
+///     e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N))
+///     N ← N + 1
+/// end for
+/// ŝ ← NTT(s)
+/// ê ← NTT(e)
+/// t\u{302} ← Â◦ŝ + ê
+/// ekₚₖₑ ← ByteEncode₁₂(t\u{302}) ‖ ρ
+/// dkₚₖₑ ← ByteEncode₁₂(ŝ)
+/// ```
+/// The NIST FIPS 203 standard can be found at
+/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
+val generate_keypair_unpacked
+      (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize)
+      (#v_Vector #v_Hasher #v_Scheme: Type0)
+      {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
+      (key_generation_seed: t_Slice u8)
+      (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
+      (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector &
+        Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE)
+      (ensures
+        fun temp_0_ ->
+          let private_key_future, public_key_future:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked
+              v_K v_Vector &
+            Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) =
+            temp_0_
+          in
+          let (((t_as_ntt, seed_for_A), matrix_A_as_ntt), secret_as_ntt), valid =
+            Spec.MLKEM.ind_cpa_generate_keypair_unpacked v_K key_generation_seed
+          in
+          (valid ==>
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector public_key_future.f_t_as_ntt ==
+              t_as_ntt) /\ (public_key_future.f_seed_for_A == seed_for_A) /\
+            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector public_key_future.f_A ==
+              matrix_A_as_ntt) /\
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+                #v_Vector
+                private_key_future.f_secret_as_ntt ==
+              secret_as_ntt)) /\
+          (forall (i: nat).
+              i < v v_K ==>
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index private_key_future
+                      .f_secret_as_ntt
+                    i)) /\
+          (forall (i: nat).
+              i < v v_K ==>
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key_future
+                      .f_t_as_ntt
+                    i)))
 
 /// This function implements <strong>Algorithm 14</strong> of the
 /// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm.
@@ -152,7 +281,19 @@ val decrypt_unpacked
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
       (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result ==
+          Spec.MLKEM.ind_cpa_decrypt_unpacked v_K
+            ciphertext
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_key.f_secret_as_ntt))
 
 val decrypt
       (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
@@ -161,7 +302,39 @@ val decrypt
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (secret_key: t_Slice u8)
       (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires
+        Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\
+        v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext)
+
+/// Call [`compress_then_serialize_ring_element_u`] on each ring element.
+val compress_then_serialize_u
+      (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (out: t_Slice u8)
+    : Prims.Pure (t_Slice u8)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_C1_SIZE v_K /\
+        v_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ Core.Slice.impl__len #u8 out == v_OUT_LEN /\
+        (forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input i)))
+      (ensures
+        fun out_future ->
+          let out_future:t_Slice u8 = out_future in
+          out_future ==
+          Spec.MLKEM.compress_then_encode_u #v_K
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector input))
 
 /// This function implements <strong>Algorithm 13</strong> of the
 /// NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm.
@@ -172,7 +345,7 @@ val decrypt
 /// Input: encryption randomness r ∈ 𝔹^{32}.
 /// Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}.
 /// N ← 0
-/// t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k])
+/// t\u{302} ← ByteDecode₁₂(ekₚₖₑ[0:384k])
 /// ρ ← ekₚₖₑ[384k: 384k + 32]
 /// for (i ← 0; i < k; i++)
 ///     for(j ← 0; j < k; j++)
@@ -188,10 +361,10 @@ val decrypt
 ///     N ← N + 1
 /// end for
 /// e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N))
-/// r̂ ← NTT(r)
-/// u ← NTT-¹(Âᵀ ◦ r̂) + e₁
+/// r\u{302} ← NTT(r)
+/// u ← NTT-¹(Âᵀ ◦ r\u{302}) + e₁
 /// μ ← Decompress₁(ByteDecode₁(m)))
-/// v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ
+/// v ← NTT-¹(t\u{302}ᵀ ◦ rˆ) + e₂ + μ
 /// c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u))
 /// c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v))
 /// return c ← (c₁ ‖ c₂)
@@ -207,7 +380,27 @@ val encrypt_unpacked
       (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
       (message: t_Array u8 (sz 32))
       (randomness: t_Slice u8)
-    : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+        v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_C1_LEN == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_LEN == Spec.MLKEM.v_C2_SIZE v_K /\
+        v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        length randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_CIPHERTEXT_SIZE = result in
+          result ==
+          Spec.MLKEM.ind_cpa_encrypt_unpacked v_K
+            message
+            randomness
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector public_key.f_t_as_ntt)
+            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector public_key.f_A))
 
 val encrypt
       (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
@@ -218,55 +411,90 @@ val encrypt
       (public_key: t_Slice u8)
       (message: t_Array u8 (sz 32))
       (randomness: t_Slice u8)
-    : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_ETA1 = Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        v_ETA2 = Spec.MLKEM.v_ETA2 v_K /\ v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+        v_ETA2_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+        v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+        v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        length public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        length randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE /\
+        v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+        v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+        v_C1_LEN == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_LEN == Spec.MLKEM.v_C2_SIZE v_K)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_CIPHERTEXT_SIZE = result in
+          let expected, valid = Spec.MLKEM.ind_cpa_encrypt v_K public_key message randomness in
+          valid ==> result == expected)
 
-/// This function implements most of <strong>Algorithm 12</strong> of the
-/// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm.
-/// We say "most of" since Algorithm 12 samples the required randomness within
-/// the function itself, whereas this implementation expects it to be provided
-/// through the `key_generation_seed` parameter.
-/// Algorithm 12 is reproduced below:
-/// ```plaintext
-/// Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}.
-/// Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}.
-/// d ←$ B
-/// (ρ,σ) ← G(d)
-/// N ← 0
-/// for (i ← 0; i < k; i++)
-///     for(j ← 0; j < k; j++)
-///         Â[i,j] ← SampleNTT(XOF(ρ, i, j))
-///     end for
-/// end for
-/// for(i ← 0; i < k; i++)
-///     s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N))
-///     N ← N + 1
-/// end for
-/// for(i ← 0; i < k; i++)
-///     e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N))
-///     N ← N + 1
-/// end for
-/// ŝ ← NTT(s)
-/// ê ← NTT(e)
-/// t̂ ← Â◦ŝ + ê
-/// ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ
-/// dkₚₖₑ ← ByteEncode₁₂(ŝ)
-/// ```
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-val generate_keypair_unpacked
-      (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize)
-      (#v_Vector #v_Hasher #v_Scheme: Type0)
-      {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
-      (key_generation_seed: t_Slice u8)
-      (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
-      (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector &
-        Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+/// Call [`serialize_uncompressed_ring_element`] for each ring element.
+val serialize_secret_key
+      (v_K v_OUT_LEN: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+    : Prims.Pure (t_Array u8 v_OUT_LEN)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        (forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key i)))
+      (ensures
+        fun res ->
+          let res:t_Array u8 v_OUT_LEN = res in
+          res ==
+          Spec.MLKEM.vector_encode_12 #v_K
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key))
+
+/// Concatenate `t` and `ρ` into the public key.
+val serialize_public_key_mut
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (seed_for_a: t_Slice u8)
+      (serialized: t_Array u8 v_PUBLIC_KEY_SIZE)
+    : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\
+        (forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i)))
+      (ensures
+        fun serialized_future ->
+          let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in
+          serialized_future ==
+          Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+                (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt))
+            seed_for_a)
+
+/// Concatenate `t` and `ρ` into the public key.
+val serialize_public_key
+      (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (seed_for_a: t_Slice u8)
+    : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\
+        (forall (i: nat).
+            i < v v_K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i)))
+      (ensures
+        fun res ->
+          let res:t_Array u8 v_PUBLIC_KEY_SIZE = res in
+          res ==
+          Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+                (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt))
+            seed_for_a)
 
 /// Serialize the secret key from the unpacked key pair generation.
 val serialize_unpacked_secret_key
@@ -288,5 +516,15 @@ val generate_keypair
       {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
       (key_generation_seed: t_Slice u8)
     : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+        v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+        v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+        v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+        v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+        length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE)
+      (ensures
+        fun result ->
+          let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = result in
+          let expected, valid = Spec.MLKEM.ind_cpa_generate_keypair v_K key_generation_seed in
+          valid ==> result == expected)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst
index c8c456676..b819cb727 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Invert_ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -29,6 +29,8 @@ let inv_ntt_layer_int_vec_step_reduce
   let b:v_Vector = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe #v_Vector a_minus_b zeta_r in
   a, b <: (v_Vector & v_Vector)
 
+#push-options "--z3rlimit 200 --ext context_pruning"
+
 let invert_ntt_at_layer_1_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -36,17 +38,28 @@ let invert_ntt_at_layer_1_
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer: usize)
      =
+  let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #v_Vector) in
+  let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in
+  let v__zeta_i_init:usize = zeta_i in
   let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (sz 16)
-      (fun temp_0_ temp_1_ ->
+      (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
             temp_0_
           in
-          let _:usize = temp_1_ in
-          true)
+          let round:usize = round in
+          v zeta_i == v v__zeta_i_init - v round * 4 /\
+          (v round < 16 ==>
+            (forall (i: nat).
+                (i >= v round /\ i < 16) ==>
+                Spec.Utils.is_i16b_array_opaque (4 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i: nat).
+              i < v round ==>
+              Spec.Utils.is_i16b_array_opaque 3328
+                (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))))
       (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
       (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
@@ -54,6 +67,11 @@ let invert_ntt_at_layer_1_
           in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque (4 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
             {
               re with
@@ -65,19 +83,10 @@ let invert_ntt_at_layer_1_
                 (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_1_step #v_Vector
                     #FStar.Tactics.Typeclasses.solve
                     (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize
-                      ]
-                      <:
-                      i16)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize
-                      ]
-                      <:
-                      i16)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize
-                      ]
-                      <:
-                      i16)
+                    (Libcrux_ml_kem.Polynomial.zeta zeta_i <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta (zeta_i -! sz 1 <: usize) <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta (zeta_i -! sz 2 <: usize) <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta (zeta_i -! sz 3 <: usize) <: i16)
                   <:
                   v_Vector)
             }
@@ -85,11 +94,24 @@ let invert_ntt_at_layer_1_
             Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
           let zeta_i:usize = zeta_i -! sz 3 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
+          let _:Prims.unit =
+            assert (Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 
+#pop-options
+
+#push-options "--z3rlimit 200 --ext context_pruning"
+
 let invert_ntt_at_layer_2_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -97,17 +119,27 @@ let invert_ntt_at_layer_2_
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer: usize)
      =
+  let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in
+  let v__zeta_i_init:usize = zeta_i in
   let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (sz 16)
-      (fun temp_0_ temp_1_ ->
+      (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
             temp_0_
           in
-          let _:usize = temp_1_ in
-          true)
+          let round:usize = round in
+          v zeta_i == v v__zeta_i_init - v round * 2 /\
+          (v round < 16 ==>
+            (forall (i: nat).
+                (i >= v round /\ i < 16) ==>
+                Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i: nat).
+              i < v round ==>
+              Spec.Utils.is_i16b_array_opaque 3328
+                (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))))
       (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
       (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
@@ -115,6 +147,11 @@ let invert_ntt_at_layer_2_
           in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
             {
               re with
@@ -126,11 +163,8 @@ let invert_ntt_at_layer_2_
                 (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_2_step #v_Vector
                     #FStar.Tactics.Typeclasses.solve
                     (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize
-                      ]
-                      <:
-                      i16)
+                    (Libcrux_ml_kem.Polynomial.zeta zeta_i <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta (zeta_i -! sz 1 <: usize) <: i16)
                   <:
                   v_Vector)
             }
@@ -138,11 +172,24 @@ let invert_ntt_at_layer_2_
             Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
           let zeta_i:usize = zeta_i -! sz 1 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
+          let _:Prims.unit =
+            assert (Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 
+#pop-options
+
+#push-options "--z3rlimit 200 --ext context_pruning"
+
 let invert_ntt_at_layer_3_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -150,17 +197,27 @@ let invert_ntt_at_layer_3_
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer: usize)
      =
+  let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in
+  let v__zeta_i_init:usize = zeta_i in
   let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (sz 16)
-      (fun temp_0_ temp_1_ ->
+      (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
             temp_0_
           in
-          let _:usize = temp_1_ in
-          true)
+          let round:usize = round in
+          v zeta_i == v v__zeta_i_init - v round /\
+          (v round < 16 ==>
+            (forall (i: nat).
+                (i >= v round /\ i < 16) ==>
+                Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i: nat).
+              i < v round ==>
+              Spec.Utils.is_i16b_array_opaque 3328
+                (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))))
       (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
       (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
@@ -168,6 +225,11 @@ let invert_ntt_at_layer_3_
           in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
             {
               re with
@@ -179,18 +241,31 @@ let invert_ntt_at_layer_3_
                 (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_3_step #v_Vector
                     #FStar.Tactics.Typeclasses.solve
                     (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta zeta_i <: i16)
                   <:
                   v_Vector)
             }
             <:
             Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
+          let _:Prims.unit =
+            assert (Spec.Utils.is_i16b_array_opaque 3328
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
 let invert_ntt_at_layer_4_plus
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -239,7 +314,7 @@ let invert_ntt_at_layer_4_plus
                       (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ]
                         <:
                         v_Vector)
-                      (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
+                      (Libcrux_ml_kem.Polynomial.zeta zeta_i <: i16)
                   in
                   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
                     {
@@ -274,6 +349,8 @@ let invert_ntt_at_layer_4_plus
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 
+#pop-options
+
 let invert_ntt_montgomery
       (v_K: usize)
       (#v_Vector: Type0)
@@ -284,19 +361,19 @@ let invert_ntt_montgomery
      =
   let zeta_i:usize = Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 2 in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    invert_ntt_at_layer_1_ #v_Vector zeta_i re (sz 1)
+    invert_ntt_at_layer_1_ #v_Vector zeta_i re
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    invert_ntt_at_layer_2_ #v_Vector zeta_i re (sz 2)
+    invert_ntt_at_layer_2_ #v_Vector zeta_i re
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    invert_ntt_at_layer_3_ #v_Vector zeta_i re (sz 3)
+    invert_ntt_at_layer_3_ #v_Vector zeta_i re
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
@@ -327,7 +404,7 @@ let invert_ntt_montgomery
   let _:Prims.unit = () in
   let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
   =
-    (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re
+    (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re
     <:
     (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
   in
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti
index ffe255831..52d37549d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Invert_ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -14,37 +14,81 @@ val inv_ntt_layer_int_vec_step_reduce
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (a b: v_Vector)
       (zeta_r: i16)
-    : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (v_Vector & v_Vector)
+      (requires
+        Spec.Utils.is_i16b 1664 zeta_r /\
+        (forall i.
+            i < 16 ==>
+            Spec.Utils.is_intb (pow2 15 - 1)
+              (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i) -
+                v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i))) /\
+        (forall i.
+            i < 16 ==>
+            Spec.Utils.is_intb (pow2 15 - 1)
+              (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) +
+                v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i))) /\
+        Spec.Utils.is_i16b_array 28296
+          (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (Libcrux_ml_kem.Vector.Traits.f_add a b)))
+      (fun _ -> Prims.l_True)
+
+[@@ "opaque_to_smt"]
+   let invert_ntt_re_range_1 (#v_Vector: Type0)
+         {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+         (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
+
+[@@ "opaque_to_smt"]
+   let invert_ntt_re_range_2 (#v_Vector: Type0)
+           {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+           (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328
+               (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
 
 val invert_ntt_at_layer_1_
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer: usize)
     : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires v zeta_i == 128 /\ invert_ntt_re_range_1 re)
+      (ensures
+        fun temp_0_ ->
+          let zeta_i_future, re_future:(usize &
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+            temp_0_
+          in
+          invert_ntt_re_range_2 re_future /\ v zeta_i_future == 64)
 
 val invert_ntt_at_layer_2_
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer: usize)
     : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires v zeta_i == 64 /\ invert_ntt_re_range_2 re)
+      (ensures
+        fun temp_0_ ->
+          let zeta_i_future, re_future:(usize &
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+            temp_0_
+          in
+          invert_ntt_re_range_2 re_future /\ v zeta_i_future == 32)
 
 val invert_ntt_at_layer_3_
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer: usize)
     : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires v zeta_i == 32 /\ invert_ntt_re_range_2 re)
+      (ensures
+        fun temp_0_ ->
+          let zeta_i_future, re_future:(usize &
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+            temp_0_
+          in
+          invert_ntt_re_range_2 re_future /\ v zeta_i_future == 16)
 
 val invert_ntt_at_layer_4_plus
       (#v_Vector: Type0)
@@ -53,7 +97,7 @@ val invert_ntt_at_layer_4_plus
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
       (layer: usize)
     : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
+      (requires v layer >= 4 /\ v layer <= 7)
       (fun _ -> Prims.l_True)
 
 val invert_ntt_montgomery
@@ -62,5 +106,5 @@ val invert_ntt_montgomery
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
+      (requires invert_ntt_re_range_1 re)
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst
index 1c0bd1278..92a2c589d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Matrix
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -10,6 +10,133 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+let sample_matrix_A
+      (v_K: usize)
+      (#v_Vector #v_Hasher: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (v_A_transpose:
+          t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
+      (seed: t_Array u8 (sz 34))
+      (transpose: bool)
+     =
+  let v_A_transpose:t_Array
+    (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      v_K
+      (fun v_A_transpose temp_1_ ->
+          let v_A_transpose:t_Array
+            (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+            v_A_transpose
+          in
+          let _:usize = temp_1_ in
+          true)
+      v_A_transpose
+      (fun v_A_transpose i ->
+          let v_A_transpose:t_Array
+            (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+            v_A_transpose
+          in
+          let i:usize = i in
+          let seeds:t_Array (t_Array u8 (sz 34)) v_K = Rust_primitives.Hax.repeat seed v_K in
+          let seeds:t_Array (t_Array u8 (sz 34)) v_K =
+            Rust_primitives.Hax.Folds.fold_range (sz 0)
+              v_K
+              (fun seeds temp_1_ ->
+                  let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in
+                  let _:usize = temp_1_ in
+                  true)
+              seeds
+              (fun seeds j ->
+                  let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in
+                  let j:usize = j in
+                  let seeds:t_Array (t_Array u8 (sz 34)) v_K =
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds
+                      j
+                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ]
+                            <:
+                            t_Array u8 (sz 34))
+                          (sz 32)
+                          (cast (i <: usize) <: u8)
+                        <:
+                        t_Array u8 (sz 34))
+                  in
+                  let seeds:t_Array (t_Array u8 (sz 34)) v_K =
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds
+                      j
+                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ]
+                            <:
+                            t_Array u8 (sz 34))
+                          (sz 33)
+                          (cast (j <: usize) <: u8)
+                        <:
+                        t_Array u8 (sz 34))
+                  in
+                  seeds)
+          in
+          let sampled:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+            Libcrux_ml_kem.Sampling.sample_from_xof v_K #v_Vector #v_Hasher seeds
+          in
+          Rust_primitives.Hax.Folds.fold_enumerated_slice sampled
+            (fun v_A_transpose temp_1_ ->
+                let v_A_transpose:t_Array
+                  (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+                  v_A_transpose
+                in
+                let _:usize = temp_1_ in
+                true)
+            v_A_transpose
+            (fun v_A_transpose temp_1_ ->
+                let v_A_transpose:t_Array
+                  (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+                  v_A_transpose
+                in
+                let j, sample:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+                  temp_1_
+                in
+                if transpose
+                then
+                  let v_A_transpose:t_Array
+                    (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose
+                      j
+                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ j
+                            ]
+                            <:
+                            t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
+                          )
+                          i
+                          sample
+                        <:
+                        t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+                  in
+                  v_A_transpose
+                else
+                  let v_A_transpose:t_Array
+                    (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose
+                      i
+                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ i
+                            ]
+                            <:
+                            t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
+                          )
+                          j
+                          sample
+                        <:
+                        t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+                  in
+                  v_A_transpose))
+  in
+  let result:Prims.unit = () <: Prims.unit in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  let hax_temp_output:Prims.unit = result in
+  v_A_transpose
+
 let compute_As_plus_e
       (v_K: usize)
       (#v_Vector: Type0)
@@ -44,7 +171,7 @@ let compute_As_plus_e
           let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
               i
-              (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
+              (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
                 <:
                 Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
           in
@@ -70,7 +197,7 @@ let compute_As_plus_e
                     temp_1_
                   in
                   let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-                    Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector
+                    Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector
                       matrix_element
                       (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
                   in
@@ -78,7 +205,7 @@ let compute_As_plus_e
                     v_K =
                     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
                       i
-                      (Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector
+                      (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector
                           v_K
                           (tt_as_ntt.[ i ]
                             <:
@@ -92,7 +219,7 @@ let compute_As_plus_e
           let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
               i
-              (Libcrux_ml_kem.Polynomial.impl__add_standard_error_reduce #v_Vector
+              (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector
                   (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
                   (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
                 <:
@@ -100,9 +227,59 @@ let compute_As_plus_e
           in
           tt_as_ntt)
   in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
+  let result:Prims.unit = () <: Prims.unit in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  let hax_temp_output:Prims.unit = result in
   tt_as_ntt
 
+#push-options "--admit_smt_queries true"
+
+let compute_message
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (secret_as_ntt u_as_ntt:
+          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+     =
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+  in
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      v_K
+      (fun result temp_1_ ->
+          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
+          let _:usize = temp_1_ in
+          true)
+      result
+      (fun result i ->
+          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
+          let i:usize = i in
+          let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+            Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector
+              (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+              (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          in
+          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+            Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product
+          in
+          result)
+  in
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result
+  in
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Libcrux_ml_kem.Polynomial.impl_2__subtract_reduce #v_Vector v result
+  in
+  result
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
 let compute_ring_element_v
       (v_K: usize)
       (#v_Vector: Type0)
@@ -113,7 +290,7 @@ let compute_ring_element_v
       (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
      =
   let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
+    Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
   in
   let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
@@ -127,12 +304,12 @@ let compute_ring_element_v
           let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
           let i:usize = i in
           let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-            Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector
+            Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector
               (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
               (r_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
           in
           let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-            Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K result product
+            Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product
           in
           result)
   in
@@ -140,10 +317,14 @@ let compute_ring_element_v
     Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result
   in
   let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__add_message_error_reduce #v_Vector error_2_ message result
+    Libcrux_ml_kem.Polynomial.impl_2__add_message_error_reduce #v_Vector error_2_ message result
   in
   result
 
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
 let compute_vector_u
       (v_K: usize)
       (#v_Vector: Type0)
@@ -159,7 +340,7 @@ let compute_vector_u
       v_K
       (fun v__i ->
           let v__i:usize = v__i in
-          Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
+          Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
           <:
           Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
   in
@@ -204,7 +385,7 @@ let compute_vector_u
                     temp_1_
                   in
                   let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-                    Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector
+                    Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector
                       a_element
                       (r_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
                   in
@@ -212,7 +393,7 @@ let compute_vector_u
                     v_K =
                     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
                       i
-                      (Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector
+                      (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector
                           v_K
                           (result.[ i ]
                             <:
@@ -235,7 +416,7 @@ let compute_vector_u
           let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
               i
-              (Libcrux_ml_kem.Polynomial.impl__add_error_reduce #v_Vector
+              (Libcrux_ml_kem.Polynomial.impl_2__add_error_reduce #v_Vector
                   (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
                   (error_1_.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
                 <:
@@ -245,169 +426,4 @@ let compute_vector_u
   in
   result
 
-let compute_message
-      (v_K: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (secret_as_ntt u_as_ntt:
-          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-     =
-  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-  in
-  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      v_K
-      (fun result temp_1_ ->
-          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
-          let _:usize = temp_1_ in
-          true)
-      result
-      (fun result i ->
-          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
-          let i:usize = i in
-          let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-            Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector
-              (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-              (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-          in
-          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-            Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K result product
-          in
-          result)
-  in
-  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result
-  in
-  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__subtract_reduce #v_Vector v result
-  in
-  result
-
-let sample_matrix_A
-      (v_K: usize)
-      (#v_Vector #v_Hasher: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (v_A_transpose:
-          t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
-      (seed: t_Array u8 (sz 34))
-      (transpose: bool)
-     =
-  let v_A_transpose:t_Array
-    (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      v_K
-      (fun v_A_transpose temp_1_ ->
-          let v_A_transpose:t_Array
-            (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-            v_A_transpose
-          in
-          let _:usize = temp_1_ in
-          true)
-      v_A_transpose
-      (fun v_A_transpose i ->
-          let v_A_transpose:t_Array
-            (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-            v_A_transpose
-          in
-          let i:usize = i in
-          let seeds:t_Array (t_Array u8 (sz 34)) v_K = Rust_primitives.Hax.repeat seed v_K in
-          let seeds:t_Array (t_Array u8 (sz 34)) v_K =
-            Rust_primitives.Hax.Folds.fold_range (sz 0)
-              v_K
-              (fun seeds temp_1_ ->
-                  let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in
-                  let _:usize = temp_1_ in
-                  true)
-              seeds
-              (fun seeds j ->
-                  let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in
-                  let j:usize = j in
-                  let seeds:t_Array (t_Array u8 (sz 34)) v_K =
-                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds
-                      j
-                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ]
-                            <:
-                            t_Array u8 (sz 34))
-                          (sz 32)
-                          (cast (i <: usize) <: u8)
-                        <:
-                        t_Array u8 (sz 34))
-                  in
-                  let seeds:t_Array (t_Array u8 (sz 34)) v_K =
-                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds
-                      j
-                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ]
-                            <:
-                            t_Array u8 (sz 34))
-                          (sz 33)
-                          (cast (j <: usize) <: u8)
-                        <:
-                        t_Array u8 (sz 34))
-                  in
-                  seeds)
-          in
-          let sampled:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-            Libcrux_ml_kem.Sampling.sample_from_xof v_K #v_Vector #v_Hasher seeds
-          in
-          Rust_primitives.Hax.Folds.fold_enumerated_slice sampled
-            (fun v_A_transpose temp_1_ ->
-                let v_A_transpose:t_Array
-                  (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-                  v_A_transpose
-                in
-                let _:usize = temp_1_ in
-                true)
-            v_A_transpose
-            (fun v_A_transpose temp_1_ ->
-                let v_A_transpose:t_Array
-                  (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-                  v_A_transpose
-                in
-                let j, sample:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-                  temp_1_
-                in
-                if transpose
-                then
-                  let v_A_transpose:t_Array
-                    (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose
-                      j
-                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ j
-                            ]
-                            <:
-                            t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
-                          )
-                          i
-                          sample
-                        <:
-                        t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-                  in
-                  v_A_transpose
-                else
-                  let v_A_transpose:t_Array
-                    (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
-                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose
-                      i
-                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ i
-                            ]
-                            <:
-                            t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
-                          )
-                          j
-                          sample
-                        <:
-                        t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-                  in
-                  v_A_transpose))
-  in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
-  v_A_transpose
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti
index 78dea4243..8c4c95e96 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Matrix
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -10,6 +10,32 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+val sample_matrix_A
+      (v_K: usize)
+      (#v_Vector #v_Hasher: Type0)
+      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      (v_A_transpose:
+          t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
+      (seed: t_Array u8 (sz 34))
+      (transpose: bool)
+    : Prims.Pure
+      (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
+      (requires Spec.MLKEM.is_rank v_K)
+      (ensures
+        fun v_A_transpose_future ->
+          let v_A_transpose_future:t_Array
+            (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+            v_A_transpose_future
+          in
+          let matrix_A, valid = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice seed 0 32) in
+          valid ==>
+          (if transpose
+            then Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == matrix_A
+            else
+              Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future ==
+              Spec.MLKEM.matrix_transpose matrix_A))
+
 /// Compute  ◦ ŝ + ê
 val compute_As_plus_e
       (v_K: usize)
@@ -21,10 +47,49 @@ val compute_As_plus_e
       (s_as_ntt error_as_ntt:
           t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
     : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires Spec.MLKEM.is_rank v_K)
+      (ensures
+        fun tt_as_ntt_future ->
+          let tt_as_ntt_future:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+            v_K =
+            tt_as_ntt_future
+          in
+          let open Libcrux_ml_kem.Polynomial in
+          to_spec_vector_t tt_as_ntt_future =
+          Spec.MLKEM.compute_As_plus_e_ntt (to_spec_matrix_t matrix_A)
+            (to_spec_vector_t s_as_ntt)
+            (to_spec_vector_t error_as_ntt) /\
+          (forall (i: nat).
+              i < v v_K ==>
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt_future
+                    i)))
+
+/// The following functions compute various expressions involving
+/// vectors and matrices. The computation of these expressions has been
+/// abstracted away into these functions in order to save on loop iterations.
+/// Compute v − InverseNTT(sᵀ ◦ NTT(u))
+val compute_message
+      (v_K: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (secret_as_ntt u_as_ntt:
+          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+    : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (requires Spec.MLKEM.is_rank v_K)
+      (ensures
+        fun res ->
+          let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in
+          let open Libcrux_ml_kem.Polynomial in
+          let secret_spec = to_spec_vector_t secret_as_ntt in
+          let u_spec = to_spec_vector_t u_as_ntt in
+          let v_spec = to_spec_poly_t v in
+          to_spec_poly_t res ==
+          Spec.MLKEM.(poly_sub v_spec
+              (poly_inv_ntt (vector_dot_product_ntt #v_K secret_spec u_spec))) /\
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res)
 
-/// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
+/// Compute InverseNTT(tᵀ ◦ r\u{302}) + e₂ + message
 val compute_ring_element_v
       (v_K: usize)
       (#v_Vector: Type0)
@@ -32,10 +97,21 @@ val compute_ring_element_v
       (tt_as_ntt r_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
       (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires Spec.MLKEM.is_rank v_K)
+      (ensures
+        fun res ->
+          let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in
+          let open Libcrux_ml_kem.Polynomial in
+          let tt_spec = to_spec_vector_t tt_as_ntt in
+          let r_spec = to_spec_vector_t r_as_ntt in
+          let e2_spec = to_spec_poly_t error_2_ in
+          let m_spec = to_spec_poly_t message in
+          let res_spec = to_spec_poly_t res in
+          res_spec ==
+          Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #v_K tt_spec r_spec) e2_spec)
+              m_spec) /\ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res)
 
-/// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
+/// Compute u := InvertNTT(Aᵀ ◦ r\u{302}) + e₁
 val compute_vector_u
       (v_K: usize)
       (#v_Vector: Type0)
@@ -44,34 +120,17 @@ val compute_vector_u
           t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
       (r_as_ntt error_1_: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
     : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// The following functions compute various expressions involving
-/// vectors and matrices. The computation of these expressions has been
-/// abstracted away into these functions in order to save on loop iterations.
-/// Compute v − InverseNTT(sᵀ ◦ NTT(u))
-val compute_message
-      (v_K: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (secret_as_ntt u_as_ntt:
-          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-    : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-val sample_matrix_A
-      (v_K: usize)
-      (#v_Vector #v_Hasher: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      (v_A_transpose:
-          t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
-      (seed: t_Array u8 (sz 34))
-      (transpose: bool)
-    : Prims.Pure
-      (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires Spec.MLKEM.is_rank v_K)
+      (ensures
+        fun res ->
+          let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in
+          let open Libcrux_ml_kem.Polynomial in
+          let a_spec = to_spec_matrix_t a_as_ntt in
+          let r_spec = to_spec_vector_t r_as_ntt in
+          let e_spec = to_spec_vector_t error_1_ in
+          let res_spec = to_spec_vector_t res in
+          res_spec ==
+          Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\
+          (forall (i: nat).
+              i < v v_K ==>
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index res i)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst
index 090b83138..e37975ff3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,60 +11,79 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+let key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
-    (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
-    randomness
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key (sz 4)
+    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+    (sz 1536)
+    (sz 3168)
+    (sz 1568)
+    (sz 1536)
+    key_pair
 
-let init_public_key (_: Prims.unit) =
-  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    #FStar.Tactics.Typeclasses.solve
-    ()
+let key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key_mut (sz 4)
+      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+      (sz 1536)
+      (sz 3168)
+      (sz 1568)
+      (sz 1536)
+      key_pair
+      serialized
+  in
+  serialized
 
-let serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+let key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 4)
+    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+    (sz 1536)
+    (sz 1568)
+    key_pair
+
+let key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
      =
   let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_mut (sz 4)
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 4)
       #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
       (sz 1536)
       (sz 1568)
-      public_key
+      key_pair
       serialized
   in
   serialized
 
-let unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      (unpacked_public_key:
+let serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-      Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 4)
-      (sz 1536)
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
+      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
       (sz 1536)
       (sz 1568)
       public_key
-      unpacked_public_key
-    <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      serialized
   in
-  unpacked_public_key
+  serialized
 
 let decapsulate
       (private_key:
@@ -76,6 +95,16 @@ let decapsulate
     (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
     (sz 128) (sz 1600) private_key ciphertext
 
+let encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
+    (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+    randomness
+
 let generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
       (key_pair:
@@ -122,6 +151,12 @@ let init_key_pair (_: Prims.unit) =
     #FStar.Tactics.Typeclasses.solve
     ()
 
+let init_public_key (_: Prims.unit) =
+  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    #FStar.Tactics.Typeclasses.solve
+    ()
+
 let key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       (key_pair:
@@ -141,60 +176,25 @@ let key_pair_from_private_mut
   in
   key_pair
 
-let key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key (sz 4)
-    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-    (sz 1536)
-    (sz 3168)
-    (sz 1568)
-    (sz 1536)
-    key_pair
-
-let key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+let unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
      =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key_mut (sz 4)
-      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-      (sz 1536)
-      (sz 3168)
-      (sz 1568)
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+      Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 4)
       (sz 1536)
-      key_pair
-      serialized
-  in
-  serialized
-
-let key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key (sz 4)
-    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-    (sz 1536)
-    (sz 1568)
-    key_pair
-
-let key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 4)
-      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
       (sz 1536)
       (sz 1568)
-      key_pair
-      serialized
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
   in
-  serialized
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti
index 538403ec3..72df96050 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,53 +11,71 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let _ =
-        (* This module has implicit dependencies, here we make them explicit. *)
-        (* The implicit dependencies arise from typeclasses instances. *)
-        let open Libcrux_ml_kem.Vector.Portable in
-        let open Libcrux_ml_kem.Vector.Neon in
-        ()
+/// Get the serialized private key.
+val key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-/// Encapsulate ML-KEM 1024 (unpacked)
-/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
-/// <https://github.com/hacspec/hax/issues/770>
-val encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+/// Get the serialized private key.
+val key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
-  -> Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+/// Get the serialized public key.
+val key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (requires
+        forall (i: nat).
+          i < 4 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+val key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      Prims.l_True
+      (requires
+        forall (i: nat).
+          i < 4 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      (unpacked_public_key:
+/// Get the serialized public key.
+val serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (requires
+        forall (i: nat).
+          i < 4 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
 
 /// Decapsulate ML-KEM 1024 (unpacked)
 /// Generates an [`MlKemSharedSecret`].
@@ -70,6 +88,28 @@ val decapsulate
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+let _ =
+        (* This module has implicit dependencies, here we make them explicit. *)
+        (* The implicit dependencies arise from typeclasses instances. *)
+        let open Libcrux_ml_kem.Vector.Portable in
+        let open Libcrux_ml_kem.Vector.Neon in
+        ()
+
+/// Encapsulate ML-KEM 1024 (unpacked)
+/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
+/// <https://github.com/hacspec/hax/issues/770>
+val encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Generate ML-KEM 1024 Key Pair in "unpacked" form
 val generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
@@ -92,6 +132,12 @@ val init_key_pair: Prims.unit
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
           Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+  -> Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 /// Get an unpacked key from a private key.
 val key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
@@ -102,40 +148,12 @@ val key_pair_from_private_mut
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
           Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized private key.
-val key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+/// Get the unpacked public key.
+val unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst
index c32c46655..c9b450487 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -16,12 +16,6 @@ let validate_private_key
 let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) =
   Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key_only (sz 4) (sz 3168) private_key
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4)
-    (sz 1536)
-    (sz 1568)
-    public_key.Libcrux_ml_kem.Types.f_value
-
 let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
@@ -46,3 +40,9 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
     (sz 2)
     (sz 128)
     randomness
+
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4)
+    (sz 1536)
+    (sz 1568)
+    public_key.Libcrux_ml_kem.Types.f_value
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti
index 3639ad2ec..763fc3d71 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,11 +15,6 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Decapsulate ML-KEM 1024
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
@@ -44,3 +39,8 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst
index 73bd9b119..92cd21b33 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Neon.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,60 +11,79 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+let key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
-    (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
-    randomness
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key (sz 4)
+    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+    (sz 1536)
+    (sz 3168)
+    (sz 1568)
+    (sz 1536)
+    key_pair
 
-let init_public_key (_: Prims.unit) =
-  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    #FStar.Tactics.Typeclasses.solve
-    ()
+let key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key_mut (sz 4)
+      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+      (sz 1536)
+      (sz 3168)
+      (sz 1568)
+      (sz 1536)
+      key_pair
+      serialized
+  in
+  serialized
 
-let serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+let key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 4)
+    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+    (sz 1536)
+    (sz 1568)
+    key_pair
+
+let key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
      =
   let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_mut (sz 4)
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 4)
       #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       (sz 1536)
       (sz 1568)
-      public_key
+      key_pair
       serialized
   in
   serialized
 
-let unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      (unpacked_public_key:
+let serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-      Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 4)
-      (sz 1536)
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
+      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       (sz 1536)
       (sz 1568)
       public_key
-      unpacked_public_key
-    <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      serialized
   in
-  unpacked_public_key
+  serialized
 
 let decapsulate
       (private_key:
@@ -76,6 +95,16 @@ let decapsulate
     (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
     (sz 128) (sz 1600) private_key ciphertext
 
+let encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
+    (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+    randomness
+
 let generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
       (key_pair:
@@ -122,6 +151,12 @@ let init_key_pair (_: Prims.unit) =
     #FStar.Tactics.Typeclasses.solve
     ()
 
+let init_public_key (_: Prims.unit) =
+  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    #FStar.Tactics.Typeclasses.solve
+    ()
+
 let key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       (key_pair:
@@ -141,60 +176,25 @@ let key_pair_from_private_mut
   in
   key_pair
 
-let key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key (sz 4)
-    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-    (sz 1536)
-    (sz 3168)
-    (sz 1568)
-    (sz 1536)
-    key_pair
-
-let key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+let unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
      =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key_mut (sz 4)
-      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-      (sz 1536)
-      (sz 3168)
-      (sz 1568)
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+      Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 4)
       (sz 1536)
-      key_pair
-      serialized
-  in
-  serialized
-
-let key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key (sz 4)
-    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-    (sz 1536)
-    (sz 1568)
-    key_pair
-
-let key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 4)
-      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       (sz 1536)
       (sz 1568)
-      key_pair
-      serialized
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
   in
-  serialized
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti
index cee2df61c..3b4eb1833 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Neon.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,56 +11,70 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let _ =
-        (* This module has implicit dependencies, here we make them explicit. *)
-        (* The implicit dependencies arise from typeclasses instances. *)
-        let open Libcrux_ml_kem.Vector.Portable in
-        let open Libcrux_ml_kem.Vector.Neon in
-        ()
-
-/// Encapsulate ML-KEM 1024 (unpacked)
-/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
-/// <https://github.com/hacspec/hax/issues/770>
-val encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+/// Get the serialized private key.
+val key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
-  -> Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+/// Get the serialized private key.
+val key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+val key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (requires
+        forall (i: nat).
+          i < 4 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      Prims.l_True
+      (requires
+        forall (i: nat).
+          i < 4 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      (unpacked_public_key:
+/// Get the serialized public key.
+val serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      Prims.l_True
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (requires
+        forall (i: nat).
+          i < 4 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
 /// Decapsulate ML-KEM 1024 (unpacked)
@@ -74,6 +88,28 @@ val decapsulate
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+let _ =
+        (* This module has implicit dependencies, here we make them explicit. *)
+        (* The implicit dependencies arise from typeclasses instances. *)
+        let open Libcrux_ml_kem.Vector.Portable in
+        let open Libcrux_ml_kem.Vector.Neon in
+        ()
+
+/// Encapsulate ML-KEM 1024 (unpacked)
+/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
+/// <https://github.com/hacspec/hax/issues/770>
+val encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Generate ML-KEM 1024 Key Pair in "unpacked" form
 val generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
@@ -102,6 +138,14 @@ val init_key_pair: Prims.unit
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+  -> Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Get an unpacked key from a private key.
 val key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
@@ -114,40 +158,14 @@ val key_pair_from_private_mut
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized private key.
-val key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+/// Get the unpacked public key.
+val unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       Prims.l_True
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst
index 998288fcd..f664c07b3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -16,12 +16,6 @@ let validate_private_key
 let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) =
   Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key_only (sz 4) (sz 3168) private_key
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4)
-    (sz 1536)
-    (sz 1568)
-    public_key.Libcrux_ml_kem.Types.f_value
-
 let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
@@ -46,3 +40,9 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
     (sz 2)
     (sz 128)
     randomness
+
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4)
+    (sz 1536)
+    (sz 1568)
+    public_key.Libcrux_ml_kem.Types.f_value
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti
index 764b28578..097585875 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,11 +15,6 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Decapsulate ML-KEM 1024
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
@@ -44,3 +39,8 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst
index c06cea855..c0f9ff42d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Portable.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,60 +11,79 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+let key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
-    (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
-    randomness
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key (sz 4)
+    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+    (sz 1536)
+    (sz 3168)
+    (sz 1568)
+    (sz 1536)
+    key_pair
 
-let init_public_key (_: Prims.unit) =
-  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    #FStar.Tactics.Typeclasses.solve
-    ()
+let key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key_mut (sz 4)
+      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (sz 1536)
+      (sz 3168)
+      (sz 1568)
+      (sz 1536)
+      key_pair
+      serialized
+  in
+  serialized
 
-let serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+let key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 4)
+    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+    (sz 1536)
+    (sz 1568)
+    key_pair
+
+let key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
      =
   let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_mut (sz 4)
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 4)
       #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
       (sz 1536)
       (sz 1568)
-      public_key
+      key_pair
       serialized
   in
   serialized
 
-let unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      (unpacked_public_key:
+let serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-      Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 4)
-      (sz 1536)
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
+      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
       (sz 1536)
       (sz 1568)
       public_key
-      unpacked_public_key
-    <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      serialized
   in
-  unpacked_public_key
+  serialized
 
 let decapsulate
       (private_key:
@@ -76,6 +95,16 @@ let decapsulate
     (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
     (sz 128) (sz 1600) private_key ciphertext
 
+let encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
+    (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+    randomness
+
 let generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
       (key_pair:
@@ -122,6 +151,12 @@ let init_key_pair (_: Prims.unit) =
     #FStar.Tactics.Typeclasses.solve
     ()
 
+let init_public_key (_: Prims.unit) =
+  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    #FStar.Tactics.Typeclasses.solve
+    ()
+
 let key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       (key_pair:
@@ -141,60 +176,25 @@ let key_pair_from_private_mut
   in
   key_pair
 
-let key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key (sz 4)
-    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-    (sz 1536)
-    (sz 3168)
-    (sz 1568)
-    (sz 1536)
-    key_pair
-
-let key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+let unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
      =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key_mut (sz 4)
-      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      (sz 1536)
-      (sz 3168)
-      (sz 1568)
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+      Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 4)
       (sz 1536)
-      key_pair
-      serialized
-  in
-  serialized
-
-let key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key (sz 4)
-    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-    (sz 1536)
-    (sz 1568)
-    key_pair
-
-let key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 4)
-      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
       (sz 1536)
       (sz 1568)
-      key_pair
-      serialized
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
   in
-  serialized
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti
index 52a00e90c..6370203e4 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Portable.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,56 +11,70 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let _ =
-        (* This module has implicit dependencies, here we make them explicit. *)
-        (* The implicit dependencies arise from typeclasses instances. *)
-        let open Libcrux_ml_kem.Vector.Portable in
-        let open Libcrux_ml_kem.Vector.Neon in
-        ()
-
-/// Encapsulate ML-KEM 1024 (unpacked)
-/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
-/// <https://github.com/hacspec/hax/issues/770>
-val encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+/// Get the serialized private key.
+val key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
-  -> Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+/// Get the serialized private key.
+val key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+val key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (requires
+        forall (i: nat).
+          i < 4 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      Prims.l_True
+      (requires
+        forall (i: nat).
+          i < 4 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      (unpacked_public_key:
+/// Get the serialized public key.
+val serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      Prims.l_True
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (requires
+        forall (i: nat).
+          i < 4 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
 /// Decapsulate ML-KEM 1024 (unpacked)
@@ -74,6 +88,28 @@ val decapsulate
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+let _ =
+        (* This module has implicit dependencies, here we make them explicit. *)
+        (* The implicit dependencies arise from typeclasses instances. *)
+        let open Libcrux_ml_kem.Vector.Portable in
+        let open Libcrux_ml_kem.Vector.Neon in
+        ()
+
+/// Encapsulate ML-KEM 1024 (unpacked)
+/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
+/// <https://github.com/hacspec/hax/issues/770>
+val encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Generate ML-KEM 1024 Key Pair in "unpacked" form
 val generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
@@ -102,6 +138,14 @@ val init_key_pair: Prims.unit
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+  -> Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Get an unpacked key from a private key.
 val key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
@@ -114,40 +158,14 @@ val key_pair_from_private_mut
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized private key.
-val key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+/// Get the unpacked public key.
+val unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       Prims.l_True
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst
index d4a4eb1fd..c093cfc37 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -18,12 +18,6 @@ let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateK
     (sz 3168)
     private_key
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4)
-    (sz 1536)
-    (sz 1568)
-    public_key.Libcrux_ml_kem.Types.f_value
-
 let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
@@ -48,3 +42,9 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
     (sz 2)
     (sz 128)
     randomness
+
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4)
+    (sz 1536)
+    (sz 1568)
+    public_key.Libcrux_ml_kem.Types.f_value
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti
index f9be395f7..cb06fc90f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,11 +15,6 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Decapsulate ML-KEM 1024
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
@@ -44,3 +39,8 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst
index 363d3888a..69f4ab0fc 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Rand
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti
index a6890b7d0..b2175b095 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024.Rand
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst
index 6137197ca..c296a0efc 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -23,23 +23,35 @@ let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
      =
-  Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568)
-    (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600)
-    private_key ciphertext
+  let result:t_Array u8 (sz 32) =
+    Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568)
+      (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600)
+      private_key ciphertext
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
 let encapsulate
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
       (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408)
-    (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+  let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) =
+    Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408)
+      (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
 let generate_key_pair (randomness: t_Array u8 (sz 64)) =
-  Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4)
-    (sz 1536)
-    (sz 3168)
-    (sz 1568)
-    (sz 1536)
-    (sz 2)
-    (sz 128)
-    randomness
+  let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) =
+    Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4)
+      (sz 1536)
+      (sz 3168)
+      (sz 1568)
+      (sz 1536)
+      (sz 2)
+      (sz 128)
+      randomness
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti
index e62e15b56..007e5c86f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem1024
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -80,7 +80,15 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1
 val decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 32))
+      Prims.l_True
+      (ensures
+        fun res ->
+          let res:t_Array u8 (sz 32) = res in
+          let shared_secret, valid =
+            Spec.MLKEM.Instances.mlkem1024_decapsulate private_key.f_value ciphertext.f_value
+          in
+          valid ==> res == shared_secret)
 
 /// Encapsulate ML-KEM 1024
 /// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -91,7 +99,14 @@ val encapsulate
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
       Prims.l_True
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun res ->
+          let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = res in
+          let (ciphertext, shared_secret), valid =
+            Spec.MLKEM.Instances.mlkem1024_encapsulate public_key.f_value randomness
+          in
+          let res_ciphertext, res_shared_secret = res in
+          valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret))
 
 /// Generate ML-KEM 1024 Key Pair
 /// Generate an ML-KEM key pair. The input is a byte array of size
@@ -100,4 +115,10 @@ val encapsulate
 val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
       Prims.l_True
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun res ->
+          let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = res in
+          let (secret_key, public_key), valid =
+            Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness
+          in
+          valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst
index b24007b1f..a63bcaf11 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Avx2.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,62 +11,82 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+let key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
-    (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key (sz 2)
+    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+    (sz 768)
+    (sz 1632)
+    (sz 800)
+    (sz 768)
+    key_pair
 
-let init_public_key (_: Prims.unit) =
-  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    #FStar.Tactics.Typeclasses.solve
-    ()
+let key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key_mut (sz 2)
+      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+      (sz 768)
+      (sz 1632)
+      (sz 800)
+      (sz 768)
+      key_pair
+      serialized
+  in
+  serialized
 
-let serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+let key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 2)
+    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+    (sz 768)
+    (sz 800)
+    key_pair
+
+let key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
      =
-  let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_mut (sz 2)
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 2)
       #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
       (sz 768)
       (sz 800)
-      public_key
+      key_pair
       serialized
-    <:
-    (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
   in
   serialized
 
-let unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      (unpacked_public_key:
+let serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-      Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
+  let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
     (),
-    Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 2)
-      (sz 768)
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2)
+      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
       (sz 768)
       (sz 800)
       public_key
-      unpacked_public_key
+      serialized
     <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
   in
-  unpacked_public_key
+  serialized
 
 let decapsulate
       (private_key:
@@ -78,6 +98,15 @@ let decapsulate
     (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128)
     (sz 800) private_key ciphertext
 
+let encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
+    (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+
 let generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
       (key_pair:
@@ -118,6 +147,12 @@ let init_key_pair (_: Prims.unit) =
     #FStar.Tactics.Typeclasses.solve
     ()
 
+let init_public_key (_: Prims.unit) =
+  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    #FStar.Tactics.Typeclasses.solve
+    ()
+
 let key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       (key_pair:
@@ -137,60 +172,25 @@ let key_pair_from_private_mut
   in
   key_pair
 
-let key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key (sz 2)
-    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-    (sz 768)
-    (sz 1632)
-    (sz 800)
-    (sz 768)
-    key_pair
-
-let key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+let unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
      =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key_mut (sz 2)
-      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-      (sz 768)
-      (sz 1632)
-      (sz 800)
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+      Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 2)
       (sz 768)
-      key_pair
-      serialized
-  in
-  serialized
-
-let key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key (sz 2)
-    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-    (sz 768)
-    (sz 800)
-    key_pair
-
-let key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 2)
-      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
       (sz 768)
       (sz 800)
-      key_pair
-      serialized
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
   in
-  serialized
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti
index 8c31b6290..21aeb9213 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Avx2.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,51 +11,71 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let _ =
-        (* This module has implicit dependencies, here we make them explicit. *)
-        (* The implicit dependencies arise from typeclasses instances. *)
-        let open Libcrux_ml_kem.Vector.Portable in
-        let open Libcrux_ml_kem.Vector.Neon in
-        ()
+/// Get the serialized private key.
+val key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-/// Encapsulate ML-KEM 512 (unpacked)
-/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+/// Get the serialized private key.
+val key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
-  -> Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+/// Get the serialized public key.
+val key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (requires
+        forall (i: nat).
+          i < 2 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+val key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      Prims.l_True
+      (requires
+        forall (i: nat).
+          i < 2 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      (unpacked_public_key:
+/// Get the serialized public key.
+val serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (requires
+        forall (i: nat).
+          i < 2 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
 
 /// Decapsulate ML-KEM 512 (unpacked)
 /// Generates an [`MlKemSharedSecret`].
@@ -68,6 +88,26 @@ val decapsulate
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+let _ =
+        (* This module has implicit dependencies, here we make them explicit. *)
+        (* The implicit dependencies arise from typeclasses instances. *)
+        let open Libcrux_ml_kem.Vector.Portable in
+        let open Libcrux_ml_kem.Vector.Neon in
+        ()
+
+/// Encapsulate ML-KEM 512 (unpacked)
+/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Generate ML-KEM 512 Key Pair in "unpacked" form
 val generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
@@ -90,6 +130,12 @@ val init_key_pair: Prims.unit
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
           Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+  -> Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 /// Get an unpacked key from a private key.
 val key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
@@ -100,40 +146,12 @@ val key_pair_from_private_mut
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
           Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized private key.
-val key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+/// Get the unpacked public key.
+val unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst
index 8f5da9d9d..81867e6a4 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -16,12 +16,6 @@ let validate_private_key
 let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) =
   Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key_only (sz 2) (sz 1632) private_key
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2)
-    (sz 768)
-    (sz 800)
-    public_key.Libcrux_ml_kem.Types.f_value
-
 let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
@@ -46,3 +40,9 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
     (sz 3)
     (sz 192)
     randomness
+
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2)
+    (sz 768)
+    (sz 800)
+    public_key.Libcrux_ml_kem.Types.f_value
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti
index 7ce084a04..b138131fe 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,11 +15,6 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Decapsulate ML-KEM 512
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
@@ -44,3 +39,8 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst
index c76973e5a..1142a8c11 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Neon.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,62 +11,82 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+let key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
-    (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key (sz 2)
+    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+    (sz 768)
+    (sz 1632)
+    (sz 800)
+    (sz 768)
+    key_pair
 
-let init_public_key (_: Prims.unit) =
-  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    #FStar.Tactics.Typeclasses.solve
-    ()
+let key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key_mut (sz 2)
+      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+      (sz 768)
+      (sz 1632)
+      (sz 800)
+      (sz 768)
+      key_pair
+      serialized
+  in
+  serialized
 
-let serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+let key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 2)
+    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+    (sz 768)
+    (sz 800)
+    key_pair
+
+let key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
      =
-  let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_mut (sz 2)
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 2)
       #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       (sz 768)
       (sz 800)
-      public_key
+      key_pair
       serialized
-    <:
-    (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
   in
   serialized
 
-let unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      (unpacked_public_key:
+let serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-      Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+  let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
     (),
-    Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 2)
-      (sz 768)
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2)
+      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       (sz 768)
       (sz 800)
       public_key
-      unpacked_public_key
+      serialized
     <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
   in
-  unpacked_public_key
+  serialized
 
 let decapsulate
       (private_key:
@@ -78,6 +98,15 @@ let decapsulate
     (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128)
     (sz 800) private_key ciphertext
 
+let encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
+    (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+
 let generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
       (key_pair:
@@ -118,6 +147,12 @@ let init_key_pair (_: Prims.unit) =
     #FStar.Tactics.Typeclasses.solve
     ()
 
+let init_public_key (_: Prims.unit) =
+  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    #FStar.Tactics.Typeclasses.solve
+    ()
+
 let key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       (key_pair:
@@ -137,60 +172,25 @@ let key_pair_from_private_mut
   in
   key_pair
 
-let key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key (sz 2)
-    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-    (sz 768)
-    (sz 1632)
-    (sz 800)
-    (sz 768)
-    key_pair
-
-let key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+let unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
      =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key_mut (sz 2)
-      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-      (sz 768)
-      (sz 1632)
-      (sz 800)
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+      Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 2)
       (sz 768)
-      key_pair
-      serialized
-  in
-  serialized
-
-let key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key (sz 2)
-    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-    (sz 768)
-    (sz 800)
-    key_pair
-
-let key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 2)
-      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       (sz 768)
       (sz 800)
-      key_pair
-      serialized
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
   in
-  serialized
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti
index 54b8c9688..d6eab98a0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Neon.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,54 +11,70 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let _ =
-        (* This module has implicit dependencies, here we make them explicit. *)
-        (* The implicit dependencies arise from typeclasses instances. *)
-        let open Libcrux_ml_kem.Vector.Portable in
-        let open Libcrux_ml_kem.Vector.Neon in
-        ()
-
-/// Encapsulate ML-KEM 512 (unpacked)
-/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+/// Get the serialized private key.
+val key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
-  -> Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+/// Get the serialized private key.
+val key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+val key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (requires
+        forall (i: nat).
+          i < 2 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      Prims.l_True
+      (requires
+        forall (i: nat).
+          i < 2 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      (unpacked_public_key:
+/// Get the serialized public key.
+val serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      Prims.l_True
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (requires
+        forall (i: nat).
+          i < 2 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
 /// Decapsulate ML-KEM 512 (unpacked)
@@ -72,6 +88,26 @@ val decapsulate
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+let _ =
+        (* This module has implicit dependencies, here we make them explicit. *)
+        (* The implicit dependencies arise from typeclasses instances. *)
+        let open Libcrux_ml_kem.Vector.Portable in
+        let open Libcrux_ml_kem.Vector.Neon in
+        ()
+
+/// Encapsulate ML-KEM 512 (unpacked)
+/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Generate ML-KEM 512 Key Pair in "unpacked" form
 val generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
@@ -100,6 +136,14 @@ val init_key_pair: Prims.unit
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+  -> Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Get an unpacked key from a private key.
 val key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
@@ -112,40 +156,14 @@ val key_pair_from_private_mut
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized private key.
-val key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+/// Get the unpacked public key.
+val unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       Prims.l_True
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst
index b24f8684b..077af75fe 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -16,12 +16,6 @@ let validate_private_key
 let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) =
   Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key_only (sz 2) (sz 1632) private_key
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2)
-    (sz 768)
-    (sz 800)
-    public_key.Libcrux_ml_kem.Types.f_value
-
 let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
@@ -46,3 +40,9 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
     (sz 3)
     (sz 192)
     randomness
+
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2)
+    (sz 768)
+    (sz 800)
+    public_key.Libcrux_ml_kem.Types.f_value
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti
index 5d658a252..6886ec966 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,11 +15,6 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Decapsulate ML-KEM 512
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
@@ -44,3 +39,8 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst
index 7baf894ce..ac9e84801 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Portable.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,63 +11,82 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+let key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800)
-    (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key
-    randomness
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key (sz 2)
+    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+    (sz 768)
+    (sz 1632)
+    (sz 800)
+    (sz 768)
+    key_pair
 
-let init_public_key (_: Prims.unit) =
-  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    #FStar.Tactics.Typeclasses.solve
-    ()
+let key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key_mut (sz 2)
+      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (sz 768)
+      (sz 1632)
+      (sz 800)
+      (sz 768)
+      key_pair
+      serialized
+  in
+  serialized
 
-let serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+let key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 2)
+    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+    (sz 768)
+    (sz 800)
+    key_pair
+
+let key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
      =
-  let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_mut (sz 2)
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 2)
       #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
       (sz 768)
       (sz 800)
-      public_key
+      key_pair
       serialized
-    <:
-    (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
   in
   serialized
 
-let unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      (unpacked_public_key:
+let serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-      Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
     (),
-    Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 2)
-      (sz 768)
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2)
+      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
       (sz 768)
       (sz 800)
       public_key
-      unpacked_public_key
+      serialized
     <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
   in
-  unpacked_public_key
+  serialized
 
 let decapsulate
       (private_key:
@@ -79,6 +98,16 @@ let decapsulate
     (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2)
     (sz 128) (sz 800) private_key ciphertext
 
+let encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800)
+    (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key
+    randomness
+
 let generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
       (key_pair:
@@ -119,6 +148,12 @@ let init_key_pair (_: Prims.unit) =
     #FStar.Tactics.Typeclasses.solve
     ()
 
+let init_public_key (_: Prims.unit) =
+  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    #FStar.Tactics.Typeclasses.solve
+    ()
+
 let key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       (key_pair:
@@ -138,60 +173,25 @@ let key_pair_from_private_mut
   in
   key_pair
 
-let key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key (sz 2)
-    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-    (sz 768)
-    (sz 1632)
-    (sz 800)
-    (sz 768)
-    key_pair
-
-let key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+let unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
      =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key_mut (sz 2)
-      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      (sz 768)
-      (sz 1632)
-      (sz 800)
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+      Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 2)
       (sz 768)
-      key_pair
-      serialized
-  in
-  serialized
-
-let key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key (sz 2)
-    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-    (sz 768)
-    (sz 800)
-    key_pair
-
-let key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 2)
-      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
       (sz 768)
       (sz 800)
-      key_pair
-      serialized
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
   in
-  serialized
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti
index 4b0381150..7f06b0b9c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Portable.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,54 +11,70 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let _ =
-        (* This module has implicit dependencies, here we make them explicit. *)
-        (* The implicit dependencies arise from typeclasses instances. *)
-        let open Libcrux_ml_kem.Vector.Portable in
-        let open Libcrux_ml_kem.Vector.Neon in
-        ()
-
-/// Encapsulate ML-KEM 512 (unpacked)
-/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+/// Get the serialized private key.
+val key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
-  -> Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+/// Get the serialized private key.
+val key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+val key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (requires
+        forall (i: nat).
+          i < 2 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      Prims.l_True
+      (requires
+        forall (i: nat).
+          i < 2 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      (unpacked_public_key:
+/// Get the serialized public key.
+val serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      Prims.l_True
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (requires
+        forall (i: nat).
+          i < 2 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
 /// Decapsulate ML-KEM 512 (unpacked)
@@ -72,6 +88,26 @@ val decapsulate
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+let _ =
+        (* This module has implicit dependencies, here we make them explicit. *)
+        (* The implicit dependencies arise from typeclasses instances. *)
+        let open Libcrux_ml_kem.Vector.Portable in
+        let open Libcrux_ml_kem.Vector.Neon in
+        ()
+
+/// Encapsulate ML-KEM 512 (unpacked)
+/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Generate ML-KEM 512 Key Pair in "unpacked" form
 val generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
@@ -100,6 +136,14 @@ val init_key_pair: Prims.unit
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+  -> Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Get an unpacked key from a private key.
 val key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
@@ -112,40 +156,14 @@ val key_pair_from_private_mut
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized private key.
-val key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+/// Get the unpacked public key.
+val unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       Prims.l_True
       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst
index 2f0624828..4c6c96ff8 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -18,12 +18,6 @@ let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateK
     (sz 1632)
     private_key
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2)
-    (sz 768)
-    (sz 800)
-    public_key.Libcrux_ml_kem.Types.f_value
-
 let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
@@ -48,3 +42,9 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
     (sz 3)
     (sz 192)
     randomness
+
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2)
+    (sz 768)
+    (sz 800)
+    public_key.Libcrux_ml_kem.Types.f_value
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti
index 2aa0eb089..64d59c955 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,11 +15,6 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Decapsulate ML-KEM 512
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
@@ -44,3 +39,8 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst
index e0359272f..adca30249 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Rand
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti
index 95ba62654..31ef494ee 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512.Rand
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst
index 4898aaa26..ec76cf211 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -23,23 +23,35 @@ let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
      =
-  Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768)
-    (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800)
-    private_key ciphertext
+  let result:t_Array u8 (sz 32) =
+    Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768)
+      (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800)
+      private_key ciphertext
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
 let encapsulate
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
       (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640)
-    (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+  let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) =
+    Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640)
+      (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
 let generate_key_pair (randomness: t_Array u8 (sz 64)) =
-  Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2)
-    (sz 768)
-    (sz 1632)
-    (sz 800)
-    (sz 768)
-    (sz 3)
-    (sz 192)
-    randomness
+  let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) =
+    Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2)
+      (sz 768)
+      (sz 1632)
+      (sz 800)
+      (sz 768)
+      (sz 3)
+      (sz 192)
+      randomness
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti
index 9031c5873..94590e2ee 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem512
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -80,7 +80,15 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 8
 val decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 32))
+      Prims.l_True
+      (ensures
+        fun res ->
+          let res:t_Array u8 (sz 32) = res in
+          let shared_secret, valid =
+            Spec.MLKEM.Instances.mlkem512_decapsulate private_key.f_value ciphertext.f_value
+          in
+          valid ==> res == shared_secret)
 
 /// Encapsulate ML-KEM 512
 /// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -91,7 +99,14 @@ val encapsulate
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
       Prims.l_True
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun res ->
+          let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = res in
+          let (ciphertext, shared_secret), valid =
+            Spec.MLKEM.Instances.mlkem512_encapsulate public_key.f_value randomness
+          in
+          let res_ciphertext, res_shared_secret = res in
+          valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret))
 
 /// Generate ML-KEM 512 Key Pair
 /// The input is a byte array of size
@@ -100,4 +115,10 @@ val encapsulate
 val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
       Prims.l_True
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun res ->
+          let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = res in
+          let (secret_key, public_key), valid =
+            Spec.MLKEM.Instances.mlkem512_generate_keypair randomness
+          in
+          valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst
index ab0f1a6ad..7788eac55 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Avx2.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,60 +11,79 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+let key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
-    (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
-    randomness
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key (sz 3)
+    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+    (sz 1152)
+    (sz 2400)
+    (sz 1184)
+    (sz 1152)
+    key_pair
 
-let init_public_key (_: Prims.unit) =
-  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    #FStar.Tactics.Typeclasses.solve
-    ()
+let key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key_mut (sz 3)
+      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+      (sz 1152)
+      (sz 2400)
+      (sz 1184)
+      (sz 1152)
+      key_pair
+      serialized
+  in
+  serialized
 
-let serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+let key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3)
+    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+    (sz 1152)
+    (sz 1184)
+    key_pair
+
+let key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
      =
   let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_mut (sz 3)
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 3)
       #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
       (sz 1152)
       (sz 1184)
-      public_key
+      key_pair
       serialized
   in
   serialized
 
-let unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      (unpacked_public_key:
+let serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-      Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 3)
-      (sz 1152)
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3)
+      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
       (sz 1152)
       (sz 1184)
       public_key
-      unpacked_public_key
-    <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      serialized
   in
-  unpacked_public_key
+  serialized
 
 let decapsulate
       (private_key:
@@ -76,6 +95,16 @@ let decapsulate
     (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2)
     (sz 128) (sz 1120) private_key ciphertext
 
+let encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
+    (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+    randomness
+
 let generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
       (key_pair:
@@ -116,6 +145,12 @@ let init_key_pair (_: Prims.unit) =
     #FStar.Tactics.Typeclasses.solve
     ()
 
+let init_public_key (_: Prims.unit) =
+  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    #FStar.Tactics.Typeclasses.solve
+    ()
+
 let key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       (key_pair:
@@ -135,64 +170,6 @@ let key_pair_from_private_mut
   in
   key_pair
 
-let key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key (sz 3)
-    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-    (sz 1152)
-    (sz 2400)
-    (sz 1184)
-    (sz 1152)
-    key_pair
-
-let key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key_mut (sz 3)
-      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-      (sz 1152)
-      (sz 2400)
-      (sz 1184)
-      (sz 1152)
-      key_pair
-      serialized
-  in
-  serialized
-
-let key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key (sz 3)
-    #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-    (sz 1152)
-    (sz 1184)
-    key_pair
-
-let key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3)
-      #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
-      (sz 1152)
-      (sz 1184)
-      key_pair
-      serialized
-  in
-  serialized
-
 let public_key
       (key_pair:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
@@ -206,7 +183,7 @@ let public_key
     Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
           Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
       #FStar.Tactics.Typeclasses.solve
-      (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3)
+      (Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__public_key (sz 3)
           #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
           key_pair
         <:
@@ -214,3 +191,26 @@ let public_key
           Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
   in
   pk
+
+let unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+     =
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+      Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 3)
+      (sz 1152)
+      (sz 1152)
+      (sz 1184)
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+        Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+  in
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti
index b7cb0c69f..26bf0ffd6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Avx2.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -11,51 +11,72 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let _ =
-                (* This module has implicit dependencies, here we make them explicit. *)
-                (* The implicit dependencies arise from typeclasses instances. *)
-                let open Libcrux_ml_kem.Vector.Portable in
-                let open Libcrux_ml_kem.Vector.Neon in
-                ()
+/// Get the serialized private key.
+val key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
 
-/// Encapsulate ML-KEM 768 (unpacked)
-/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+/// Get the serialized private key.
+val key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
-  -> Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+/// Get the serialized public key.
+val key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (requires
+        forall (i: nat).
+          i < 3 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+val key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      Prims.l_True
+      (requires
+        (forall (i: nat).
+            i < 3 ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair
+                    .f_public_key
+                    .f_ind_cpa_public_key
+                    .f_t_as_ntt
+                  i)))
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      (unpacked_public_key:
+/// Get the serialized public key.
+val serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (requires
+        forall (i: nat).
+          i < 3 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
 
 /// Decapsulate ML-KEM 768 (unpacked)
 /// Generates an [`MlKemSharedSecret`].
@@ -68,6 +89,26 @@ val decapsulate
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+let _ =
+                (* This module has implicit dependencies, here we make them explicit. *)
+                (* The implicit dependencies arise from typeclasses instances. *)
+                let open Libcrux_ml_kem.Vector.Portable in
+                let open Libcrux_ml_kem.Vector.Neon in
+                ()
+
+/// Encapsulate ML-KEM 768 (unpacked)
+/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Generate ML-KEM 768 Key Pair in "unpacked" form.
 val generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
@@ -90,6 +131,12 @@ val init_key_pair: Prims.unit
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
           Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+  -> Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
 /// Get an unpacked key from a private key.
 val key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
@@ -100,44 +147,6 @@ val key_pair_from_private_mut
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
           Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized private key.
-val key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
 /// Get the unpacked public key.
 val public_key
       (key_pair:
@@ -149,3 +158,13 @@ val public_key
     : Prims.Pure
       (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
           Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+          Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst
index 33f27771c..ec517abff 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -16,12 +16,6 @@ let validate_private_key
 let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) =
   Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key_only (sz 3) (sz 2400) private_key
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3)
-    (sz 1152)
-    (sz 1184)
-    public_key.Libcrux_ml_kem.Types.f_value
-
 let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
@@ -46,3 +40,9 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
     (sz 2)
     (sz 128)
     randomness
+
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3)
+    (sz 1152)
+    (sz 1184)
+    public_key.Libcrux_ml_kem.Types.f_value
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti
index be82eee5f..32d3615e9 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,11 +15,6 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Decapsulate ML-KEM 768
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
@@ -44,3 +39,8 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst
index 9112b91d8..541f0ab82 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Neon.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -12,60 +12,79 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+let key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
-    (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
-    randomness
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key (sz 3)
+    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+    (sz 1152)
+    (sz 2400)
+    (sz 1184)
+    (sz 1152)
+    key_pair
 
-let init_public_key (_: Prims.unit) =
-  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    #FStar.Tactics.Typeclasses.solve
-    ()
+let key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key_mut (sz 3)
+      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+      (sz 1152)
+      (sz 2400)
+      (sz 1184)
+      (sz 1152)
+      key_pair
+      serialized
+  in
+  serialized
 
-let serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+let key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3)
+    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+    (sz 1152)
+    (sz 1184)
+    key_pair
+
+let key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
      =
   let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_mut (sz 3)
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 3)
       #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       (sz 1152)
       (sz 1184)
-      public_key
+      key_pair
       serialized
   in
   serialized
 
-let unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      (unpacked_public_key:
+let serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-      Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 3)
-      (sz 1152)
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3)
+      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       (sz 1152)
       (sz 1184)
       public_key
-      unpacked_public_key
-    <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      serialized
   in
-  unpacked_public_key
+  serialized
 
 let decapsulate
       (private_key:
@@ -77,6 +96,16 @@ let decapsulate
     (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2)
     (sz 128) (sz 1120) private_key ciphertext
 
+let encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
+    (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+    randomness
+
 let generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
       (key_pair:
@@ -117,6 +146,12 @@ let init_key_pair (_: Prims.unit) =
     #FStar.Tactics.Typeclasses.solve
     ()
 
+let init_public_key (_: Prims.unit) =
+  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    #FStar.Tactics.Typeclasses.solve
+    ()
+
 let key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       (key_pair:
@@ -136,64 +171,6 @@ let key_pair_from_private_mut
   in
   key_pair
 
-let key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key (sz 3)
-    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-    (sz 1152)
-    (sz 2400)
-    (sz 1184)
-    (sz 1152)
-    key_pair
-
-let key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key_mut (sz 3)
-      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-      (sz 1152)
-      (sz 2400)
-      (sz 1184)
-      (sz 1152)
-      key_pair
-      serialized
-  in
-  serialized
-
-let key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key (sz 3)
-    #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-    (sz 1152)
-    (sz 1184)
-    key_pair
-
-let key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3)
-      #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-      (sz 1152)
-      (sz 1184)
-      key_pair
-      serialized
-  in
-  serialized
-
 let public_key
       (key_pair:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
@@ -207,7 +184,7 @@ let public_key
     Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
           Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       #FStar.Tactics.Typeclasses.solve
-      (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3)
+      (Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__public_key (sz 3)
           #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
           key_pair
         <:
@@ -215,3 +192,26 @@ let public_key
           Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
   in
   pk
+
+let unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+     =
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+      Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 3)
+      (sz 1152)
+      (sz 1152)
+      (sz 1184)
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+        Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+  in
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti
index dd9292994..3fbc5e15c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Neon.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -12,54 +12,71 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let _ =
-                (* This module has implicit dependencies, here we make them explicit. *)
-                (* The implicit dependencies arise from typeclasses instances. *)
-                let open Libcrux_ml_kem.Vector.Portable in
-                let open Libcrux_ml_kem.Vector.Neon in
-                ()
-
-/// Encapsulate ML-KEM 768 (unpacked)
-/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+/// Get the serialized private key.
+val key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
-  -> Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+/// Get the serialized private key.
+val key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+val key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (requires
+        forall (i: nat).
+          i < 3 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      Prims.l_True
+      (requires
+        (forall (i: nat).
+            i < 3 ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair
+                    .f_public_key
+                    .f_ind_cpa_public_key
+                    .f_t_as_ntt
+                  i)))
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      (unpacked_public_key:
+/// Get the serialized public key.
+val serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      Prims.l_True
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (requires
+        forall (i: nat).
+          i < 3 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
 /// Decapsulate ML-KEM 768 (unpacked)
@@ -73,6 +90,26 @@ val decapsulate
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+let _ =
+                (* This module has implicit dependencies, here we make them explicit. *)
+                (* The implicit dependencies arise from typeclasses instances. *)
+                let open Libcrux_ml_kem.Vector.Portable in
+                let open Libcrux_ml_kem.Vector.Neon in
+                ()
+
+/// Encapsulate ML-KEM 768 (unpacked)
+/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Generate ML-KEM 768 Key Pair in "unpacked" form.
 val generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
@@ -101,6 +138,14 @@ val init_key_pair: Prims.unit
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+  -> Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Get an unpacked key from a private key.
 val key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
@@ -113,50 +158,24 @@ val key_pair_from_private_mut
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized private key.
-val key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key
+/// Get the unpacked public key.
+val public_key
       (key_pair:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+      (pk:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+          Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 /// Get the unpacked public key.
-val public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (pk:
+val unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (unpacked_public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
     : Prims.Pure
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst
index e24ec2be2..d6ffc47a4 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -16,12 +16,6 @@ let validate_private_key
 let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) =
   Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key_only (sz 3) (sz 2400) private_key
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3)
-    (sz 1152)
-    (sz 1184)
-    public_key.Libcrux_ml_kem.Types.f_value
-
 let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
@@ -46,3 +40,9 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
     (sz 2)
     (sz 128)
     randomness
+
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3)
+    (sz 1152)
+    (sz 1184)
+    public_key.Libcrux_ml_kem.Types.f_value
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti
index 2e9433346..00fc18c11 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,11 +15,6 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Decapsulate ML-KEM 768
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
@@ -44,3 +39,8 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst
index b78dc56bb..4588ae4aa 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Portable.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -12,60 +12,79 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+let key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
-    (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
-    randomness
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key (sz 3)
+    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+    (sz 1152)
+    (sz 2400)
+    (sz 1184)
+    (sz 1152)
+    key_pair
 
-let init_public_key (_: Prims.unit) =
-  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    #FStar.Tactics.Typeclasses.solve
-    ()
+let key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+     =
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_private_key_mut (sz 3)
+      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (sz 1152)
+      (sz 2400)
+      (sz 1184)
+      (sz 1152)
+      key_pair
+      serialized
+  in
+  serialized
 
-let serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+let key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+     =
+  Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3)
+    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+    (sz 1152)
+    (sz 1184)
+    key_pair
+
+let key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
      =
   let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_mut (sz 3)
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 3)
       #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
       (sz 1152)
       (sz 1184)
-      public_key
+      key_pair
       serialized
   in
   serialized
 
-let unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      (unpacked_public_key:
+let serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
      =
-  let hax_temp_output, unpacked_public_key:(Prims.unit &
-    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-      Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-    (),
-    Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 3)
-      (sz 1152)
+  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
+    Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3)
+      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
       (sz 1152)
       (sz 1184)
       public_key
-      unpacked_public_key
-    <:
-    (Prims.unit &
-      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      serialized
   in
-  unpacked_public_key
+  serialized
 
 let decapsulate
       (private_key:
@@ -77,6 +96,16 @@ let decapsulate
     (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2)
     (sz 128) (sz 1120) private_key ciphertext
 
+let encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
+    (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+    randomness
+
 let generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
       (key_pair:
@@ -117,6 +146,12 @@ let init_key_pair (_: Prims.unit) =
     #FStar.Tactics.Typeclasses.solve
     ()
 
+let init_public_key (_: Prims.unit) =
+  Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    #FStar.Tactics.Typeclasses.solve
+    ()
+
 let key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       (key_pair:
@@ -136,64 +171,6 @@ let key_pair_from_private_mut
   in
   key_pair
 
-let key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key (sz 3)
-    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-    (sz 1152)
-    (sz 2400)
-    (sz 1184)
-    (sz 1152)
-    key_pair
-
-let key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_private_key_mut (sz 3)
-      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      (sz 1152)
-      (sz 2400)
-      (sz 1184)
-      (sz 1152)
-      key_pair
-      serialized
-  in
-  serialized
-
-let key_pair_serialized_public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-     =
-  Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key (sz 3)
-    #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-    (sz 1152)
-    (sz 1184)
-    key_pair
-
-let key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-     =
-  let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
-    Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3)
-      #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      (sz 1152)
-      (sz 1184)
-      key_pair
-      serialized
-  in
-  serialized
-
 let public_key
       (key_pair:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
@@ -207,7 +184,7 @@ let public_key
     Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
           Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       #FStar.Tactics.Typeclasses.solve
-      (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3)
+      (Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__public_key (sz 3)
           #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
           key_pair
         <:
@@ -215,3 +192,26 @@ let public_key
           Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
   in
   pk
+
+let unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (unpacked_public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+     =
+  let hax_temp_output, unpacked_public_key:(Prims.unit &
+    Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+      Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+    (),
+    Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 3)
+      (sz 1152)
+      (sz 1152)
+      (sz 1184)
+      public_key
+      unpacked_public_key
+    <:
+    (Prims.unit &
+      Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+        Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+  in
+  unpacked_public_key
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti
index ebaada192..e4f2a98e1 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Portable.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -12,54 +12,71 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let _ =
-                (* This module has implicit dependencies, here we make them explicit. *)
-                (* The implicit dependencies arise from typeclasses instances. *)
-                let open Libcrux_ml_kem.Vector.Portable in
-                let open Libcrux_ml_kem.Vector.Neon in
-                ()
-
-/// Encapsulate ML-KEM 768 (unpacked)
-/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+/// Get the serialized private key.
+val key_pair_serialized_private_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (randomness: t_Array u8 (sz 32))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
-  -> Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+/// Get the serialized private key.
+val key_pair_serialized_private_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val serialized_public_key
-      (public_key:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+val key_pair_serialized_public_key
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (requires
+        forall (i: nat).
+          i < 3 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
+      (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val key_pair_serialized_public_key_mut
+      (key_pair:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      Prims.l_True
+      (requires
+        (forall (i: nat).
+            i < 3 ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair
+                    .f_public_key
+                    .f_ind_cpa_public_key
+                    .f_t_as_ntt
+                  i)))
       (fun _ -> Prims.l_True)
 
-/// Get the unpacked public key.
-val unpacked_public_key
-      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      (unpacked_public_key:
+/// Get the serialized public key.
+val serialized_public_key
+      (public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure
-      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      Prims.l_True
+      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (requires
+        forall (i: nat).
+          i < 3 ==>
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+                  .f_ind_cpa_public_key
+                  .f_t_as_ntt
+                i))
       (fun _ -> Prims.l_True)
 
 /// Decapsulate ML-KEM 768 (unpacked)
@@ -73,6 +90,26 @@ val decapsulate
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+let _ =
+                (* This module has implicit dependencies, here we make them explicit. *)
+                (* The implicit dependencies arise from typeclasses instances. *)
+                let open Libcrux_ml_kem.Vector.Portable in
+                let open Libcrux_ml_kem.Vector.Neon in
+                ()
+
+/// Encapsulate ML-KEM 768 (unpacked)
+/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+      (public_key:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Generate ML-KEM 768 Key Pair in "unpacked" form.
 val generate_key_pair_mut
       (randomness: t_Array u8 (sz 64))
@@ -101,6 +138,14 @@ val init_key_pair: Prims.unit
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+  -> Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Get an unpacked key from a private key.
 val key_pair_from_private_mut
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
@@ -113,50 +158,24 @@ val key_pair_from_private_mut
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Get the serialized private key.
-val key_pair_serialized_private_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized private key.
-val key_pair_serialized_private_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key
+/// Get the unpacked public key.
+val public_key
       (key_pair:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+      (pk:
+          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-    : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+    : Prims.Pure
+      (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 /// Get the unpacked public key.
-val public_key
-      (key_pair:
-          Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
-            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-      (pk:
+val unpacked_public_key
+      (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+      (unpacked_public_key:
           Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst
index 455e4a6b4..ef78b1c7e 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -18,12 +18,6 @@ let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateK
     (sz 2400)
     private_key
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
-  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3)
-    (sz 1152)
-    (sz 1184)
-    public_key.Libcrux_ml_kem.Types.f_value
-
 let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
@@ -48,3 +42,9 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
     (sz 2)
     (sz 128)
     randomness
+
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
+  Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3)
+    (sz 1152)
+    (sz 1184)
+    public_key.Libcrux_ml_kem.Types.f_value
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti
index 5b4868d13..d503ab893 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -15,11 +15,6 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
     : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
-    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
 /// Decapsulate ML-KEM 768
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
@@ -44,3 +39,8 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+    : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst
index df3caf4a2..80ac366d4 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Rand
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti
index 6d9fbe622..fb034e0f5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768.Rand
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst
index 5d0bec2fe..7a9f4607c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -23,23 +23,35 @@ let decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
      =
-  Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088)
-    (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120)
-    private_key ciphertext
+  let result:t_Array u8 (sz 32) =
+    Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088)
+      (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120)
+      private_key ciphertext
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
 let encapsulate
       (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
       (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960)
-    (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+  let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) =
+    Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960)
+      (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
 let generate_key_pair (randomness: t_Array u8 (sz 64)) =
-  Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3)
-    (sz 1152)
-    (sz 2400)
-    (sz 1184)
-    (sz 1152)
-    (sz 2)
-    (sz 128)
-    randomness
+  let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) =
+    Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3)
+      (sz 1152)
+      (sz 2400)
+      (sz 1184)
+      (sz 1152)
+      (sz 2)
+      (sz 128)
+      randomness
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti
index 16febee24..d1d7c217f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -80,7 +80,15 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1
 val decapsulate
       (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
       (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 32))
+      Prims.l_True
+      (ensures
+        fun res ->
+          let res:t_Array u8 (sz 32) = res in
+          let shared_secret, valid =
+            Spec.MLKEM.Instances.mlkem768_decapsulate private_key.f_value ciphertext.f_value
+          in
+          valid ==> res == shared_secret)
 
 /// Encapsulate ML-KEM 768
 /// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -91,7 +99,14 @@ val encapsulate
       (randomness: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
       Prims.l_True
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun res ->
+          let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = res in
+          let (ciphertext, shared_secret), valid =
+            Spec.MLKEM.Instances.mlkem768_encapsulate public_key.f_value randomness
+          in
+          let res_ciphertext, res_shared_secret = res in
+          valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret))
 
 /// Generate ML-KEM 768 Key Pair
 /// Generate an ML-KEM key pair. The input is a byte array of size
@@ -100,4 +115,10 @@ val encapsulate
 val generate_key_pair (randomness: t_Array u8 (sz 64))
     : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
       Prims.l_True
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun res ->
+          let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = res in
+          let (secret_key, public_key), valid =
+            Spec.MLKEM.Instances.mlkem768_generate_keypair randomness
+          in
+          valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst
index 46dfb217a..d9896a6e6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -26,6 +26,8 @@ let ntt_layer_int_vec_step
   in
   a, b <: (v_Vector & v_Vector)
 
+#push-options "--z3rlimit 200 --ext context_pruning"
+
 let ntt_at_layer_1_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -33,17 +35,29 @@ let ntt_at_layer_1_
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer v__initial_coefficient_bound: usize)
+      (v__initial_coefficient_bound: usize)
      =
+  let _:Prims.unit = reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #v_Vector) in
+  let _:Prims.unit = reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #v_Vector) in
+  let v__zeta_i_init:usize = zeta_i in
   let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (sz 16)
-      (fun temp_0_ temp_1_ ->
+      (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
             temp_0_
           in
-          let _:usize = temp_1_ in
-          true)
+          let round:usize = round in
+          v zeta_i == v v__zeta_i_init + v round * 4 /\
+          (v round < 16 ==>
+            (forall (i: nat).
+                (i >= v round /\ i < 16) ==>
+                Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i: nat).
+              i < v round ==>
+              Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328)
+                (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))))
       (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
       (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
@@ -51,6 +65,11 @@ let ntt_at_layer_1_
           in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
             {
               re with
@@ -62,19 +81,10 @@ let ntt_at_layer_1_
                 (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_1_step #v_Vector
                     #FStar.Tactics.Typeclasses.solve
                     (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize
-                      ]
-                      <:
-                      i16)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize
-                      ]
-                      <:
-                      i16)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize
-                      ]
-                      <:
-                      i16)
+                    (Libcrux_ml_kem.Polynomial.zeta zeta_i <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta (zeta_i +! sz 1 <: usize) <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta (zeta_i +! sz 2 <: usize) <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta (zeta_i +! sz 3 <: usize) <: i16)
                   <:
                   v_Vector)
             }
@@ -82,11 +92,24 @@ let ntt_at_layer_1_
             Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
           let zeta_i:usize = zeta_i +! sz 3 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
+          let _:Prims.unit =
+            assert (Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 
+#pop-options
+
+#push-options "--z3rlimit 200 --ext context_pruning"
+
 let ntt_at_layer_2_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -94,17 +117,29 @@ let ntt_at_layer_2_
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer v__initial_coefficient_bound: usize)
+      (v__initial_coefficient_bound: usize)
      =
+  let _:Prims.unit = reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #v_Vector) in
+  let _:Prims.unit = reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #v_Vector) in
+  let v__zeta_i_init:usize = zeta_i in
   let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (sz 16)
-      (fun temp_0_ temp_1_ ->
+      (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
             temp_0_
           in
-          let _:usize = temp_1_ in
-          true)
+          let round:usize = round in
+          v zeta_i == v v__zeta_i_init + v round * 2 /\
+          (v round < 16 ==>
+            (forall (i: nat).
+                (i >= v round /\ i < 16) ==>
+                Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i: nat).
+              i < v round ==>
+              Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328)
+                (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))))
       (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
       (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
@@ -112,6 +147,11 @@ let ntt_at_layer_2_
           in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
             {
               re with
@@ -123,11 +163,8 @@ let ntt_at_layer_2_
                 (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_2_step #v_Vector
                     #FStar.Tactics.Typeclasses.solve
                     (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize
-                      ]
-                      <:
-                      i16)
+                    (Libcrux_ml_kem.Polynomial.zeta zeta_i <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta (zeta_i +! sz 1 <: usize) <: i16)
                   <:
                   v_Vector)
             }
@@ -135,11 +172,24 @@ let ntt_at_layer_2_
             Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
           let zeta_i:usize = zeta_i +! sz 1 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
+          let _:Prims.unit =
+            assert (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 
+#pop-options
+
+#push-options "--z3rlimit 200 --ext context_pruning"
+
 let ntt_at_layer_3_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -147,17 +197,29 @@ let ntt_at_layer_3_
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer v__initial_coefficient_bound: usize)
+      (v__initial_coefficient_bound: usize)
      =
+  let _:Prims.unit = reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #v_Vector) in
+  let _:Prims.unit = reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #v_Vector) in
+  let v__zeta_i_init:usize = zeta_i in
   let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (sz 16)
-      (fun temp_0_ temp_1_ ->
+      (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
             temp_0_
           in
-          let _:usize = temp_1_ in
-          true)
+          let round:usize = round in
+          v zeta_i == v v__zeta_i_init + v round /\
+          (v round < 16 ==>
+            (forall (i: nat).
+                (i >= v round /\ i < 16) ==>
+                Spec.Utils.is_i16b_array_opaque (11207 + 3 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i: nat).
+              i < v round ==>
+              Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328)
+                (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))))
       (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
       (fun temp_0_ round ->
           let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
@@ -165,6 +227,11 @@ let ntt_at_layer_3_
           in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque (11207 + 3 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
             {
               re with
@@ -176,18 +243,31 @@ let ntt_at_layer_3_
                 (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_3_step #v_Vector
                     #FStar.Tactics.Typeclasses.solve
                     (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector)
-                    (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
+                    (Libcrux_ml_kem.Polynomial.zeta zeta_i <: i16)
                   <:
                   v_Vector)
             }
             <:
             Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
+          let _:Prims.unit =
+            reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
+              (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
+          let _:Prims.unit =
+            assert (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328)
+                  (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
+          in
           re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
 let ntt_at_layer_4_plus
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -197,13 +277,8 @@ let ntt_at_layer_4_plus
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
       (layer v__initial_coefficient_bound: usize)
      =
-  let _:Prims.unit =
-    if true
-    then
-      let _:Prims.unit = Hax_lib.v_assert (layer >=. sz 4 <: bool) in
-      ()
-  in
   let step:usize = sz 1 <<! layer in
+  let v__zeta_i_init:usize = zeta_i in
   let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (sz 128 >>! layer <: usize)
@@ -240,7 +315,7 @@ let ntt_at_layer_4_plus
                       (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ]
                         <:
                         v_Vector)
-                      (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
+                      (Libcrux_ml_kem.Polynomial.zeta zeta_i <: i16)
                   in
                   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
                     {
@@ -275,6 +350,10 @@ let ntt_at_layer_4_plus
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
 let ntt_at_layer_7_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -283,17 +362,22 @@ let ntt_at_layer_7_
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
      =
   let step:usize = Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT /! sz 2 in
+  let _:Prims.unit = assert (v step == 8) in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       step
-      (fun re temp_1_ ->
+      (fun re j ->
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
-          let _:usize = temp_1_ in
-          true)
+          let j:usize = j in
+          (v j < 8 ==>
+            (forall (i: nat).
+                (i >= v j /\ i < 8) ==>
+                ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ]))))
       re
       (fun re j ->
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
           let j:usize = j in
+          let _:Prims.unit = reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #v_Vector) in
           let t:v_Vector =
             Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant #v_Vector
               #FStar.Tactics.Typeclasses.solve
@@ -341,6 +425,10 @@ let ntt_at_layer_7_
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   re
 
+#pop-options
+
+#push-options "--z3rlimit 200"
+
 let ntt_binomially_sampled_ring_element
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -353,49 +441,54 @@ let ntt_binomially_sampled_ring_element
   in
   let zeta_i:usize = sz 1 in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 3)
+    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 11207)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3)
+    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 11207 +! sz 3328 <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 3)
+    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 11207 +! (sz 2 *! sz 3328 <: usize) <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 3)
+    ntt_at_layer_3_ #v_Vector zeta_i re (sz 11207 +! (sz 3 *! sz 3328 <: usize) <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 3)
+    ntt_at_layer_2_ #v_Vector zeta_i re (sz 11207 +! (sz 4 *! sz 3328 <: usize) <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 3)
+    ntt_at_layer_1_ #v_Vector zeta_i re (sz 11207 +! (sz 5 *! sz 3328 <: usize) <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
-  let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-  =
-    (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re
+  let result, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+    (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re
     <:
     (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
   in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  let hax_temp_output:Prims.unit = result in
   re
 
+#pop-options
+
+#push-options "--z3rlimit 200"
+
 let ntt_vector_u
       (v_VECTOR_U_COMPRESSION_FACTOR: usize)
       (#v_Vector: Type0)
@@ -412,45 +505,48 @@ let ntt_vector_u
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 3328)
+    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 2 *! sz 3328 <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3328)
+    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3 *! sz 3328 <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 3328)
+    ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 4 *! sz 3328 <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 3328)
+    ntt_at_layer_3_ #v_Vector zeta_i re (sz 5 *! sz 3328 <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 3328)
+    ntt_at_layer_2_ #v_Vector zeta_i re (sz 6 *! sz 3328 <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
   let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
-    ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 3328)
+    ntt_at_layer_1_ #v_Vector zeta_i re (sz 7 *! sz 3328 <: usize)
   in
   let zeta_i:usize = tmp0 in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in
   let _:Prims.unit = () in
-  let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-  =
-    (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re
+  let result, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+    (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re
     <:
     (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
   in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  let hax_temp_output:Prims.unit = result in
   re
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti
index 2e535adc9..7f10c45bd 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -14,37 +14,97 @@ val ntt_layer_int_vec_step
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (a b: v_Vector)
       (zeta_r: i16)
-    : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (v_Vector & v_Vector)
+      (requires
+        Spec.Utils.is_i16b 1664 zeta_r /\
+        (let t = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe b zeta_r in
+          (forall i.
+              i < 16 ==>
+              Spec.Utils.is_intb (pow2 15 - 1)
+                (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) -
+                  v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\
+          (forall i.
+              i < 16 ==>
+              Spec.Utils.is_intb (pow2 15 - 1)
+                (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) +
+                  v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i)))))
+      (fun _ -> Prims.l_True)
+
+[@@ "opaque_to_smt"]
+    let ntt_re_range_1 (#v_Vector: Type0)
+            {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+            (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+        forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328)
+                (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
+
+[@@ "opaque_to_smt"]
+   let ntt_re_range_2 (#v_Vector: Type0)
+         {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+         (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
 
 val ntt_at_layer_1_
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer v__initial_coefficient_bound: usize)
+      (v__initial_coefficient_bound: usize)
     : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires v zeta_i == 63 /\ ntt_re_range_2 re)
+      (ensures
+        fun temp_0_ ->
+          let zeta_i_future, re_future:(usize &
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+            temp_0_
+          in
+          ntt_re_range_1 re_future /\ v zeta_i_future == 127)
+
+[@@ "opaque_to_smt"]
+   let ntt_re_range_3 (#v_Vector: Type0)
+         {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+         (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
 
 val ntt_at_layer_2_
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer v__initial_coefficient_bound: usize)
+      (v__initial_coefficient_bound: usize)
     : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires v zeta_i == 31 /\ ntt_re_range_3 re)
+      (ensures
+        fun temp_0_ ->
+          let zeta_i_future, re_future:(usize &
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+            temp_0_
+          in
+          ntt_re_range_2 re_future /\ v zeta_i_future == 63)
+
+[@@ "opaque_to_smt"]
+   let ntt_re_range_4 (#v_Vector: Type0)
+         {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+         (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
 
 val ntt_at_layer_3_
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (zeta_i: usize)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (v__layer v__initial_coefficient_bound: usize)
+      (v__initial_coefficient_bound: usize)
     : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires v zeta_i == 15 /\ ntt_re_range_4 re)
+      (ensures
+        fun temp_0_ ->
+          let zeta_i_future, re_future:(usize &
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+            temp_0_
+          in
+          ntt_re_range_3 re_future /\ v zeta_i_future == 31)
 
 val ntt_at_layer_4_plus
       (#v_Vector: Type0)
@@ -53,15 +113,46 @@ val ntt_at_layer_4_plus
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
       (layer v__initial_coefficient_bound: usize)
     : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        v layer >= 4 /\ v layer <= 7 /\
+        ((v layer == 4 ==> v zeta_i == 7) /\ (v layer == 5 ==> v zeta_i == 3) /\
+          (v layer == 6 ==> v zeta_i == 1) /\ (v layer == 7 ==> v zeta_i == 0)))
+      (ensures
+        fun temp_0_ ->
+          let zeta_i_future, re_future:(usize &
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+            temp_0_
+          in
+          ntt_re_range_4 re_future /\ (v layer == 4 ==> v zeta_i_future == 15) /\
+          (v layer == 5 ==> v zeta_i_future == 7) /\ (v layer == 6 ==> v zeta_i_future == 3) /\
+          (v layer == 7 ==> v zeta_i_future == 1))
+
+[@@ "opaque_to_smt"]
+   let ntt_layer_7_pre (#v_Vector: Type0)
+        {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+        (re_0 re_1: v_Vector) =
+    (forall i. i < 16 ==>
+      Spec.Utils.is_intb (pow2 15 - 1)
+      (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\
+    (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 (-1600s) in
+    (forall i. i < 16 ==> 
+      Spec.Utils.is_intb (pow2 15 - 1) 
+        (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - 
+          v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\
+    (forall i. i < 16 ==> 
+      Spec.Utils.is_intb (pow2 15 - 1) 
+        (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + 
+          v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))
 
 val ntt_at_layer_7_
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
+      (requires
+        forall i.
+          i < 8 ==>
+          ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ]))
       (fun _ -> Prims.l_True)
 
 val ntt_binomially_sampled_ring_element
@@ -69,8 +160,16 @@ val ntt_binomially_sampled_ring_element
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        forall i.
+          i < 8 ==>
+          ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ]))
+      (ensures
+        fun re_future ->
+          let re_future:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re_future in
+          Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re_future ==
+          Spec.MLKEM.poly_ntt (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re) /\
+          Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #v_Vector re_future)
 
 val ntt_vector_u
       (v_VECTOR_U_COMPRESSION_FACTOR: usize)
@@ -79,4 +178,8 @@ val ntt_vector_u
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
       Prims.l_True
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun re_future ->
+          let re_future:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re_future in
+          Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re_future ==
+          Spec.MLKEM.poly_ntt (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
index 3cb84c2ef..4cad63238 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Polynomial
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -9,56 +9,75 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let impl__ZERO
+let zeta (i: usize) =
+  let result:i16 = v_ZETAS_TIMES_MONTGOMERY_R.[ i ] in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl':
+    #v_Vector: Type0 ->
+    {| i1: Core.Clone.t_Clone v_Vector |} ->
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+  -> Core.Clone.t_Clone (t_PolynomialRingElement v_Vector)
+
+let impl
       (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_Vector)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
+          i2:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (_: Prims.unit)
-     =
-  {
-    f_coefficients
-    =
-    Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector
-          #FStar.Tactics.Typeclasses.solve
-          ()
-        <:
-        v_Vector)
-      (sz 16)
-  }
-  <:
-  t_PolynomialRingElement v_Vector
+     = impl' #v_Vector #i1 #i2
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1':
+    #v_Vector: Type0 ->
+    {| i1: Core.Marker.t_Copy v_Vector |} ->
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+  -> Core.Marker.t_Copy (t_PolynomialRingElement v_Vector)
 
-let impl__add_error_reduce
+let impl_1
       (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Marker.t_Copy v_Vector)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i2:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self error: t_PolynomialRingElement v_Vector)
+     = impl_1' #v_Vector #i1 #i2
+
+#push-options "--admit_smt_queries true"
+
+let add_error_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself error: t_PolynomialRingElement v_Vector)
      =
-  let self:t_PolynomialRingElement v_Vector =
+  let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
-      (fun self temp_1_ ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      (fun myself temp_1_ ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let _:usize = temp_1_ in
           true)
-      self
-      (fun self j ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      myself
+      (fun myself j ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let j:usize = j in
           let coefficient_normal_form:v_Vector =
             Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              (self.f_coefficients.[ j ] <: v_Vector)
+              (myself.f_coefficients.[ j ] <: v_Vector)
               1441s
           in
-          let self:t_PolynomialRingElement v_Vector =
+          let myself:t_PolynomialRingElement v_Vector =
             {
-              self with
+              myself with
               f_coefficients
               =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
                 j
                 (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
                     #FStar.Tactics.Typeclasses.solve
@@ -74,17 +93,31 @@ let impl__add_error_reduce
             <:
             t_PolynomialRingElement v_Vector
           in
-          self)
+          myself)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
+  myself
+
+#pop-options
+
+let impl_2__add_error_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self error: t_PolynomialRingElement v_Vector)
+     =
+  let self:t_PolynomialRingElement v_Vector = add_error_reduce #v_Vector self error in
   self
 
-let impl__add_message_error_reduce
+#push-options "--admit_smt_queries true"
+
+let add_message_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self message result: t_PolynomialRingElement v_Vector)
+      (myself message result: t_PolynomialRingElement v_Vector)
      =
   let result:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
@@ -106,7 +139,7 @@ let impl__add_message_error_reduce
           let tmp:v_Vector =
             Libcrux_ml_kem.Vector.Traits.f_add #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              (self.f_coefficients.[ i ] <: v_Vector)
+              (myself.f_coefficients.[ i ] <: v_Vector)
               (message.f_coefficients.[ i ] <: v_Vector)
           in
           let tmp:v_Vector =
@@ -135,34 +168,46 @@ let impl__add_message_error_reduce
   in
   result
 
-let impl__add_standard_error_reduce
+#pop-options
+
+let impl_2__add_message_error_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self error: t_PolynomialRingElement v_Vector)
+      (self message result: t_PolynomialRingElement v_Vector)
+     = add_message_error_reduce #v_Vector self message result
+
+#push-options "--admit_smt_queries true"
+
+let add_standard_error_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself error: t_PolynomialRingElement v_Vector)
      =
-  let self:t_PolynomialRingElement v_Vector =
+  let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
-      (fun self temp_1_ ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      (fun myself temp_1_ ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let _:usize = temp_1_ in
           true)
-      self
-      (fun self j ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      myself
+      (fun myself j ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let j:usize = j in
           let coefficient_normal_form:v_Vector =
             Libcrux_ml_kem.Vector.Traits.to_standard_domain #v_Vector
-              (self.f_coefficients.[ j ] <: v_Vector)
+              (myself.f_coefficients.[ j ] <: v_Vector)
           in
-          let self:t_PolynomialRingElement v_Vector =
+          let myself:t_PolynomialRingElement v_Vector =
             {
-              self with
+              myself with
               f_coefficients
               =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
                 j
                 (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
                     #FStar.Tactics.Typeclasses.solve
@@ -178,40 +223,52 @@ let impl__add_standard_error_reduce
             <:
             t_PolynomialRingElement v_Vector
           in
-          self)
+          myself)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
+  myself
+
+#pop-options
+
+let impl_2__add_standard_error_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self error: t_PolynomialRingElement v_Vector)
+     =
+  let self:t_PolynomialRingElement v_Vector = add_standard_error_reduce #v_Vector self error in
   self
 
-let impl__add_to_ring_element
+#push-options "--admit_smt_queries true"
+
+let poly_barrett_reduce
       (#v_Vector: Type0)
-      (v_K: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self rhs: t_PolynomialRingElement v_Vector)
+      (myself: t_PolynomialRingElement v_Vector)
      =
-  let self:t_PolynomialRingElement v_Vector =
+  let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (Core.Slice.impl__len #v_Vector (self.f_coefficients <: t_Slice v_Vector) <: usize)
-      (fun self temp_1_ ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      v_VECTORS_IN_RING_ELEMENT
+      (fun myself temp_1_ ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let _:usize = temp_1_ in
           true)
-      self
-      (fun self i ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      myself
+      (fun myself i ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let i:usize = i in
           {
-            self with
+            myself with
             f_coefficients
             =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
               i
-              (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector
+              (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
                   #FStar.Tactics.Typeclasses.solve
-                  (self.f_coefficients.[ i ] <: v_Vector)
-                  (rhs.f_coefficients.[ i ] <: v_Vector)
+                  (myself.f_coefficients.[ i ] <: v_Vector)
                 <:
                 v_Vector)
             <:
@@ -221,16 +278,129 @@ let impl__add_to_ring_element
           t_PolynomialRingElement v_Vector)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
+  myself
+
+#pop-options
+
+let impl_2__poly_barrett_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self: t_PolynomialRingElement v_Vector)
+     =
+  let self:t_PolynomialRingElement v_Vector = poly_barrett_reduce #v_Vector self in
   self
 
-let impl__from_i16_array
+#push-options "--admit_smt_queries true"
+
+let subtract_reduce
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself b: t_PolynomialRingElement v_Vector)
+     =
+  let b:t_PolynomialRingElement v_Vector =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      v_VECTORS_IN_RING_ELEMENT
+      (fun b temp_1_ ->
+          let b:t_PolynomialRingElement v_Vector = b in
+          let _:usize = temp_1_ in
+          true)
+      b
+      (fun b i ->
+          let b:t_PolynomialRingElement v_Vector = b in
+          let i:usize = i in
+          let coefficient_normal_form:v_Vector =
+            Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector
+              #FStar.Tactics.Typeclasses.solve
+              (b.f_coefficients.[ i ] <: v_Vector)
+              1441s
+          in
+          let b:t_PolynomialRingElement v_Vector =
+            {
+              b with
+              f_coefficients
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients
+                i
+                (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
+                    #FStar.Tactics.Typeclasses.solve
+                    (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector
+                        #FStar.Tactics.Typeclasses.solve
+                        (myself.f_coefficients.[ i ] <: v_Vector)
+                        coefficient_normal_form
+                      <:
+                      v_Vector)
+                  <:
+                  v_Vector)
+            }
+            <:
+            t_PolynomialRingElement v_Vector
+          in
+          b)
+  in
+  b
+
+#pop-options
+
+let impl_2__subtract_reduce
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (self b: t_PolynomialRingElement v_Vector)
+     = subtract_reduce #v_Vector self b
+
+let impl_2__ZERO
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (_: Prims.unit)
+     =
+  {
+    f_coefficients
+    =
+    Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector
+          #FStar.Tactics.Typeclasses.solve
+          ()
+        <:
+        v_Vector)
+      (sz 16)
+  }
+  <:
+  t_PolynomialRingElement v_Vector
+
+let v_ZERO
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (_: Prims.unit)
+     =
+  {
+    f_coefficients
+    =
+    Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector
+          #FStar.Tactics.Typeclasses.solve
+          ()
+        <:
+        v_Vector)
+      (sz 16)
+  }
+  <:
+  t_PolynomialRingElement v_Vector
+
+let from_i16_array
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (a: t_Slice i16)
      =
-  let result:t_PolynomialRingElement v_Vector = impl__ZERO #v_Vector () in
+  let result:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in
   let result:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
@@ -268,14 +438,24 @@ let impl__from_i16_array
   in
   result
 
-let impl__ntt_multiply
+let impl_2__from_i16_array
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self rhs: t_PolynomialRingElement v_Vector)
+      (a: t_Slice i16)
+     = from_i16_array #v_Vector a
+
+#push-options "--admit_smt_queries true"
+
+let ntt_multiply
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself rhs: t_PolynomialRingElement v_Vector)
      =
-  let out:t_PolynomialRingElement v_Vector = impl__ZERO #v_Vector () in
+  let out:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in
   let out:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       v_VECTORS_IN_RING_ELEMENT
@@ -295,24 +475,12 @@ let impl__ntt_multiply
               i
               (Libcrux_ml_kem.Vector.Traits.f_ntt_multiply #v_Vector
                   #FStar.Tactics.Typeclasses.solve
-                  (self.f_coefficients.[ i ] <: v_Vector)
+                  (myself.f_coefficients.[ i ] <: v_Vector)
                   (rhs.f_coefficients.[ i ] <: v_Vector)
-                  (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! (sz 4 *! i <: usize) <: usize ] <: i16)
-                  (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1
-                      <:
-                      usize ]
-                    <:
-                    i16)
-                  (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2
-                      <:
-                      usize ]
-                    <:
-                    i16)
-                  (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3
-                      <:
-                      usize ]
-                    <:
-                    i16)
+                  (zeta (sz 64 +! (sz 4 *! i <: usize) <: usize) <: i16)
+                  (zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 <: usize) <: i16)
+                  (zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 <: usize) <: i16)
+                  (zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3 <: usize) <: i16)
                 <:
                 v_Vector)
             <:
@@ -323,33 +491,47 @@ let impl__ntt_multiply
   in
   out
 
-let impl__poly_barrett_reduce
+#pop-options
+
+let impl_2__ntt_multiply
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self: t_PolynomialRingElement v_Vector)
+      (self rhs: t_PolynomialRingElement v_Vector)
+     = ntt_multiply #v_Vector self rhs
+
+#push-options "--admit_smt_queries true"
+
+let add_to_ring_element
+      (#v_Vector: Type0)
+      (v_K: usize)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (myself rhs: t_PolynomialRingElement v_Vector)
      =
-  let self:t_PolynomialRingElement v_Vector =
+  let myself:t_PolynomialRingElement v_Vector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
-      v_VECTORS_IN_RING_ELEMENT
-      (fun self temp_1_ ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      (Core.Slice.impl__len #v_Vector (myself.f_coefficients <: t_Slice v_Vector) <: usize)
+      (fun myself temp_1_ ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let _:usize = temp_1_ in
           true)
-      self
-      (fun self i ->
-          let self:t_PolynomialRingElement v_Vector = self in
+      myself
+      (fun myself i ->
+          let myself:t_PolynomialRingElement v_Vector = myself in
           let i:usize = i in
           {
-            self with
+            myself with
             f_coefficients
             =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
               i
-              (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
+              (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector
                   #FStar.Tactics.Typeclasses.solve
-                  (self.f_coefficients.[ i ] <: v_Vector)
+                  (myself.f_coefficients.[ i ] <: v_Vector)
+                  (rhs.f_coefficients.[ i ] <: v_Vector)
                 <:
                 v_Vector)
             <:
@@ -359,53 +541,17 @@ let impl__poly_barrett_reduce
           t_PolynomialRingElement v_Vector)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
-  self
+  myself
+
+#pop-options
 
-let impl__subtract_reduce
+let impl_2__add_to_ring_element
       (#v_Vector: Type0)
+      (v_K: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
+          i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (self b: t_PolynomialRingElement v_Vector)
+      (self rhs: t_PolynomialRingElement v_Vector)
      =
-  let b:t_PolynomialRingElement v_Vector =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      v_VECTORS_IN_RING_ELEMENT
-      (fun b temp_1_ ->
-          let b:t_PolynomialRingElement v_Vector = b in
-          let _:usize = temp_1_ in
-          true)
-      b
-      (fun b i ->
-          let b:t_PolynomialRingElement v_Vector = b in
-          let i:usize = i in
-          let coefficient_normal_form:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector
-              #FStar.Tactics.Typeclasses.solve
-              (b.f_coefficients.[ i ] <: v_Vector)
-              1441s
-          in
-          let b:t_PolynomialRingElement v_Vector =
-            {
-              b with
-              f_coefficients
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients
-                i
-                (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
-                    #FStar.Tactics.Typeclasses.solve
-                    (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector
-                        #FStar.Tactics.Typeclasses.solve
-                        (self.f_coefficients.[ i ] <: v_Vector)
-                        coefficient_normal_form
-                      <:
-                      v_Vector)
-                  <:
-                  v_Vector)
-            }
-            <:
-            t_PolynomialRingElement v_Vector
-          in
-          b)
-  in
-  b
+  let self:t_PolynomialRingElement v_Vector = add_to_ring_element #v_Vector v_K self rhs in
+  self
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti
index 51dae0e12..7f60ace38 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Polynomial
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -10,6 +10,7 @@ let _ =
   ()
 
 let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) =
+  let _:Prims.unit = assert_norm (pow2 16 == 65536) in
   let list =
     [
       (-1044s); (-758s); (-359s); (-1517s); 1493s; 1422s; 287s; 202s; (-171s); 622s; 1577s; 182s;
@@ -28,53 +29,143 @@ let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) =
   FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 128);
   Rust_primitives.Hax.array_of_list 128 list
 
-let v_VECTORS_IN_RING_ELEMENT: usize =
-  Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /!
-  Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
+val zeta (i: usize)
+    : Prims.Pure i16
+      (requires i <. sz 128)
+      (ensures
+        fun result ->
+          let result:i16 = result in
+          Spec.Utils.is_i16b 1664 result)
 
 type t_PolynomialRingElement
   (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
   = { f_coefficients:t_Array v_Vector (sz 16) }
 
-val impl__ZERO:
-    #v_Vector: Type0 ->
-    {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
-    Prims.unit
-  -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+let to_spec_poly_t (#v_Vector: Type0)
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial =
+    createi (sz 256) (fun i -> Spec.MLKEM.Math.to_spec_fe 
+                                (Seq.index (i2._super_8706949974463268012.f_repr 
+                                    (Seq.index p.f_coefficients (v i / 16))) (v i % 16)))
+
+let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r =
+    createi r (fun i -> to_spec_poly_t #v_Vector (m.[i]))
 
-val impl__add_error_reduce
+let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r =
+    createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i]))
+
+let v_VECTORS_IN_RING_ELEMENT: usize =
+  Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /!
+  Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl
       (#v_Vector: Type0)
+      {| i1: Core.Clone.t_Clone v_Vector |}
       {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    : Core.Clone.t_Clone (t_PolynomialRingElement v_Vector)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1
+      (#v_Vector: Type0)
+      {| i1: Core.Marker.t_Copy v_Vector |}
+      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    : Core.Marker.t_Copy (t_PolynomialRingElement v_Vector)
+
+val add_error_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself error: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__add_error_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self error: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-val impl__add_message_error_reduce
+val add_message_error_reduce
       (#v_Vector: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself message result: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__add_message_error_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self message result: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-val impl__add_standard_error_reduce
+val add_standard_error_reduce
       (#v_Vector: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself error: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__add_standard_error_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self error: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
-/// sum of their constituent coefficients.
-val impl__add_to_ring_element
+val poly_barrett_reduce
       (#v_Vector: Type0)
-      (v_K: usize)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (self rhs: t_PolynomialRingElement v_Vector)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-val impl__from_i16_array
+val impl_2__poly_barrett_reduce
       (#v_Vector: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (a: t_Slice i16)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (self: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
+val subtract_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself b: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__subtract_reduce
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (self b: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__ZERO:
+    #v_Vector: Type0 ->
+    {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
+    Prims.unit
+  -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val v_ZERO:
+    #v_Vector: Type0 ->
+    {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
+    Prims.unit
+  -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val from_i16_array
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (a: t_Slice i16)
+    : Prims.Pure (t_PolynomialRingElement v_Vector)
+      (requires
+        (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize))
+      (fun _ -> Prims.l_True)
+
+val impl_2__from_i16_array
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (a: t_Slice i16)
+    : Prims.Pure (t_PolynomialRingElement v_Vector)
+      (requires
+        (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize))
+      (fun _ -> Prims.l_True)
+
 /// Given two `KyberPolynomialRingElement`s in their NTT representations,
 /// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
 /// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
@@ -95,20 +186,32 @@ val impl__from_i16_array
 /// this function are in the Montgomery domain.
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-val impl__ntt_multiply
+val ntt_multiply
       (#v_Vector: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself rhs: t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__ntt_multiply
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (self rhs: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-val impl__poly_barrett_reduce
+/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+/// sum of their constituent coefficients.
+val add_to_ring_element
       (#v_Vector: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (self: t_PolynomialRingElement v_Vector)
+      (v_K: usize)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (myself rhs: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
-val impl__subtract_reduce
+/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+/// sum of their constituent coefficients.
+val impl_2__add_to_ring_element
       (#v_Vector: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (self b: t_PolynomialRingElement v_Vector)
+      (v_K: usize)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (self rhs: t_PolynomialRingElement v_Vector)
     : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst
index 9c52850fc..c50a5c96b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Sampling
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -144,6 +144,106 @@ let sample_from_uniform_distribution_next
   <:
   (t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool)
 
+#push-options "--admit_smt_queries true"
+
+let sample_from_xof
+      (v_K: usize)
+      (#v_Vector #v_Hasher: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (seeds: t_Array (t_Array u8 (sz 34)) v_K)
+     =
+  let (sampled_coefficients: t_Array usize v_K):t_Array usize v_K =
+    Rust_primitives.Hax.repeat (sz 0) v_K
+  in
+  let (out: t_Array (t_Array i16 (sz 272)) v_K):t_Array (t_Array i16 (sz 272)) v_K =
+    Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0s (sz 272) <: t_Array i16 (sz 272)) v_K
+  in
+  let xof_state:v_Hasher =
+    Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb_final #v_Hasher
+      #v_K
+      #FStar.Tactics.Typeclasses.solve
+      seeds
+  in
+  let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 504)) v_K) =
+    Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_first_three_blocks #v_Hasher
+      #v_K
+      #FStar.Tactics.Typeclasses.solve
+      xof_state
+  in
+  let xof_state:v_Hasher = tmp0 in
+  let randomness:t_Array (t_Array u8 (sz 504)) v_K = out1 in
+  let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) =
+    sample_from_uniform_distribution_next #v_Vector v_K (sz 504) randomness sampled_coefficients out
+  in
+  let sampled_coefficients:t_Array usize v_K = tmp0 in
+  let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in
+  let done:bool = out1 in
+  let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K &
+    t_Array usize v_K &
+    v_Hasher) =
+    Rust_primitives.f_while_loop (fun temp_0_ ->
+          let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K &
+            t_Array usize v_K &
+            v_Hasher) =
+            temp_0_
+          in
+          ~.done <: bool)
+      (done, out, sampled_coefficients, xof_state
+        <:
+        (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher))
+      (fun temp_0_ ->
+          let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K &
+            t_Array usize v_K &
+            v_Hasher) =
+            temp_0_
+          in
+          let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 168)) v_K) =
+            Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_next_block #v_Hasher
+              #v_K
+              #FStar.Tactics.Typeclasses.solve
+              xof_state
+          in
+          let xof_state:v_Hasher = tmp0 in
+          let randomness:t_Array (t_Array u8 (sz 168)) v_K = out1 in
+          let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) =
+            sample_from_uniform_distribution_next #v_Vector
+              v_K
+              (sz 168)
+              randomness
+              sampled_coefficients
+              out
+          in
+          let sampled_coefficients:t_Array usize v_K = tmp0 in
+          let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in
+          let done:bool = out1 in
+          done, out, sampled_coefficients, xof_state
+          <:
+          (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher))
+  in
+  Core.Array.impl_23__map #(t_Array i16 (sz 272))
+    v_K
+    #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+    out
+    (fun s ->
+        let s:t_Array i16 (sz 272) = s in
+        Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector
+          (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 }
+              <:
+              Core.Ops.Range.t_Range usize ]
+            <:
+            t_Slice i16)
+        <:
+        Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+
+#pop-options
+
+#push-options "--z3rlimit 800"
+
 let sample_from_binomial_distribution_2_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -151,6 +251,10 @@ let sample_from_binomial_distribution_2_
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (randomness: t_Slice u8)
      =
+  let _:Prims.unit =
+    assert (v (sz 2 *! sz 64) == 128);
+    assert (Seq.length randomness == 128)
+  in
   let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in
   let sampled_i16s:t_Array i16 (sz 256) =
     Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4)
@@ -175,6 +279,10 @@ let sample_from_binomial_distribution_2_
           in
           let even_bits:u32 = random_bits_as_u32 &. 1431655765ul in
           let odd_bits:u32 = (random_bits_as_u32 >>! 1l <: u32) &. 1431655765ul in
+          let _:Prims.unit =
+            logand_lemma random_bits_as_u32 1431655765ul;
+            logand_lemma (random_bits_as_u32 >>! 1l) 1431655765ul
+          in
           let coin_toss_outcomes:u32 = even_bits +! odd_bits in
           Rust_primitives.Hax.Folds.fold_range_step_by 0ul
             Core.Num.impl__u32__BITS
@@ -195,6 +303,15 @@ let sample_from_binomial_distribution_2_
                   <:
                   i16
                 in
+                let _:Prims.unit =
+                  logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 3ul;
+                  logand_lemma (coin_toss_outcomes >>! (outcome_set +! 2ul <: u32) <: u32) 3ul;
+                  assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 3);
+                  assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 3);
+                  assert (v chunk_number <= 31);
+                  assert (v (sz 8 *! chunk_number <: usize) <= 248);
+                  assert (v (cast (outcome_set >>! 2l <: u32) <: usize) <= 7)
+                in
                 let offset:usize = cast (outcome_set >>! 2l <: u32) <: usize in
                 let sampled_i16s:t_Array i16 (sz 256) =
                   Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s
@@ -203,7 +320,11 @@ let sample_from_binomial_distribution_2_
                 in
                 sampled_i16s))
   in
-  Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16)
+  Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16)
+
+#pop-options
+
+#push-options "--z3rlimit 800"
 
 let sample_from_binomial_distribution_3_
       (#v_Vector: Type0)
@@ -212,6 +333,10 @@ let sample_from_binomial_distribution_3_
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (randomness: t_Slice u8)
      =
+  let _:Prims.unit =
+    assert (v (sz 3 *! sz 64) == 192);
+    assert (Seq.length randomness == 192)
+  in
   let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in
   let sampled_i16s:t_Array i16 (sz 256) =
     Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 3)
@@ -234,6 +359,11 @@ let sample_from_binomial_distribution_3_
           let first_bits:u32 = random_bits_as_u24 &. 2396745ul in
           let second_bits:u32 = (random_bits_as_u24 >>! 1l <: u32) &. 2396745ul in
           let third_bits:u32 = (random_bits_as_u24 >>! 2l <: u32) &. 2396745ul in
+          let _:Prims.unit =
+            logand_lemma random_bits_as_u24 2396745ul;
+            logand_lemma (random_bits_as_u24 >>! 1l <: u32) 2396745ul;
+            logand_lemma (random_bits_as_u24 >>! 2l <: u32) 2396745ul
+          in
           let coin_toss_outcomes:u32 = (first_bits +! second_bits <: u32) +! third_bits in
           Rust_primitives.Hax.Folds.fold_range_step_by 0l
             24l
@@ -254,6 +384,15 @@ let sample_from_binomial_distribution_3_
                   <:
                   i16
                 in
+                let _:Prims.unit =
+                  logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 7ul;
+                  logand_lemma (coin_toss_outcomes >>! (outcome_set +! 3l <: i32) <: u32) 7ul;
+                  assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 7);
+                  assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 7);
+                  assert (v chunk_number <= 63);
+                  assert (v (sz 4 *! chunk_number <: usize) <= 252);
+                  assert (v (cast (outcome_set /! 6l <: i32) <: usize) <= 3)
+                in
                 let offset:usize = cast (outcome_set /! 6l <: i32) <: usize in
                 let sampled_i16s:t_Array i16 (sz 256) =
                   Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s
@@ -262,7 +401,9 @@ let sample_from_binomial_distribution_3_
                 in
                 sampled_i16s))
   in
-  Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16)
+  Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16)
+
+#pop-options
 
 let sample_from_binomial_distribution
       (v_ETA: usize)
@@ -272,105 +413,16 @@ let sample_from_binomial_distribution
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (randomness: t_Slice u8)
      =
-  match cast (v_ETA <: usize) <: u32 with
-  | 2ul -> sample_from_binomial_distribution_2_ #v_Vector randomness
-  | 3ul -> sample_from_binomial_distribution_3_ #v_Vector randomness
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+  let _:Prims.unit = assert ((v (cast v_ETA <: u32) == 2) \/ (v (cast v_ETA <: u32) == 3)) in
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    match cast (v_ETA <: usize) <: u32 with
+    | 2ul -> sample_from_binomial_distribution_2_ #v_Vector randomness
+    | 3ul -> sample_from_binomial_distribution_3_ #v_Vector randomness
+    | _ ->
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
 
-        <:
-        Rust_primitives.Hax.t_Never)
-
-let sample_from_xof
-      (v_K: usize)
-      (#v_Vector #v_Hasher: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i2:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (seeds: t_Array (t_Array u8 (sz 34)) v_K)
-     =
-  let (sampled_coefficients: t_Array usize v_K):t_Array usize v_K =
-    Rust_primitives.Hax.repeat (sz 0) v_K
-  in
-  let (out: t_Array (t_Array i16 (sz 272)) v_K):t_Array (t_Array i16 (sz 272)) v_K =
-    Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0s (sz 272) <: t_Array i16 (sz 272)) v_K
-  in
-  let xof_state:v_Hasher =
-    Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb #v_Hasher
-      #v_K
-      #FStar.Tactics.Typeclasses.solve
-      seeds
-  in
-  let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 504)) v_K) =
-    Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_three_blocks #v_Hasher
-      #v_K
-      #FStar.Tactics.Typeclasses.solve
-      xof_state
-  in
-  let xof_state:v_Hasher = tmp0 in
-  let randomness:t_Array (t_Array u8 (sz 504)) v_K = out1 in
-  let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) =
-    sample_from_uniform_distribution_next #v_Vector v_K (sz 504) randomness sampled_coefficients out
-  in
-  let sampled_coefficients:t_Array usize v_K = tmp0 in
-  let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in
-  let done:bool = out1 in
-  let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K &
-    t_Array usize v_K &
-    v_Hasher) =
-    Rust_primitives.f_while_loop (fun temp_0_ ->
-          let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K &
-            t_Array usize v_K &
-            v_Hasher) =
-            temp_0_
-          in
-          ~.done <: bool)
-      (done, out, sampled_coefficients, xof_state
-        <:
-        (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher))
-      (fun temp_0_ ->
-          let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K &
-            t_Array usize v_K &
-            v_Hasher) =
-            temp_0_
-          in
-          let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 168)) v_K) =
-            Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_block #v_Hasher
-              #v_K
-              #FStar.Tactics.Typeclasses.solve
-              xof_state
-          in
-          let xof_state:v_Hasher = tmp0 in
-          let randomness:t_Array (t_Array u8 (sz 168)) v_K = out1 in
-          let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) =
-            sample_from_uniform_distribution_next #v_Vector
-              v_K
-              (sz 168)
-              randomness
-              sampled_coefficients
-              out
-          in
-          let sampled_coefficients:t_Array usize v_K = tmp0 in
-          let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in
-          let done:bool = out1 in
-          done, out, sampled_coefficients, xof_state
           <:
-          (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher))
+          Rust_primitives.Hax.t_Never)
   in
-  Core.Array.impl_23__map #(t_Array i16 (sz 272))
-    v_K
-    #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-    out
-    (fun s ->
-        let s:t_Array i16 (sz 272) = s in
-        Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector
-          (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 }
-              <:
-              Core.Ops.Range.t_Range usize ]
-            <:
-            t_Slice i16)
-        <:
-        Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti
index 5f5ac19d3..ecaa33053 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Sampling
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -54,6 +54,16 @@ val sample_from_uniform_distribution_next
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val sample_from_xof
+      (v_K: usize)
+      (#v_Vector #v_Hasher: Type0)
+      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+      (seeds: t_Array (t_Array u8 (sz 34)) v_K)
+    : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 /// Given a series of uniformly random bytes in `randomness`, for some number `eta`,
 /// the `sample_from_binomial_distribution_{eta}` functions sample
 /// a ring element from a binomial distribution centered at 0 that uses two sets
@@ -114,15 +124,15 @@ val sample_from_binomial_distribution
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (randomness: t_Slice u8)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-val sample_from_xof
-      (v_K: usize)
-      (#v_Vector #v_Hasher: Type0)
-      {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
-      (seeds: t_Array (t_Array u8 (sz 34)) v_K)
-    : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        (v_ETA =. sz 2 || v_ETA =. sz 3) &&
+        (Core.Slice.impl__len #u8 randomness <: usize) =. (v_ETA *! sz 64 <: usize))
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
+          (forall (i: nat).
+              i < 8 ==>
+              Libcrux_ml_kem.Ntt.ntt_layer_7_pre (result.f_coefficients.[ sz i ])
+                (result.f_coefficients.[ sz i +! sz 8 ])) /\
+          Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
+          Spec.MLKEM.sample_poly_cbd v_ETA randomness)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst
index f90c60055..5de9a6d47 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -9,353 +9,192 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let compress_then_serialize_10_
-      (v_OUT_LEN: usize)
+let to_unsigned_field_modulus
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (a: v_Vector)
      =
-  let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
-  let serialized:t_Array u8 v_OUT_LEN =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
-      (fun serialized temp_1_ ->
-          let serialized:t_Array u8 v_OUT_LEN = serialized in
+  let _:Prims.unit = reveal_opaque (`%field_modulus_range) (field_modulus_range #v_Vector) in
+  let result:v_Vector = Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector a in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+let deserialize_then_decompress_10_
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (serialized: t_Slice u8)
+     =
+  let _:Prims.unit =
+    assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320)
+  in
+  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+  in
+  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20)
+      serialized
+      (fun re temp_1_ ->
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
           let _:usize = temp_1_ in
           true)
-      serialized
-      (fun serialized i ->
-          let serialized:t_Array u8 v_OUT_LEN = serialized in
-          let i:usize = i in
+      re
+      (fun re temp_1_ ->
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+          let i, bytes:(usize & t_Slice u8) = temp_1_ in
           let coefficient:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector
-              #FStar.Tactics.Typeclasses.solve
-              10l
-              (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector
-                  (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
-                <:
-                v_Vector)
-          in
-          let bytes:t_Array u8 (sz 20) =
-            Libcrux_ml_kem.Vector.Traits.f_serialize_10_ #v_Vector
+            Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              coefficient
+              bytes
           in
-          let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = sz 20 *! i <: usize;
-                  Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start = sz 20 *! i <: usize;
-                        Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (bytes <: t_Slice u8)
-                <:
-                t_Slice u8)
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+            {
+              re with
+              Libcrux_ml_kem.Polynomial.f_coefficients
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux_ml_kem.Polynomial.f_coefficients
+                i
+                (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
+                    #FStar.Tactics.Typeclasses.solve
+                    10l
+                    coefficient
+                  <:
+                  v_Vector)
+            }
+            <:
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
-          serialized)
+          re)
   in
-  serialized
+  re
 
-let compress_then_serialize_11_
-      (v_OUT_LEN: usize)
+#push-options "--admit_smt_queries true"
+
+let deserialize_then_decompress_11_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (serialized: t_Slice u8)
      =
-  let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
-  let serialized:t_Array u8 v_OUT_LEN =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
-      (fun serialized temp_1_ ->
-          let serialized:t_Array u8 v_OUT_LEN = serialized in
+  let _:Prims.unit =
+    assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352)
+  in
+  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+  in
+  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22)
+      serialized
+      (fun re temp_1_ ->
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
           let _:usize = temp_1_ in
           true)
-      serialized
-      (fun serialized i ->
-          let serialized:t_Array u8 v_OUT_LEN = serialized in
-          let i:usize = i in
+      re
+      (fun re temp_1_ ->
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+          let i, bytes:(usize & t_Slice u8) = temp_1_ in
           let coefficient:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector
-              #FStar.Tactics.Typeclasses.solve
-              11l
-              (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector
-                  (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
-                <:
-                v_Vector)
-          in
-          let bytes:t_Array u8 (sz 22) =
-            Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #v_Vector
+            Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              coefficient
+              bytes
           in
-          let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = sz 22 *! i <: usize;
-                  Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start = sz 22 *! i <: usize;
-                        Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (bytes <: t_Slice u8)
-                <:
-                t_Slice u8)
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+            {
+              re with
+              Libcrux_ml_kem.Polynomial.f_coefficients
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux_ml_kem.Polynomial.f_coefficients
+                i
+                (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
+                    #FStar.Tactics.Typeclasses.solve
+                    11l
+                    coefficient
+                  <:
+                  v_Vector)
+            }
+            <:
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
-          serialized)
+          re)
   in
-  serialized
+  re
 
-let compress_then_serialize_4_
+#pop-options
+
+let deserialize_then_decompress_4_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
       (serialized: t_Slice u8)
      =
-  let serialized:t_Slice u8 =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
-      (fun serialized temp_1_ ->
-          let serialized:t_Slice u8 = serialized in
+  let _:Prims.unit =
+    assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128)
+  in
+  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+  in
+  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8)
+      serialized
+      (fun re temp_1_ ->
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
           let _:usize = temp_1_ in
           true)
-      serialized
-      (fun serialized i ->
-          let serialized:t_Slice u8 = serialized in
-          let i:usize = i in
+      re
+      (fun re temp_1_ ->
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+          let i, bytes:(usize & t_Slice u8) = temp_1_ in
           let coefficient:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector
-              #FStar.Tactics.Typeclasses.solve
-              4l
-              (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector
-                  (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
-                <:
-                v_Vector)
-          in
-          let bytes:t_Array u8 (sz 8) =
-            Libcrux_ml_kem.Vector.Traits.f_serialize_4_ #v_Vector
+            Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              coefficient
+              bytes
           in
-          let serialized:t_Slice u8 =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = sz 8 *! i <: usize;
-                  Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start = sz 8 *! i <: usize;
-                        Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (bytes <: t_Slice u8)
-                <:
-                t_Slice u8)
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+            {
+              re with
+              Libcrux_ml_kem.Polynomial.f_coefficients
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux_ml_kem.Polynomial.f_coefficients
+                i
+                (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
+                    #FStar.Tactics.Typeclasses.solve
+                    4l
+                    coefficient
+                  <:
+                  v_Vector)
+            }
+            <:
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
-          serialized)
+          re)
   in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
-  serialized
+  re
 
-let compress_then_serialize_5_
+#push-options "--admit_smt_queries true"
+
+let deserialize_then_decompress_5_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
       (serialized: t_Slice u8)
      =
-  let serialized:t_Slice u8 =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
-      (fun serialized temp_1_ ->
-          let serialized:t_Slice u8 = serialized in
-          let _:usize = temp_1_ in
-          true)
-      serialized
-      (fun serialized i ->
-          let serialized:t_Slice u8 = serialized in
-          let i:usize = i in
-          let coefficients:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector
-              #FStar.Tactics.Typeclasses.solve
-              5l
-              (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector
-                  (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
-                <:
-                v_Vector)
-          in
-          let bytes:t_Array u8 (sz 10) =
-            Libcrux_ml_kem.Vector.Traits.f_serialize_5_ #v_Vector
-              #FStar.Tactics.Typeclasses.solve
-              coefficients
-          in
-          let serialized:t_Slice u8 =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = sz 10 *! i <: usize;
-                  Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start = sz 10 *! i <: usize;
-                        Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (bytes <: t_Slice u8)
-                <:
-                t_Slice u8)
-          in
-          serialized)
-  in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
-  serialized
-
-let compress_then_serialize_message
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-     =
-  let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
-  let serialized:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (sz 16)
-      (fun serialized temp_1_ ->
-          let serialized:t_Array u8 (sz 32) = serialized in
-          let _:usize = temp_1_ in
-          true)
-      serialized
-      (fun serialized i ->
-          let serialized:t_Array u8 (sz 32) = serialized in
-          let i:usize = i in
-          let coefficient:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector
-              (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
-          in
-          let coefficient_compressed:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector
-              #FStar.Tactics.Typeclasses.solve
-              coefficient
-          in
-          let bytes:t_Array u8 (sz 2) =
-            Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector
-              #FStar.Tactics.Typeclasses.solve
-              coefficient_compressed
-          in
-          let serialized:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
-              ({
-                  Core.Ops.Range.f_start = sz 2 *! i <: usize;
-                  Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
-                }
-                <:
-                Core.Ops.Range.t_Range usize)
-              (Core.Slice.impl__copy_from_slice #u8
-                  (serialized.[ {
-                        Core.Ops.Range.f_start = sz 2 *! i <: usize;
-                        Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
-                      }
-                      <:
-                      Core.Ops.Range.t_Range usize ]
-                    <:
-                    t_Slice u8)
-                  (bytes <: t_Slice u8)
-                <:
-                t_Slice u8)
-          in
-          serialized)
-  in
-  serialized
-
-let compress_then_serialize_ring_element_u
-      (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-     =
-  match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
-  | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re
-  | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
-        <:
-        Rust_primitives.Hax.t_Never)
-
-let compress_then_serialize_ring_element_v
-      (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (out: t_Slice u8)
-     =
-  let out, hax_temp_output:(t_Slice u8 & Prims.unit) =
-    match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
-    | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit)
-    | 5ul -> compress_then_serialize_5_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit)
-    | _ ->
-      out,
-      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
-          <:
-          Rust_primitives.Hax.t_Never)
-      <:
-      (t_Slice u8 & Prims.unit)
+  let _:Prims.unit =
+    assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160)
   in
-  out
-
-let deserialize_then_decompress_10_
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (serialized: t_Slice u8)
-     =
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
+    Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
   in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20)
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10)
       serialized
       (fun re temp_1_ ->
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
@@ -365,10 +204,22 @@ let deserialize_then_decompress_10_
       (fun re temp_1_ ->
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
           let i, bytes:(usize & t_Slice u8) = temp_1_ in
-          let coefficient:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector
-              #FStar.Tactics.Typeclasses.solve
-              bytes
+          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+            {
+              re with
+              Libcrux_ml_kem.Polynomial.f_coefficients
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux_ml_kem.Polynomial.f_coefficients
+                i
+                (Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #v_Vector
+                    #FStar.Tactics.Typeclasses.solve
+                    bytes
+                  <:
+                  v_Vector)
+            }
+            <:
+            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
           in
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
             {
@@ -380,8 +231,8 @@ let deserialize_then_decompress_10_
                 i
                 (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
                     #FStar.Tactics.Typeclasses.solve
-                    10l
-                    coefficient
+                    5l
+                    (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
                   <:
                   v_Vector)
             }
@@ -392,31 +243,40 @@ let deserialize_then_decompress_10_
   in
   re
 
-let deserialize_then_decompress_11_
+#pop-options
+
+let deserialize_then_decompress_message
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (serialized: t_Slice u8)
+      (serialized: t_Array u8 (sz 32))
      =
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
+    Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
   in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22)
-      serialized
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      (sz 16)
       (fun re temp_1_ ->
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
           let _:usize = temp_1_ in
           true)
       re
-      (fun re temp_1_ ->
+      (fun re i ->
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
-          let i, bytes:(usize & t_Slice u8) = temp_1_ in
-          let coefficient:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #v_Vector
+          let i:usize = i in
+          let coefficient_compressed:v_Vector =
+            Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              bytes
+              (serialized.[ {
+                    Core.Ops.Range.f_start = sz 2 *! i <: usize;
+                    Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
+                  }
+                  <:
+                  Core.Ops.Range.t_Range usize ]
+                <:
+                t_Slice u8)
           in
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
             {
@@ -426,10 +286,7 @@ let deserialize_then_decompress_11_
               Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
                   .Libcrux_ml_kem.Polynomial.f_coefficients
                 i
-                (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
-                    #FStar.Tactics.Typeclasses.solve
-                    11l
-                    coefficient
+                (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed
                   <:
                   v_Vector)
             }
@@ -438,20 +295,73 @@ let deserialize_then_decompress_11_
           in
           re)
   in
-  re
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
-let deserialize_then_decompress_4_
+let deserialize_then_decompress_ring_element_u
+      (v_COMPRESSION_FACTOR: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (serialized: t_Slice u8)
+     =
+  let _:Prims.unit =
+    assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/
+        (v (cast v_COMPRESSION_FACTOR <: u32) == 11))
+  in
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
+    | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized
+    | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized
+    | _ ->
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
+          <:
+          Rust_primitives.Hax.t_Never)
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+let deserialize_then_decompress_ring_element_v
+      (v_K v_COMPRESSION_FACTOR: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (serialized: t_Slice u8)
+     =
+  let _:Prims.unit =
+    assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/
+        (v (cast v_COMPRESSION_FACTOR <: u32) == 5))
+  in
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
+    | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized
+    | 5ul -> deserialize_then_decompress_5_ #v_Vector serialized
+    | _ ->
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
+          <:
+          Rust_primitives.Hax.t_Never)
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+let deserialize_to_reduced_ring_element
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (serialized: t_Slice u8)
      =
+  let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
+    Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
   in
   let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8)
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24)
       serialized
       (fun re temp_1_ ->
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
@@ -462,7 +372,7 @@ let deserialize_then_decompress_4_
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
           let i, bytes:(usize & t_Slice u8) = temp_1_ in
           let coefficient:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #v_Vector
+            Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector
               #FStar.Tactics.Typeclasses.solve
               bytes
           in
@@ -474,9 +384,8 @@ let deserialize_then_decompress_4_
               Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
                   .Libcrux_ml_kem.Polynomial.f_coefficients
                 i
-                (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
+                (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector
                     #FStar.Tactics.Typeclasses.solve
-                    4l
                     coefficient
                   <:
                   v_Vector)
@@ -486,22 +395,90 @@ let deserialize_then_decompress_4_
           in
           re)
   in
-  re
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
-let deserialize_then_decompress_5_
+let deserialize_ring_elements_reduced
+      (v_K: usize)
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (serialized: t_Slice u8)
+      (public_key: t_Slice u8)
+      (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
      =
-  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-  in
-  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10)
-      serialized
-      (fun re temp_1_ ->
+  let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
+      public_key
+      (fun deserialized_pk temp_1_ ->
+          let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+            v_K =
+            deserialized_pk
+          in
+          let _:usize = temp_1_ in
+          true)
+      deserialized_pk
+      (fun deserialized_pk temp_1_ ->
+          let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+            v_K =
+            deserialized_pk
+          in
+          let i, ring_element:(usize & t_Slice u8) = temp_1_ in
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_pk
+            i
+            (deserialize_to_reduced_ring_element #v_Vector ring_element
+              <:
+              Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          <:
+          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+  in
+  let result:Prims.unit = () <: Prims.unit in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  let hax_temp_output:Prims.unit = result in
+  deserialized_pk
+
+let deserialize_ring_elements_reduced_out
+      (v_K: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (public_key: t_Slice u8)
+     =
+  let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+    Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      v_K
+      (fun v__i ->
+          let v__i:usize = v__i in
+          Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+          <:
+          Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+  in
+  let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+    deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk
+  in
+  let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+    deserialized_pk
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+let deserialize_to_uncompressed_ring_element
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (serialized: t_Slice u8)
+     =
+  let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in
+  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+  in
+  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24)
+      serialized
+      (fun re temp_1_ ->
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
           let _:usize = temp_1_ in
           true)
@@ -509,277 +486,410 @@ let deserialize_then_decompress_5_
       (fun re temp_1_ ->
           let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
           let i, bytes:(usize & t_Slice u8) = temp_1_ in
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-            {
-              re with
-              Libcrux_ml_kem.Polynomial.f_coefficients
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                  .Libcrux_ml_kem.Polynomial.f_coefficients
-                i
-                (Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #v_Vector
-                    #FStar.Tactics.Typeclasses.solve
-                    bytes
-                  <:
-                  v_Vector)
-            }
+          {
+            re with
+            Libcrux_ml_kem.Polynomial.f_coefficients
+            =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                .Libcrux_ml_kem.Polynomial.f_coefficients
+              i
+              (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector
+                  #FStar.Tactics.Typeclasses.solve
+                  bytes
+                <:
+                v_Vector)
             <:
-            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
+            t_Array v_Vector (sz 16)
+          }
+          <:
+          Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+  in
+  let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+let compress_then_serialize_10_
+      (v_OUT_LEN: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+     =
+  let _:Prims.unit = assert_norm (pow2 10 == 1024) in
+  let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
+  let serialized:t_Array u8 v_OUT_LEN =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
+      (fun serialized i ->
+          let serialized:t_Array u8 v_OUT_LEN = serialized in
+          let i:usize = i in
+          v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re)
+      serialized
+      (fun serialized i ->
+          let serialized:t_Array u8 v_OUT_LEN = serialized in
+          let i:usize = i in
+          let _:Prims.unit = assert (20 * v i + 20 <= 320) in
+          let _:Prims.unit =
+            reveal_opaque (`%coefficients_field_modulus_range)
+              (coefficients_field_modulus_range #v_Vector)
           in
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-            {
-              re with
-              Libcrux_ml_kem.Polynomial.f_coefficients
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                  .Libcrux_ml_kem.Polynomial.f_coefficients
-                i
-                (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
-                    #FStar.Tactics.Typeclasses.solve
-                    5l
-                    (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
-                  <:
-                  v_Vector)
-            }
-            <:
-            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
+          let coefficient:v_Vector =
+            Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector
+              #FStar.Tactics.Typeclasses.solve
+              10l
+              (to_unsigned_field_modulus #v_Vector
+                  (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
+                <:
+                v_Vector)
           in
-          re)
+          let bytes:t_Array u8 (sz 20) =
+            Libcrux_ml_kem.Vector.Traits.f_serialize_10_ #v_Vector
+              #FStar.Tactics.Typeclasses.solve
+              coefficient
+          in
+          let serialized:t_Array u8 v_OUT_LEN =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+              ({
+                  Core.Ops.Range.f_start = sz 20 *! i <: usize;
+                  Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize
+                }
+                <:
+                Core.Ops.Range.t_Range usize)
+              (Core.Slice.impl__copy_from_slice #u8
+                  (serialized.[ {
+                        Core.Ops.Range.f_start = sz 20 *! i <: usize;
+                        Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                  (bytes <: t_Slice u8)
+                <:
+                t_Slice u8)
+          in
+          serialized)
   in
-  re
+  let result:t_Array u8 v_OUT_LEN = serialized in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
-let deserialize_then_decompress_message
+#push-options "--admit_smt_queries true"
+
+let compress_then_serialize_11_
+      (v_OUT_LEN: usize)
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (serialized: t_Array u8 (sz 32))
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
      =
-  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-  in
-  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+  let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
+  let serialized:t_Array u8 v_OUT_LEN =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (sz 16)
-      (fun re temp_1_ ->
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+      Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
+      (fun serialized temp_1_ ->
+          let serialized:t_Array u8 v_OUT_LEN = serialized in
           let _:usize = temp_1_ in
           true)
-      re
-      (fun re i ->
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+      serialized
+      (fun serialized i ->
+          let serialized:t_Array u8 v_OUT_LEN = serialized in
           let i:usize = i in
-          let coefficient_compressed:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector
+          let coefficient:v_Vector =
+            Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              (serialized.[ {
-                    Core.Ops.Range.f_start = sz 2 *! i <: usize;
-                    Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
-                  }
-                  <:
-                  Core.Ops.Range.t_Range usize ]
+              11l
+              (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector
+                  (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
+                <:
+                v_Vector)
+          in
+          let bytes:t_Array u8 (sz 22) =
+            Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #v_Vector
+              #FStar.Tactics.Typeclasses.solve
+              coefficient
+          in
+          let serialized:t_Array u8 v_OUT_LEN =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+              ({
+                  Core.Ops.Range.f_start = sz 22 *! i <: usize;
+                  Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize
+                }
+                <:
+                Core.Ops.Range.t_Range usize)
+              (Core.Slice.impl__copy_from_slice #u8
+                  (serialized.[ {
+                        Core.Ops.Range.f_start = sz 22 *! i <: usize;
+                        Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                  (bytes <: t_Slice u8)
                 <:
                 t_Slice u8)
           in
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-            {
-              re with
-              Libcrux_ml_kem.Polynomial.f_coefficients
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                  .Libcrux_ml_kem.Polynomial.f_coefficients
-                i
-                (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed
-                  <:
-                  v_Vector)
-            }
-            <:
-            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
+          serialized)
+  in
+  serialized
+
+#pop-options
+
+let compress_then_serialize_4_
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (serialized: t_Slice u8)
+     =
+  let _:Prims.unit = assert_norm (pow2 4 == 16) in
+  let serialized:t_Slice u8 =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
+      (fun serialized i ->
+          let serialized:t_Slice u8 = serialized in
+          let i:usize = i in
+          v i >= 0 /\ v i <= 16 /\ v i < 16 ==>
+          (Seq.length serialized == 128 /\ coefficients_field_modulus_range re))
+      serialized
+      (fun serialized i ->
+          let serialized:t_Slice u8 = serialized in
+          let i:usize = i in
+          let _:Prims.unit = assert (8 * v i + 8 <= 128) in
+          let _:Prims.unit =
+            reveal_opaque (`%coefficients_field_modulus_range)
+              (coefficients_field_modulus_range #v_Vector)
+          in
+          let coefficient:v_Vector =
+            Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector
+              #FStar.Tactics.Typeclasses.solve
+              4l
+              (to_unsigned_field_modulus #v_Vector
+                  (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
+                <:
+                v_Vector)
+          in
+          let bytes:t_Array u8 (sz 8) =
+            Libcrux_ml_kem.Vector.Traits.f_serialize_4_ #v_Vector
+              #FStar.Tactics.Typeclasses.solve
+              coefficient
+          in
+          let serialized:t_Slice u8 =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+              ({
+                  Core.Ops.Range.f_start = sz 8 *! i <: usize;
+                  Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize
+                }
+                <:
+                Core.Ops.Range.t_Range usize)
+              (Core.Slice.impl__copy_from_slice #u8
+                  (serialized.[ {
+                        Core.Ops.Range.f_start = sz 8 *! i <: usize;
+                        Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                  (bytes <: t_Slice u8)
+                <:
+                t_Slice u8)
           in
-          re)
+          serialized)
   in
-  re
-
-let deserialize_then_decompress_ring_element_u
-      (v_COMPRESSION_FACTOR: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (serialized: t_Slice u8)
-     =
-  match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
-  | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized
-  | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
-        <:
-        Rust_primitives.Hax.t_Never)
-
-let deserialize_then_decompress_ring_element_v
-      (v_COMPRESSION_FACTOR: usize)
-      (#v_Vector: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (serialized: t_Slice u8)
-     =
-  match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
-  | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized
-  | 5ul -> deserialize_then_decompress_5_ #v_Vector serialized
-  | _ ->
-    Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+  let result:Prims.unit = () <: Prims.unit in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  let hax_temp_output:Prims.unit = result in
+  serialized
 
-        <:
-        Rust_primitives.Hax.t_Never)
+#push-options "--admit_smt_queries true"
 
-let deserialize_to_reduced_ring_element
+let compress_then_serialize_5_
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
       (serialized: t_Slice u8)
      =
-  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-  in
-  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24)
-      serialized
-      (fun re temp_1_ ->
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+  let serialized:t_Slice u8 =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
+      (fun serialized temp_1_ ->
+          let serialized:t_Slice u8 = serialized in
           let _:usize = temp_1_ in
           true)
-      re
-      (fun re temp_1_ ->
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
-          let i, bytes:(usize & t_Slice u8) = temp_1_ in
-          let coefficient:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector
+      serialized
+      (fun serialized i ->
+          let serialized:t_Slice u8 = serialized in
+          let i:usize = i in
+          let coefficients:v_Vector =
+            Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector
               #FStar.Tactics.Typeclasses.solve
-              bytes
+              5l
+              (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector
+                  (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
+                <:
+                v_Vector)
           in
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-            {
-              re with
-              Libcrux_ml_kem.Polynomial.f_coefficients
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                  .Libcrux_ml_kem.Polynomial.f_coefficients
-                i
-                (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector
-                    #FStar.Tactics.Typeclasses.solve
-                    coefficient
-                  <:
-                  v_Vector)
-            }
-            <:
-            Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
+          let bytes:t_Array u8 (sz 10) =
+            Libcrux_ml_kem.Vector.Traits.f_serialize_5_ #v_Vector
+              #FStar.Tactics.Typeclasses.solve
+              coefficients
           in
-          re)
+          let serialized:t_Slice u8 =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+              ({
+                  Core.Ops.Range.f_start = sz 10 *! i <: usize;
+                  Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize
+                }
+                <:
+                Core.Ops.Range.t_Range usize)
+              (Core.Slice.impl__copy_from_slice #u8
+                  (serialized.[ {
+                        Core.Ops.Range.f_start = sz 10 *! i <: usize;
+                        Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                  (bytes <: t_Slice u8)
+                <:
+                t_Slice u8)
+          in
+          serialized)
   in
-  re
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
+  serialized
 
-let deserialize_ring_elements_reduced
-      (v_PUBLIC_KEY_SIZE v_K: usize)
+#pop-options
+
+let compress_then_serialize_message
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (public_key: t_Slice u8)
-      (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
      =
-  let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
-      public_key
-      (fun deserialized_pk temp_1_ ->
-          let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-            v_K =
-            deserialized_pk
+  let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+  let serialized:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      (sz 16)
+      (fun serialized i ->
+          let serialized:t_Array u8 (sz 32) = serialized in
+          let i:usize = i in
+          v i < 16 ==> coefficients_field_modulus_range re)
+      serialized
+      (fun serialized i ->
+          let serialized:t_Array u8 (sz 32) = serialized in
+          let i:usize = i in
+          let _:Prims.unit = assert (2 * v i + 2 <= 32) in
+          let _:Prims.unit =
+            reveal_opaque (`%coefficients_field_modulus_range)
+              (coefficients_field_modulus_range #v_Vector)
           in
-          let _:usize = temp_1_ in
-          true)
-      deserialized_pk
-      (fun deserialized_pk temp_1_ ->
-          let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-            v_K =
-            deserialized_pk
+          let coefficient:v_Vector =
+            to_unsigned_field_modulus #v_Vector
+              (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
           in
-          let i, ring_element:(usize & t_Slice u8) = temp_1_ in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_pk
-            i
-            (deserialize_to_reduced_ring_element #v_Vector ring_element
-              <:
-              Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-          <:
-          t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+          let coefficient_compressed:v_Vector =
+            Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector
+              #FStar.Tactics.Typeclasses.solve
+              coefficient
+          in
+          let bytes:t_Array u8 (sz 2) =
+            Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector
+              #FStar.Tactics.Typeclasses.solve
+              coefficient_compressed
+          in
+          let serialized:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+              ({
+                  Core.Ops.Range.f_start = sz 2 *! i <: usize;
+                  Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
+                }
+                <:
+                Core.Ops.Range.t_Range usize)
+              (Core.Slice.impl__copy_from_slice #u8
+                  (serialized.[ {
+                        Core.Ops.Range.f_start = sz 2 *! i <: usize;
+                        Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
+                      }
+                      <:
+                      Core.Ops.Range.t_Range usize ]
+                    <:
+                    t_Slice u8)
+                  (bytes <: t_Slice u8)
+                <:
+                t_Slice u8)
+          in
+          serialized)
   in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
-  deserialized_pk
+  let result:t_Array u8 (sz 32) = serialized in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
-let deserialize_ring_elements_reduced_out
-      (v_PUBLIC_KEY_SIZE v_K: usize)
+let compress_then_serialize_ring_element_u
+      (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (public_key: t_Slice u8)
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
      =
-  let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-    Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      v_K
-      (fun v__i ->
-          let v__i:usize = v__i in
-          Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
-          <:
-          Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+  let _:Prims.unit =
+    assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/
+        (v (cast v_COMPRESSION_FACTOR <: u32) == 11));
+    Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR)
   in
-  let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
-    deserialize_ring_elements_reduced v_PUBLIC_KEY_SIZE v_K #v_Vector public_key deserialized_pk
+  let result:t_Array u8 v_OUT_LEN =
+    match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
+    | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re
+    | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re
+    | _ ->
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
+          <:
+          Rust_primitives.Hax.t_Never)
   in
-  deserialized_pk
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
-let deserialize_to_uncompressed_ring_element
+let compress_then_serialize_ring_element_v
+      (v_K v_COMPRESSION_FACTOR v_OUT_LEN: usize)
       (#v_Vector: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
-      (serialized: t_Slice u8)
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (out: t_Slice u8)
      =
-  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector ()
+  let _:Prims.unit =
+    assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/
+        (v (cast v_COMPRESSION_FACTOR <: u32) == 5));
+    Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR)
   in
-  let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
-    Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24)
-      serialized
-      (fun re temp_1_ ->
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re temp_1_ ->
-          let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
-          let i, bytes:(usize & t_Slice u8) = temp_1_ in
-          {
-            re with
-            Libcrux_ml_kem.Polynomial.f_coefficients
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                .Libcrux_ml_kem.Polynomial.f_coefficients
-              i
-              (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector
-                  #FStar.Tactics.Typeclasses.solve
-                  bytes
-                <:
-                v_Vector)
-            <:
-            t_Array v_Vector (sz 16)
-          }
+  let out, result:(t_Slice u8 & Prims.unit) =
+    match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
+    | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit)
+    | 5ul -> compress_then_serialize_5_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit)
+    | _ ->
+      out,
+      Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
           <:
-          Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+          Rust_primitives.Hax.t_Never)
+      <:
+      (t_Slice u8 & Prims.unit)
   in
-  re
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  let hax_temp_output:Prims.unit = result in
+  out
 
 let serialize_uncompressed_ring_element
       (#v_Vector: Type0)
@@ -788,20 +898,26 @@ let serialize_uncompressed_ring_element
           Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
      =
+  let _:Prims.unit = assert_norm (pow2 12 == 4096) in
   let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in
   let serialized:t_Array u8 (sz 384) =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
-      (fun serialized temp_1_ ->
+      (fun serialized i ->
           let serialized:t_Array u8 (sz 384) = serialized in
-          let _:usize = temp_1_ in
-          true)
+          let i:usize = i in
+          v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re)
       serialized
       (fun serialized i ->
           let serialized:t_Array u8 (sz 384) = serialized in
           let i:usize = i in
+          let _:Prims.unit = assert (24 * v i + 24 <= 384) in
+          let _:Prims.unit =
+            reveal_opaque (`%coefficients_field_modulus_range)
+              (coefficients_field_modulus_range #v_Vector)
+          in
           let coefficient:v_Vector =
-            Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector
+            to_unsigned_field_modulus #v_Vector
               (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
           in
           let bytes:t_Array u8 (sz 24) =
@@ -832,4 +948,6 @@ let serialize_uncompressed_ring_element
           in
           serialized)
   in
-  serialized
+  let result:t_Array u8 (sz 384) = serialized in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti
index b320a6fd9..ba52b97a2 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -9,61 +9,41 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-val compress_then_serialize_10_
-      (v_OUT_LEN: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-    : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True)
+[@@ "opaque_to_smt"]
+let field_modulus_range (#v_Vector: Type0)
+        {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+        (a: v_Vector) =
+    let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in
+    forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) /\
+        v (Seq.index coef i) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
 
-val compress_then_serialize_11_
-      (v_OUT_LEN: usize)
-      (#v_Vector: Type0)
+[@@ "opaque_to_smt"]
+let coefficients_field_modulus_range (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-    : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True)
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+    forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i)
 
-val compress_then_serialize_4_
+val to_unsigned_field_modulus
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (serialized: t_Slice u8)
-    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val compress_then_serialize_5_
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (serialized: t_Slice u8)
-    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val compress_then_serialize_message
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-val compress_then_serialize_ring_element_u
-      (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-    : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True)
-
-val compress_then_serialize_ring_element_v
-      (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
-      (#v_Vector: Type0)
-      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
-      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      (out: t_Slice u8)
-    : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+      (a: v_Vector)
+    : Prims.Pure v_Vector
+      (requires field_modulus_range a)
+      (ensures
+        fun result ->
+          let result:v_Vector = result in
+          forall (i: nat).
+            i < 16 ==>
+            v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) >= 0 /\
+            v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) <
+            v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)
 
 val deserialize_then_decompress_10_
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (serialized: t_Slice u8)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
+      (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 320)
       (fun _ -> Prims.l_True)
 
 val deserialize_then_decompress_11_
@@ -71,7 +51,7 @@ val deserialize_then_decompress_11_
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (serialized: t_Slice u8)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
+      (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 352)
       (fun _ -> Prims.l_True)
 
 val deserialize_then_decompress_4_
@@ -79,7 +59,7 @@ val deserialize_then_decompress_4_
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (serialized: t_Slice u8)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
+      (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128)
       (fun _ -> Prims.l_True)
 
 val deserialize_then_decompress_5_
@@ -87,7 +67,7 @@ val deserialize_then_decompress_5_
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (serialized: t_Slice u8)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
+      (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160)
       (fun _ -> Prims.l_True)
 
 val deserialize_then_decompress_message
@@ -96,7 +76,11 @@ val deserialize_then_decompress_message
       (serialized: t_Array u8 (sz 32))
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
       Prims.l_True
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
+          Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
+          Spec.MLKEM.decode_then_decompress_message serialized)
 
 val deserialize_then_decompress_ring_element_u
       (v_COMPRESSION_FACTOR: usize)
@@ -104,17 +88,30 @@ val deserialize_then_decompress_ring_element_u
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (serialized: t_Slice u8)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) &&
+        (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize))
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
+          Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
+          Spec.MLKEM.byte_decode_then_decompress (v v_COMPRESSION_FACTOR) serialized)
 
 val deserialize_then_decompress_ring_element_v
-      (v_COMPRESSION_FACTOR: usize)
+      (v_K v_COMPRESSION_FACTOR: usize)
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (serialized: t_Slice u8)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        Seq.length serialized == 32 * v v_COMPRESSION_FACTOR)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
+          Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
+          Spec.MLKEM.decode_then_decompress_v #v_K serialized)
 
 /// Only use with public values.
 /// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`.
@@ -123,42 +120,161 @@ val deserialize_to_reduced_ring_element
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (serialized: t_Slice u8)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
+      (requires
+        (Core.Slice.impl__len #u8 serialized <: usize) =.
+        Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
       (fun _ -> Prims.l_True)
 
 /// See [deserialize_ring_elements_reduced_out].
 val deserialize_ring_elements_reduced
-      (v_PUBLIC_KEY_SIZE v_K: usize)
+      (v_K: usize)
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (public_key: t_Slice u8)
       (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
     : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K))
+      (ensures
+        fun deserialized_pk_future ->
+          let deserialized_pk_future:t_Array
+            (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+            deserialized_pk_future
+          in
+          Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector deserialized_pk_future ==
+          Spec.MLKEM.vector_decode_12 #v_K public_key)
 
 /// This function deserializes ring elements and reduces the result by the field
 /// modulus.
 /// This function MUST NOT be used on secret inputs.
 val deserialize_ring_elements_reduced_out
-      (v_PUBLIC_KEY_SIZE v_K: usize)
+      (v_K: usize)
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (public_key: t_Slice u8)
     : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K))
+      (ensures
+        fun result ->
+          let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+            result
+          in
+          forall (i: nat). i < v v_K ==> coefficients_field_modulus_range (Seq.index result i))
 
 val deserialize_to_uncompressed_ring_element
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (serialized: t_Slice u8)
     : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-      Prims.l_True
+      (requires
+        (Core.Slice.impl__len #u8 serialized <: usize) =.
+        Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
+          Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
+          Spec.MLKEM.byte_decode 12 serialized)
+
+val compress_then_serialize_10_
+      (v_OUT_LEN: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_Array u8 v_OUT_LEN)
+      (requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re)
       (fun _ -> Prims.l_True)
 
+val compress_then_serialize_11_
+      (v_OUT_LEN: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True)
+
+val compress_then_serialize_4_
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8)
+      (requires Seq.length serialized == 128 /\ coefficients_field_modulus_range re)
+      (ensures
+        fun serialized_future ->
+          let serialized_future:t_Slice u8 = serialized_future in
+          Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized)
+
+val compress_then_serialize_5_
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (serialized: t_Slice u8)
+    : Prims.Pure (t_Slice u8)
+      (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160)
+      (ensures
+        fun serialized_future ->
+          let serialized_future:t_Slice u8 = serialized_future in
+          Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized)
+
+val compress_then_serialize_message
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_Array u8 (sz 32))
+      (requires coefficients_field_modulus_range re)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 32) = result in
+          result ==
+          Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector
+                re))
+
+val compress_then_serialize_ring_element_u
+      (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+    : Prims.Pure (t_Array u8 v_OUT_LEN)
+      (requires
+        (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\
+        v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_OUT_LEN = result in
+          result ==
+          Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR)
+            (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re))
+
+val compress_then_serialize_ring_element_v
+      (v_K v_COMPRESSION_FACTOR v_OUT_LEN: usize)
+      (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+      (out: t_Slice u8)
+    : Prims.Pure (t_Slice u8)
+      (requires
+        Spec.MLKEM.is_rank v_K /\
+        v_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+        Seq.length out == v v_OUT_LEN /\ v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\
+        coefficients_field_modulus_range re)
+      (ensures
+        fun out_future ->
+          let out_future:t_Slice u8 = out_future in
+          Core.Slice.impl__len #u8 out_future == Core.Slice.impl__len #u8 out /\
+          out_future ==
+          Spec.MLKEM.compress_then_encode_v #v_K
+            (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re))
+
 val serialize_uncompressed_ring_element
       (#v_Vector: Type0)
       {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
       (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
-    : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array u8 (sz 384))
+      (requires coefficients_field_modulus_range re)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 384) = result in
+          result ==
+          Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti
new file mode 100644
index 000000000..1910c0b08
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti
@@ -0,0 +1,48 @@
+module Libcrux_ml_kem.Types.Unpacked
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_kem.Vector.Traits in
+  ()
+
+/// An unpacked ML-KEM IND-CPA Private Key
+type t_IndCpaPrivateKeyUnpacked
+  (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+  = { f_secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K }
+
+/// An unpacked ML-KEM IND-CPA Private Key
+type t_IndCpaPublicKeyUnpacked
+  (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+  = {
+  f_t_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K;
+  f_seed_for_A:t_Array u8 (sz 32);
+  f_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K
+}
+
+/// An unpacked ML-KEM IND-CCA Private Key
+type t_MlKemPrivateKeyUnpacked
+  (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+  = {
+  f_ind_cpa_private_key:t_IndCpaPrivateKeyUnpacked v_K v_Vector;
+  f_implicit_rejection_value:t_Array u8 (sz 32)
+}
+
+/// An unpacked ML-KEM IND-CCA Private Key
+type t_MlKemPublicKeyUnpacked
+  (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+  = {
+  f_ind_cpa_public_key:t_IndCpaPublicKeyUnpacked v_K v_Vector;
+  f_public_key_hash:t_Array u8 (sz 32)
+}
+
+/// An unpacked ML-KEM KeyPair
+type t_MlKemKeyPairUnpacked
+  (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+  = {
+  f_private_key:t_MlKemPrivateKeyUnpacked v_K v_Vector;
+  f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector
+}
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
index c3f5d2135..d4dea7527 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
@@ -1,53 +1,180 @@
 module Libcrux_ml_kem.Types
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-let impl_7__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+/// The number of bytes
+let impl_6__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
 
-let impl_14__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+/// The number of bytes
+let impl_13__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
 
-let impl_21__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+/// The number of bytes
+let impl_20__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
 
-let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private_key: t_Slice u8) =
-  let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) =
-    Core.Slice.impl__split_at #u8 private_key v_CPA_SECRET_KEY_SIZE
-  in
-  let ind_cpa_public_key, secret_key:(t_Slice u8 & t_Slice u8) =
-    Core.Slice.impl__split_at #u8 secret_key v_PUBLIC_KEY_SIZE
-  in
-  let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) =
-    Core.Slice.impl__split_at #u8 secret_key Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
-  in
-  ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value
-  <:
-  (t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8)
+///An ML-KEM Ciphertext
+type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true);
+    f_from
+    =
+    fun (value: t_Array u8 v_SIZE) ->
+      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
+      <:
+      t_MlKemCiphertext v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true);
+    f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true);
+    f_from = fun (value: t_MlKemCiphertext v_SIZE) -> value.f_value
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post
+    =
+    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemCiphertext v_SIZE) -> result.f_value = value);
+    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE
+  }
+
+/// A reference to the raw byte slice.
+let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE)
+    : Prims.Pure (t_Array u8 v_SIZE)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_SIZE = result in
+          result == self.f_value) = self.f_value
+
+///An ML-KEM Private key
+type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
-let impl_7__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true);
+    f_from
+    =
+    fun (value: t_Array u8 v_SIZE) ->
+      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
+      <:
+      t_MlKemPrivateKey v_SIZE
+  }
 
-let impl_14__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true);
+    f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
+    f_from = fun (value: t_MlKemPrivateKey v_SIZE) -> value.f_value
+  }
 
-let impl_21__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post
+    =
+    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPrivateKey v_SIZE) -> result.f_value = value);
+    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE
+  }
+
+/// A reference to the raw byte slice.
+let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE)
+    : Prims.Pure (t_Array u8 v_SIZE)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_SIZE = result in
+          result == self.f_value) = self.f_value
+
+///An ML-KEM Public key
+type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
 
-let impl__from
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true);
+    f_from
+    =
+    fun (value: t_Array u8 v_SIZE) ->
+      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
+      <:
+      t_MlKemPublicKey v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true);
+    f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
+    f_from = fun (value: t_MlKemPublicKey v_SIZE) -> value.f_value
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
+  {
+    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+    f_from_post
+    =
+    (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPublicKey v_SIZE) -> result.f_value = value);
+    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE
+  }
+
+/// A reference to the raw byte slice.
+let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE)
+    : Prims.Pure (t_Array u8 v_SIZE)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_SIZE = result in
+          result == self.f_value) = self.f_value
+
+/// An ML-KEM key pair
+type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = {
+  f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE;
+  f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE
+}
+
+/// Create a new [`MlKemKeyPair`] from the secret and public key.
+let impl_21__from
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
       (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-     = { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
+    : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in
+          result.f_sk == sk /\ result.f_pk == pk) =
+  { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
 
-let impl__into_parts
+/// Separate this key into the public and private key.
+let impl_21__into_parts
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     =
+    : (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) =
   self.f_sk, self.f_pk
   <:
   (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
 
-let impl__new
+/// Creates a new [`MlKemKeyPair`].
+let impl_21__new
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (sk: t_Array u8 v_PRIVATE_KEY_SIZE)
       (pk: t_Array u8 v_PUBLIC_KEY_SIZE)
-     =
+    : t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE =
   {
     f_sk
     =
@@ -65,22 +192,225 @@ let impl__new
   <:
   t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
 
-let impl__pk
+/// Get a reference to the raw public key bytes.
+let impl_21__pk
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     = impl_21__as_slice v_PUBLIC_KEY_SIZE self.f_pk
+    : t_Array u8 v_PUBLIC_KEY_SIZE = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk
 
-let impl__private_key
+/// Get a reference to the [`MlKemPrivateKey<PRIVATE_KEY_SIZE>`].
+let impl_21__private_key
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     = self.f_sk
+    : t_MlKemPrivateKey v_PRIVATE_KEY_SIZE = self.f_sk
 
-let impl__public_key
+/// Get a reference to the [`MlKemPublicKey<PUBLIC_KEY_SIZE>`].
+let impl_21__public_key
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     = self.f_pk
+    : t_MlKemPublicKey v_PUBLIC_KEY_SIZE = self.f_pk
 
-let impl__sk
+/// Get a reference to the raw private key bytes.
+let impl_21__sk
       (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
       (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-     = impl_14__as_slice v_PRIVATE_KEY_SIZE self.f_sk
+    : t_Array u8 v_PRIVATE_KEY_SIZE = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk
+
+/// Unpack an incoming private key into it\'s different parts.
+/// We have this here in types to extract into a common core for C.
+let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private_key: t_Slice u8)
+    : Prims.Pure (t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8)
+      (requires
+        Seq.length private_key >=
+        v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE + v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)
+      (ensures
+        fun result ->
+          let result:(t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8) = result in
+          let ind_cpa_secret_key_s, rest = split private_key v_CPA_SECRET_KEY_SIZE in
+          let ind_cpa_public_key_s, rest = split rest v_PUBLIC_KEY_SIZE in
+          let ind_cpa_public_key_hash_s, implicit_rejection_value_s =
+            split rest Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
+          in
+          let
+          ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value
+          =
+            result
+          in
+          ind_cpa_secret_key_s == ind_cpa_secret_key /\ ind_cpa_public_key_s == ind_cpa_public_key /\
+          ind_cpa_public_key_hash_s == ind_cpa_public_key_hash /\
+          implicit_rejection_value_s == implicit_rejection_value /\
+          Seq.length ind_cpa_secret_key == v v_CPA_SECRET_KEY_SIZE /\
+          Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE /\
+          Seq.length ind_cpa_public_key_hash == v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE /\
+          Seq.length implicit_rejection_value ==
+          Seq.length private_key -
+          (v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE +
+            v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)) =
+  let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) =
+    Core.Slice.impl__split_at #u8 private_key v_CPA_SECRET_KEY_SIZE
+  in
+  let ind_cpa_public_key, secret_key:(t_Slice u8 & t_Slice u8) =
+    Core.Slice.impl__split_at #u8 secret_key v_PUBLIC_KEY_SIZE
+  in
+  let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) =
+    Core.Slice.impl__split_at #u8 secret_key Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
+  in
+  ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value
+  <:
+  (t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) =
+  {
+    f_default_pre = (fun (_: Prims.unit) -> true);
+    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true);
+    f_default
+    =
+    fun (_: Prims.unit) ->
+      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
+  {
+    f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true);
+    f_as_ref_post
+    =
+    (fun (self___: t_MlKemCiphertext v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+    f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
+  {
+    f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true);
+    f_as_ref_post
+    =
+    (fun (self___: t_MlKemPrivateKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+    f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
+  {
+    f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true);
+    f_as_ref_post
+    =
+    (fun (self___: t_MlKemPublicKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+    f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_3 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
+  {
+    f_Error = Core.Array.t_TryFromSliceError;
+    f_try_from_pre = (fun (value: t_Slice u8) -> true);
+    f_try_from_post
+    =
+    (fun
+        (value: t_Slice u8)
+        (out: Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError)
+        ->
+        true);
+    f_try_from
+    =
+    fun (value: t_Slice u8) ->
+      match
+        Core.Convert.f_try_into #(t_Slice u8)
+          #(t_Array u8 v_SIZE)
+          #FStar.Tactics.Typeclasses.solve
+          value
+      with
+      | Core.Result.Result_Ok value ->
+        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemCiphertext v_SIZE)
+        <:
+        Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
+      | Core.Result.Result_Err e ->
+        Core.Result.Result_Err e
+        <:
+        Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_10 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
+  {
+    f_Error = Core.Array.t_TryFromSliceError;
+    f_try_from_pre = (fun (value: t_Slice u8) -> true);
+    f_try_from_post
+    =
+    (fun
+        (value: t_Slice u8)
+        (out: Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError)
+        ->
+        true);
+    f_try_from
+    =
+    fun (value: t_Slice u8) ->
+      match
+        Core.Convert.f_try_into #(t_Slice u8)
+          #(t_Array u8 v_SIZE)
+          #FStar.Tactics.Typeclasses.solve
+          value
+      with
+      | Core.Result.Result_Ok value ->
+        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPrivateKey v_SIZE)
+        <:
+        Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
+      | Core.Result.Result_Err e ->
+        Core.Result.Result_Err e
+        <:
+        Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_17 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
+  {
+    f_Error = Core.Array.t_TryFromSliceError;
+    f_try_from_pre = (fun (value: t_Slice u8) -> true);
+    f_try_from_post
+    =
+    (fun
+        (value: t_Slice u8)
+        (out: Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError)
+        ->
+        true);
+    f_try_from
+    =
+    fun (value: t_Slice u8) ->
+      match
+        Core.Convert.f_try_into #(t_Slice u8)
+          #(t_Array u8 v_SIZE)
+          #FStar.Tactics.Typeclasses.solve
+          value
+      with
+      | Core.Result.Result_Ok value ->
+        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPublicKey v_SIZE)
+        <:
+        Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
+      | Core.Result.Result_Err e ->
+        Core.Result.Result_Err e
+        <:
+        Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
+  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
deleted file mode 100644
index 8cf66b7dd..000000000
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
+++ /dev/null
@@ -1,338 +0,0 @@
-module Libcrux_ml_kem.Types
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
-open Core
-open FStar.Mul
-
-/// The number of bytes
-val impl_7__len: v_SIZE: usize -> Prims.unit
-  -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-
-/// The number of bytes
-val impl_14__len: v_SIZE: usize -> Prims.unit
-  -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-
-/// The number of bytes
-val impl_21__len: v_SIZE: usize -> Prims.unit
-  -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-
-/// Unpack an incoming private key into it's different parts.
-///
-/// We have this here in types to extract into a common core for C.
-val unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private_key: t_Slice u8)
-    : Prims.Pure (t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-///An ML-KEM Ciphertext
-type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_1 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_2 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
-  {
-    f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true);
-    f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true);
-    f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true);
-    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true);
-    f_from
-    =
-    fun (value: t_Array u8 v_SIZE) ->
-      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
-      <:
-      t_MlKemCiphertext v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true);
-    f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true);
-    f_from = fun (value: t_MlKemCiphertext v_SIZE) -> value.f_value
-  }
-
-/// A reference to the raw byte slice.
-val impl_7__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE)
-    : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-///An ML-KEM Private key
-type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_8 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_9 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
-  {
-    f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true);
-    f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true);
-    f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true);
-    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true);
-    f_from
-    =
-    fun (value: t_Array u8 v_SIZE) ->
-      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
-      <:
-      t_MlKemPrivateKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true);
-    f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
-    f_from = fun (value: t_MlKemPrivateKey v_SIZE) -> value.f_value
-  }
-
-/// A reference to the raw byte slice.
-val impl_14__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE)
-    : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-///An ML-KEM Public key
-type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_15 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) =
-  {
-    f_default_pre = (fun (_: Prims.unit) -> true);
-    f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true);
-    f_default
-    =
-    fun (_: Prims.unit) ->
-      { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_16 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
-  {
-    f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true);
-    f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true);
-    f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true);
-    f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
-    f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true);
-    f_from
-    =
-    fun (value: t_Array u8 v_SIZE) ->
-      { f_value = Core.Clone.f_clone #(t_Array u8 v_SIZE) #FStar.Tactics.Typeclasses.solve value }
-      <:
-      t_MlKemPublicKey v_SIZE
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) =
-  {
-    f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true);
-    f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true);
-    f_from = fun (value: t_MlKemPublicKey v_SIZE) -> value.f_value
-  }
-
-/// A reference to the raw byte slice.
-val impl_21__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE)
-    : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_6 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
-  {
-    f_Error = Core.Array.t_TryFromSliceError;
-    f_try_from_pre = (fun (value: t_Slice u8) -> true);
-    f_try_from_post
-    =
-    (fun
-        (value: t_Slice u8)
-        (out: Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError)
-        ->
-        true);
-    f_try_from
-    =
-    fun (value: t_Slice u8) ->
-      match
-        Core.Convert.f_try_into #(t_Slice u8)
-          #(t_Array u8 v_SIZE)
-          #FStar.Tactics.Typeclasses.solve
-          value
-      with
-      | Core.Result.Result_Ok value ->
-        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemCiphertext v_SIZE)
-        <:
-        Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
-      | Core.Result.Result_Err e ->
-        Core.Result.Result_Err e
-        <:
-        Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_13 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
-  {
-    f_Error = Core.Array.t_TryFromSliceError;
-    f_try_from_pre = (fun (value: t_Slice u8) -> true);
-    f_try_from_post
-    =
-    (fun
-        (value: t_Slice u8)
-        (out: Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError)
-        ->
-        true);
-    f_try_from
-    =
-    fun (value: t_Slice u8) ->
-      match
-        Core.Convert.f_try_into #(t_Slice u8)
-          #(t_Array u8 v_SIZE)
-          #FStar.Tactics.Typeclasses.solve
-          value
-      with
-      | Core.Result.Result_Ok value ->
-        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPrivateKey v_SIZE)
-        <:
-        Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
-      | Core.Result.Result_Err e ->
-        Core.Result.Result_Err e
-        <:
-        Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
-  }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_20 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
-  {
-    f_Error = Core.Array.t_TryFromSliceError;
-    f_try_from_pre = (fun (value: t_Slice u8) -> true);
-    f_try_from_post
-    =
-    (fun
-        (value: t_Slice u8)
-        (out: Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError)
-        ->
-        true);
-    f_try_from
-    =
-    fun (value: t_Slice u8) ->
-      match
-        Core.Convert.f_try_into #(t_Slice u8)
-          #(t_Array u8 v_SIZE)
-          #FStar.Tactics.Typeclasses.solve
-          value
-      with
-      | Core.Result.Result_Ok value ->
-        Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPublicKey v_SIZE)
-        <:
-        Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
-      | Core.Result.Result_Err e ->
-        Core.Result.Result_Err e
-        <:
-        Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
-  }
-
-/// An ML-KEM key pair
-type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = {
-  f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE;
-  f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE
-}
-
-/// Create a new [`MlKemKeyPair`] from the secret and public key.
-val impl__from
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
-      (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Separate this key into the public and private key.
-val impl__into_parts
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Creates a new [`MlKemKeyPair`].
-val impl__new
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (sk: t_Array u8 v_PRIVATE_KEY_SIZE)
-      (pk: t_Array u8 v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-/// Get a reference to the raw public key bytes.
-val impl__pk
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get a reference to the [`MlKemPrivateKey<PRIVATE_KEY_SIZE>`].
-val impl__private_key
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get a reference to the [`MlKemPublicKey<PUBLIC_KEY_SIZE>`].
-val impl__public_key
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get a reference to the raw private key bytes.
-val impl__sk
-      (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
-      (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
-    : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst
index 7af62082c..84b152b40 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst
@@ -1,8 +1,55 @@
 module Libcrux_ml_kem.Utils
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+#push-options "--z3rlimit 200"
+
+let prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (domain_separator: u8) =
+  let v__domain_separator_init:u8 = domain_separator in
+  let v__prf_inputs_init:t_Array (t_Array u8 (sz 33)) v_K =
+    Core.Clone.f_clone #(t_Array (t_Array u8 (sz 33)) v_K)
+      #FStar.Tactics.Typeclasses.solve
+      prf_inputs
+  in
+  let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) =
+    Rust_primitives.Hax.Folds.fold_range (sz 0)
+      v_K
+      (fun temp_0_ i ->
+          let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in
+          let i:usize = i in
+          v domain_separator == v v__domain_separator_init + v i /\
+          (v i < v v_K ==>
+            (forall (j: nat).
+                (j >= v i /\ j < v v_K) ==> prf_inputs.[ sz j ] == v__prf_inputs_init.[ sz j ])) /\
+          (forall (j: nat).
+              j < v i ==>
+              v (Seq.index (Seq.index prf_inputs j) 32) == v v__domain_separator_init + j /\
+              Seq.slice (Seq.index prf_inputs j) 0 32 ==
+              Seq.slice (Seq.index v__prf_inputs_init j) 0 32))
+      (domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K))
+      (fun temp_0_ i ->
+          let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in
+          let i:usize = i in
+          let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_inputs
+              i
+              (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (prf_inputs.[ i ]
+                    <:
+                    t_Array u8 (sz 33))
+                  (sz 32)
+                  domain_separator
+                <:
+                t_Array u8 (sz 33))
+          in
+          let domain_separator:u8 = domain_separator +! 1uy in
+          domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K))
+  in
+  let hax_temp_output:u8 = domain_separator in
+  prf_inputs, hax_temp_output <: (t_Array (t_Array u8 (sz 33)) v_K & u8)
+
+#pop-options
+
 let into_padded_array (v_LEN: usize) (slice: t_Slice u8) =
   let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in
   let out:t_Array u8 v_LEN =
@@ -26,4 +73,21 @@ let into_padded_array (v_LEN: usize) (slice: t_Slice u8) =
         <:
         t_Slice u8)
   in
+  let _:Prims.unit = assert (Seq.slice out 0 (Seq.length slice) == slice) in
+  let _:Prims.unit =
+    assert (Seq.slice out (Seq.length slice) (v v_LEN) ==
+        Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN))
+  in
+  let _:Prims.unit =
+    assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i)
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          (i >= Seq.length slice && i < v v_LEN) ==>
+          Seq.index out i ==
+          Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice))
+  in
+  let _:Prims.unit =
+    Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy))
+  in
   out
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti
index df9ce411d..033a1e9d3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti
@@ -1,10 +1,27 @@
 module Libcrux_ml_kem.Utils
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+val prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (domain_separator: u8)
+    : Prims.Pure (t_Array (t_Array u8 (sz 33)) v_K & u8)
+      (requires range (v domain_separator + v v_K) u8_inttype)
+      (ensures
+        fun temp_0_ ->
+          let prf_inputs_future, ds:(t_Array (t_Array u8 (sz 33)) v_K & u8) = temp_0_ in
+          v ds == v domain_separator + v v_K /\
+          (forall (i: nat).
+              i < v v_K ==>
+              v (Seq.index (Seq.index prf_inputs_future i) 32) == v domain_separator + i /\
+              Seq.slice (Seq.index prf_inputs_future i) 0 32 ==
+              Seq.slice (Seq.index prf_inputs i) 0 32))
+
 /// Pad the `slice` with `0`s at the end.
 val into_padded_array (v_LEN: usize) (slice: t_Slice u8)
     : Prims.Pure (t_Array u8 v_LEN)
       (requires (Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN)
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun result ->
+          let result:t_Array u8 v_LEN = result in
+          result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy)
+      )
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fst
new file mode 100644
index 000000000..dcdeb0041
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fst
@@ -0,0 +1,166 @@
+module Libcrux_ml_kem.Variant
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_kem.Hash_functions in
+  ()
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: t_Variant t_MlKem =
+  {
+    f_kdf_pre
+    =
+    (fun
+        (v_K: usize)
+        (v_CIPHERTEXT_SIZE: usize)
+        (#v_Hasher: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+        (shared_secret: t_Slice u8)
+        (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+        ->
+        (Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32);
+    f_kdf_post
+    =
+    (fun
+        (v_K: usize)
+        (v_CIPHERTEXT_SIZE: usize)
+        (#v_Hasher: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+        (shared_secret: t_Slice u8)
+        (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+        (res: t_Array u8 (sz 32))
+        ->
+        res == shared_secret);
+    f_kdf
+    =
+    (fun
+        (v_K: usize)
+        (v_CIPHERTEXT_SIZE: usize)
+        (#v_Hasher: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+        (shared_secret: t_Slice u8)
+        (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+        ->
+        let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+        let out:t_Array u8 (sz 32) = Core.Slice.impl__copy_from_slice #u8 out shared_secret in
+        out);
+    f_entropy_preprocess_pre
+    =
+    (fun
+        (v_K: usize)
+        (#v_Hasher: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+        (randomness: t_Slice u8)
+        ->
+        (Core.Slice.impl__len #u8 randomness <: usize) =. sz 32);
+    f_entropy_preprocess_post
+    =
+    (fun
+        (v_K: usize)
+        (#v_Hasher: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+        (randomness: t_Slice u8)
+        (res: t_Array u8 (sz 32))
+        ->
+        res == randomness);
+    f_entropy_preprocess
+    =
+    (fun
+        (v_K: usize)
+        (#v_Hasher: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+        (randomness: t_Slice u8)
+        ->
+        let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+        let out:t_Array u8 (sz 32) = Core.Slice.impl__copy_from_slice #u8 out randomness in
+        out);
+    f_cpa_keygen_seed_pre
+    =
+    (fun
+        (v_K: usize)
+        (#v_Hasher: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+        (key_generation_seed: t_Slice u8)
+        ->
+        (Core.Slice.impl__len #u8 key_generation_seed <: usize) =. sz 32);
+    f_cpa_keygen_seed_post
+    =
+    (fun
+        (v_K: usize)
+        (#v_Hasher: Type0)
+        (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i3:
+          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+        (key_generation_seed: t_Slice u8)
+        (res: t_Array u8 (sz 64))
+        ->
+        Seq.length key_generation_seed == 32 ==>
+        res == Spec.Utils.v_G (Seq.append key_generation_seed (Seq.create 1 (cast v_K <: u8))));
+    f_cpa_keygen_seed
+    =
+    fun
+      (v_K: usize)
+      (#v_Hasher: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+        i3:
+        Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+      (key_generation_seed: t_Slice u8)
+      ->
+      let seed:t_Array u8 (sz 33) = Rust_primitives.Hax.repeat 0uy (sz 33) in
+      let seed:t_Array u8 (sz 33) =
+        Rust_primitives.Hax.Monomorphized_update_at.update_at_range seed
+          ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+          (Core.Slice.impl__copy_from_slice #u8
+              (seed.[ {
+                    Core.Ops.Range.f_start = sz 0;
+                    Core.Ops.Range.f_end
+                    =
+                    Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
+                  }
+                  <:
+                  Core.Ops.Range.t_Range usize ]
+                <:
+                t_Slice u8)
+              key_generation_seed
+            <:
+            t_Slice u8)
+      in
+      let seed:t_Array u8 (sz 33) =
+        Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed
+          Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
+          (cast (v_K <: usize) <: u8)
+      in
+      let _:Prims.unit =
+        Lib.Sequence.eq_intro #u8
+          #33
+          seed
+          (Seq.append key_generation_seed (Seq.create 1 (cast v_K <: u8)))
+      in
+      Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
+        #v_K
+        #FStar.Tactics.Typeclasses.solve
+        (seed <: t_Slice u8)
+  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti
index 4d6616fd4..9f3dc29f3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Variant
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -27,18 +27,18 @@ class t_Variant (v_Self: Type0) = {
       v_CIPHERTEXT_SIZE: usize ->
       #v_Hasher: Type0 ->
       {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
-      t_Slice u8 ->
-      Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE
-    -> Type0;
+      shared_secret: t_Slice u8 ->
+      ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE
+    -> pred: Type0{(Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32 ==> pred};
   f_kdf_post:
       v_K: usize ->
       v_CIPHERTEXT_SIZE: usize ->
       #v_Hasher: Type0 ->
       {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
-      t_Slice u8 ->
-      Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE ->
-      t_Array u8 (sz 32)
-    -> Type0;
+      shared_secret: t_Slice u8 ->
+      ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE ->
+      res: t_Array u8 (sz 32)
+    -> pred: Type0{pred ==> res == shared_secret};
   f_kdf:
       v_K: usize ->
       v_CIPHERTEXT_SIZE: usize ->
@@ -53,15 +53,15 @@ class t_Variant (v_Self: Type0) = {
       v_K: usize ->
       #v_Hasher: Type0 ->
       {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
-      t_Slice u8
-    -> Type0;
+      randomness: t_Slice u8
+    -> pred: Type0{(Core.Slice.impl__len #u8 randomness <: usize) =. sz 32 ==> pred};
   f_entropy_preprocess_post:
       v_K: usize ->
       #v_Hasher: Type0 ->
       {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
-      t_Slice u8 ->
-      t_Array u8 (sz 32)
-    -> Type0;
+      randomness: t_Slice u8 ->
+      res: t_Array u8 (sz 32)
+    -> pred: Type0{pred ==> res == randomness};
   f_entropy_preprocess:
       v_K: usize ->
       #v_Hasher: Type0 ->
@@ -73,171 +73,29 @@ class t_Variant (v_Self: Type0) = {
   f_cpa_keygen_seed_pre:
       v_K: usize ->
       #v_Hasher: Type0 ->
-      {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
-      t_Slice u8
-    -> Type0;
+      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
+      seed: t_Slice u8
+    -> pred: Type0{(Core.Slice.impl__len #u8 seed <: usize) =. sz 32 ==> pred};
   f_cpa_keygen_seed_post:
       v_K: usize ->
       #v_Hasher: Type0 ->
-      {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
-      t_Slice u8 ->
-      t_Array u8 (sz 64)
-    -> Type0;
+      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
+      seed: t_Slice u8 ->
+      res: t_Array u8 (sz 64)
+    -> pred:
+      Type0
+        { pred ==>
+          Seq.length seed == 32 ==>
+          res == Spec.Utils.v_G (Seq.append seed (Seq.create 1 (cast v_K <: u8))) };
   f_cpa_keygen_seed:
       v_K: usize ->
       #v_Hasher: Type0 ->
-      {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
+      {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} ->
       x0: t_Slice u8
     -> Prims.Pure (t_Array u8 (sz 64))
-        (f_cpa_keygen_seed_pre v_K #v_Hasher #i4 x0)
-        (fun result -> f_cpa_keygen_seed_post v_K #v_Hasher #i4 x0 result)
+        (f_cpa_keygen_seed_pre v_K #v_Hasher #i3 x0)
+        (fun result -> f_cpa_keygen_seed_post v_K #v_Hasher #i3 x0 result)
 }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl: t_Variant t_MlKem =
-  {
-    f_kdf_pre
-    =
-    (fun
-        (v_K: usize)
-        (v_CIPHERTEXT_SIZE: usize)
-        (#v_Hasher: Type0)
-        (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-        (shared_secret: t_Slice u8)
-        (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-        ->
-        true);
-    f_kdf_post
-    =
-    (fun
-        (v_K: usize)
-        (v_CIPHERTEXT_SIZE: usize)
-        (#v_Hasher: Type0)
-        (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-        (shared_secret: t_Slice u8)
-        (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-        (out1: t_Array u8 (sz 32))
-        ->
-        true);
-    f_kdf
-    =
-    (fun
-        (v_K: usize)
-        (v_CIPHERTEXT_SIZE: usize)
-        (#v_Hasher: Type0)
-        (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-        (shared_secret: t_Slice u8)
-        (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
-        ->
-        let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
-        let out:t_Array u8 (sz 32) = Core.Slice.impl__copy_from_slice #u8 out shared_secret in
-        out);
-    f_entropy_preprocess_pre
-    =
-    (fun
-        (v_K: usize)
-        (#v_Hasher: Type0)
-        (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-        (randomness: t_Slice u8)
-        ->
-        true);
-    f_entropy_preprocess_post
-    =
-    (fun
-        (v_K: usize)
-        (#v_Hasher: Type0)
-        (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-        (randomness: t_Slice u8)
-        (out1: t_Array u8 (sz 32))
-        ->
-        true);
-    f_entropy_preprocess
-    =
-    (fun
-        (v_K: usize)
-        (#v_Hasher: Type0)
-        (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i3:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-        (randomness: t_Slice u8)
-        ->
-        let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
-        let out:t_Array u8 (sz 32) = Core.Slice.impl__copy_from_slice #u8 out randomness in
-        out);
-    f_cpa_keygen_seed_pre
-    =
-    (fun
-        (v_K: usize)
-        (#v_Hasher: Type0)
-        (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-        (key_generation_seed: t_Slice u8)
-        ->
-        true);
-    f_cpa_keygen_seed_post
-    =
-    (fun
-        (v_K: usize)
-        (#v_Hasher: Type0)
-        (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i4:
-          Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-        (key_generation_seed: t_Slice u8)
-        (out: t_Array u8 (sz 64))
-        ->
-        true);
-    f_cpa_keygen_seed
-    =
-    fun
-      (v_K: usize)
-      (#v_Hasher: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-        i4:
-        Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
-      (key_generation_seed: t_Slice u8)
-      ->
-      let seed:t_Array u8 (sz 33) = Rust_primitives.Hax.repeat 0uy (sz 33) in
-      let seed:t_Array u8 (sz 33) =
-        Rust_primitives.Hax.Monomorphized_update_at.update_at_range seed
-          ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-          (Core.Slice.impl__copy_from_slice #u8
-              (seed.[ {
-                    Core.Ops.Range.f_start = sz 0;
-                    Core.Ops.Range.f_end
-                    =
-                    Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
-                  }
-                  <:
-                  Core.Ops.Range.t_Range usize ]
-                <:
-                t_Slice u8)
-              key_generation_seed
-            <:
-            t_Slice u8)
-      in
-      let seed:t_Array u8 (sz 33) =
-        Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed
-          Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE
-          (cast (v_K <: usize) <: u8)
-      in
-      Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
-        #v_K
-        #FStar.Tactics.Typeclasses.solve
-        (seed <: t_Slice u8)
-  }
+val impl:t_Variant t_MlKem
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
index 81d8b74e0..a80c67948 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
@@ -1,59 +1,204 @@
 module Libcrux_ml_kem.Vector.Avx2.Arithmetic
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-let add (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
+let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma 
+  (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i))))
+  (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) ==
+            (v (get_lane lhs i) + v (get_lane rhs i))))
+  [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()
 
-let bitwise_and_with_constant (vector: u8) (constant: i16) =
-  Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector
-    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant <: u8)
+let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
+  in
+  let _:Prims.unit =
+    assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i);
+    assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i))
+  in
+  result
 
-let multiply_by_constant (vector: u8) (constant: i16) =
-  Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector
-    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant <: u8)
+let bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) =
+  let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant
+  in
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector cv
+  in
+  let _:Prims.unit =
+    Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)
+      (Spec.Utils.map_array (fun x -> x &. constant)
+          (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+  in
+  result
 
-let shift_right (v_SHIFT_BY: i32) (vector: u8) =
-  Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector
+let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16):  Lemma 
+  (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c)))
+  (ensures (v (mul_mod (get_lane lhs i) c) ==
+            (v (get_lane lhs i) * v c)))
+  [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()
 
-let sub (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs
+let multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) =
+  let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant
+  in
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector cv
+  in
+  let _:Prims.unit =
+    Seq.lemma_eq_intro (vec256_as_i16x16 result)
+      (Spec.Utils.map_array (fun x -> x *. constant)
+          (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+  in
+  let _:Prims.unit =
+    assert (forall i. get_lane result i == get_lane vector i *. constant);
+    assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant);
+    assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant)
+  in
+  result
 
-let barrett_reduce (vector: u8) =
-  let t:u8 =
+let shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector
+  in
+  let _:Prims.unit =
+    Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)
+      (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY)
+          (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+  in
+  result
+
+let lemma_sub_i (lhs rhs: t_Vec256) (i:nat):  Lemma 
+  (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))))
+  (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) ==
+            (v (get_lane lhs i) - v (get_lane rhs i))))
+  [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()
+
+let sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs
+  in
+  let _:Prims.unit =
+    assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i);
+    assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))
+  in
+  result
+
+#push-options "--z3rlimit 200"
+
+let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let t0:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector
-      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 v_BARRETT_MULTIPLIER <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 v_BARRETT_MULTIPLIER
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          get_lane t0 i ==
+          (cast (((cast (get_lane vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l)
+            <:
+            i16))
+  in
+  let t512:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s
   in
-  let t:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t
-      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s <: u8)
+  let _:Prims.unit = assert (forall i. get_lane t512 i == 512s) in
+  let t1:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t0 t512
   in
-  let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 10l t in
-  let quotient_times_field_modulus:u8 =
+  let _:Prims.unit = assert (forall i. get_lane t1 i == get_lane t0 i +. 512s) in
+  let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 10l t1
+  in
+  let _:Prims.unit =
+    assert (forall i. get_lane quotient i == (((get_lane t1 i) <: i16) >>! (10l <: i32)))
+  in
+  let quotient_times_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 quotient
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          get_lane quotient_times_field_modulus i ==
+          get_lane quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)
   in
-  Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector quotient_times_field_modulus
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector quotient_times_field_modulus
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          get_lane result i == get_lane vector i -. get_lane quotient_times_field_modulus i);
+    assert (forall i. get_lane result i == Spec.Utils.barrett_red (get_lane vector i));
+    assert (forall i. v (get_lane result i) % 3329 == v (get_lane vector i) % 3329);
+    assert (forall i. Spec.Utils.is_i16b 3328 (get_lane result i));
+    assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i));
+    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result))
+  in
+  result
+
+#pop-options
 
-let cond_subtract_3329_ (vector: u8) =
-  let field_modulus:u8 =
+#push-options "--z3rlimit 100"
+
+let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
   in
-  let vv_minus_field_modulus:u8 =
+  let _:Prims.unit = assert (forall i. get_lane field_modulus i == 3329s) in
+  let vv_minus_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector field_modulus
   in
-  let sign_mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus in
-  let conditional_add_field_modulus:u8 =
+  let _:Prims.unit =
+    assert (forall i. get_lane vv_minus_field_modulus i == get_lane vector i -. 3329s)
+  in
+  let sign_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus
+  in
+  let _:Prims.unit =
+    assert (forall i. get_lane sign_mask i == (get_lane vv_minus_field_modulus i >>! 15l))
+  in
+  let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_and_si256 sign_mask field_modulus
   in
-  Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus
-    conditional_add_field_modulus
+  let _:Prims.unit =
+    assert (forall i. get_lane conditional_add_field_modulus i == (get_lane sign_mask i &. 3329s))
+  in
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus
+      conditional_add_field_modulus
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          get_lane result i ==
+          (get_lane vv_minus_field_modulus i +. get_lane conditional_add_field_modulus i));
+    assert (forall i. get_lane result i == Spec.Utils.cond_sub (get_lane vector i));
+    assert (forall i.
+          get_lane result i ==
+          (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i))
+  in
+  result
+
+#pop-options
 
-let montgomery_multiply_by_constant (vector: u8) (constant: i16) =
-  let constant:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant in
-  let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector constant in
-  let k:u8 =
+#push-options "--z3rlimit 100 --ext context_pruning"
+
+let montgomery_multiply_by_constant
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (constant: i16)
+     =
+  let vec_constant:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant
+  in
+  let _:Prims.unit = assert (forall i. get_lane vec_constant i == constant) in
+  let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector vec_constant
+  in
+  let _:Prims.unit = assert (forall i. get_lane value_low i == get_lane vector i *. constant) in
+  let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 value_low
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
                 <:
@@ -61,20 +206,68 @@ let montgomery_multiply_by_constant (vector: u8) (constant: i16) =
             <:
             i16)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let k_times_modulus:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k
-      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
-        <:
-        u8)
+  let _:Prims.unit = assert (forall i. get_lane k i == get_lane value_low i *. (neg 3327s)) in
+  let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
   in
-  let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector constant in
-  Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus
+  let _:Prims.unit = assert (forall i. get_lane modulus i == 3329s) in
+  let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k modulus
+  in
+  let _:Prims.unit =
+    assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k_times_modulus ==
+        Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+          (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k)
+          (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 modulus));
+    assert (forall i.
+          get_lane k_times_modulus i ==
+          (cast (((cast (get_lane k i) <: i32) *. (cast (get_lane modulus i) <: i32)) >>! 16l)
+            <:
+            i16))
+  in
+  let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector vec_constant
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          get_lane value_high i ==
+          (cast (((cast (get_lane vector i) <: i32) *. (cast (get_lane vec_constant i) <: i32)) >>!
+                16l)
+            <:
+            i16))
+  in
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus
+  in
+  let _:Prims.unit =
+    Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
+    assert (v (cast 3329s <: i32) == (3329 @% pow2 32));
+    assert (v (cast 3329s <: i32) == 3329);
+    assert ((cast 3329s <: i32) == 3329l);
+    assert (forall i. get_lane result i == (get_lane value_high i) -. (get_lane k_times_modulus i));
+    assert (forall i. get_lane result i == Spec.Utils.mont_mul_red_i16 (get_lane vector i) constant);
+    assert (forall i. Spec.Utils.is_i16b 3328 (get_lane result i));
+    assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i));
+    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result));
+    assert (forall i.
+          v (get_lane result i) % 3329 == ((v (get_lane vector i) * v constant * 169) % 3329))
+  in
+  result
+
+#pop-options
 
-let montgomery_multiply_by_constants (v c: u8) =
-  let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 v c in
-  let k:u8 =
+#push-options "--z3rlimit 100"
+
+let montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec constants
+  in
+  let _:Prims.unit =
+    assert (forall i. get_lane value_low i == get_lane vec i *. get_lane constants i)
+  in
+  let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 value_low
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
                 <:
@@ -82,20 +275,69 @@ let montgomery_multiply_by_constants (v c: u8) =
             <:
             i16)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let k_times_modulus:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k
-      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
-        <:
-        u8)
+  let _:Prims.unit = assert (forall i. get_lane k i == get_lane value_low i *. (neg 3327s)) in
+  let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
+  in
+  let _:Prims.unit = assert (forall i. get_lane modulus i == 3329s) in
+  let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k modulus
+  in
+  let _:Prims.unit =
+    assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k_times_modulus ==
+        Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+          (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k)
+          (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 modulus));
+    assert (forall i.
+          get_lane k_times_modulus i ==
+          (cast (((cast (get_lane k i) <: i32) *. (cast (get_lane modulus i) <: i32)) >>! 16l)
+            <:
+            i16))
+  in
+  let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vec constants
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          get_lane value_high i ==
+          (cast (((cast (get_lane vec i) <: i32) *. (cast (get_lane constants i) <: i32)) >>! 16l)
+            <:
+            i16))
+  in
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus
+  in
+  let _:Prims.unit =
+    Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
+    assert (v (cast 3329s <: i32) == (3329 @% pow2 32));
+    assert (v (cast 3329s <: i32) == 3329);
+    assert ((cast 3329s <: i32) == 3329l);
+    assert (forall i. get_lane result i == (get_lane value_high i) -. (get_lane k_times_modulus i));
+    assert (forall i.
+          get_lane result i == Spec.Utils.mont_mul_red_i16 (get_lane vec i) (get_lane constants i));
+    assert (forall i. Spec.Utils.is_i16b 3328 (get_lane result i));
+    assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i));
+    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result));
+    assert (forall i.
+          v (get_lane result i) % 3329 ==
+          ((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329))
   in
-  let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 v c in
-  Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus
+  result
 
-let montgomery_multiply_m128i_by_constants (v c: u8) =
-  let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 v c in
-  let k:u8 =
+#pop-options
+
+#push-options "--z3rlimit 100"
+
+let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) =
+  let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 vec constants
+  in
+  let _:Prims.unit =
+    assert (forall i. get_lane128 value_low i == get_lane128 vec i *. get_lane128 constants i)
+  in
+  let k:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 value_low
       (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
                 <:
@@ -103,29 +345,74 @@ let montgomery_multiply_m128i_by_constants (v c: u8) =
             <:
             i16)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
   in
-  let k_times_modulus:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 k
-      (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
-        <:
-        u8)
+  let _:Prims.unit = assert (forall i. get_lane128 k i == get_lane128 value_low i *. (neg 3327s)) in
+  let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
+  in
+  let _:Prims.unit = assert (forall i. get_lane128 modulus i == 3329s) in
+  let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 k modulus
+  in
+  let _:Prims.unit =
+    assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 k_times_modulus ==
+        Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+          (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 k)
+          (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 modulus));
+    assert (forall i.
+          get_lane128 k_times_modulus i ==
+          (cast (((cast (get_lane128 k i) <: i32) *. (cast (get_lane128 modulus i) <: i32)) >>! 16l)
+            <:
+            i16))
   in
-  let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 v c in
-  Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 value_high k_times_modulus
+  let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 vec constants
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          get_lane128 value_high i ==
+          (cast (((cast (get_lane128 vec i) <: i32) *. (cast (get_lane128 constants i) <: i32)) >>!
+                16l)
+            <:
+            i16))
+  in
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 value_high k_times_modulus
+  in
+  let _:Prims.unit =
+    Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
+    assert (v (cast 3329s <: i32) == (3329 @% pow2 32));
+    assert (v (cast 3329s <: i32) == 3329);
+    assert ((cast 3329s <: i32) == 3329l);
+    assert (forall i.
+          get_lane128 result i == (get_lane128 value_high i) -. (get_lane128 k_times_modulus i));
+    assert (forall i.
+          get_lane128 result i ==
+          Spec.Utils.mont_mul_red_i16 (get_lane128 vec i) (get_lane128 constants i));
+    assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 result i));
+    assert (forall (i: nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 result i));
+    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result));
+    assert (forall i.
+          v (get_lane128 result i) % 3329 ==
+          ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329))
+  in
+  result
 
-let montgomery_reduce_i32s (v: u8) =
-  let k:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 v
+#pop-options
+
+let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
                 <:
                 u32)
             <:
             i32)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let k_times_modulus:u8 =
+  let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k
       (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
                 <:
@@ -133,9 +420,19 @@ let montgomery_reduce_i32s (v: u8) =
             <:
             i32)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l vec
+  in
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus
+  in
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result
+  in
+  let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result
   in
-  let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l v in
-  let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus in
-  let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result in
-  Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti
index ad8d448c9..6cfb8659a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti
@@ -1,34 +1,139 @@
 module Libcrux_ml_kem.Vector.Avx2.Arithmetic
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 let v_BARRETT_MULTIPLIER: i16 = 20159s
 
-val add (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+open Libcrux_intrinsics.Avx2_extract
 
-val bitwise_and_with_constant (vector: u8) (constant: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        forall i.
+          i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i)))
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) + v (get_lane rhs i)))
 
-val multiply_by_constant (vector: u8) (constant: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result ==
+          Spec.Utils.map_array (fun x -> x &. constant)
+            (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
 
-val shift_right (v_SHIFT_BY: i32) (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane vector i) * v constant))
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          forall i. i < 16 ==> v (get_lane result i) == (v (get_lane vector i) * v constant))
 
-val sub (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==>
+          Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result ==
+          Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY)
+            (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+
+val sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        forall i.
+          i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) - v (get_lane rhs i)))
 
 /// See Section 3.2 of the implementation notes document for an explanation
 /// of this code.
-val barrett_reduce (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\
+          (forall i. i < 16 ==> v (get_lane result i) % 3329 == (v (get_lane vector i) % 3329)))
 
-val cond_subtract_3329_ (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        Spec.Utils.is_i16b_array (pow2 12 - 1)
+          (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          forall i.
+            i < 16 ==>
+            get_lane result i ==
+            (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i
+            ))
 
-val montgomery_multiply_by_constant (vector: u8) (constant: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val montgomery_multiply_by_constant
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (constant: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires Spec.Utils.is_i16b 1664 constant)
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\
+          (forall i.
+              i < 16 ==>
+              v (get_lane result i) % 3329 == ((v (get_lane vector i) * v constant * 169) % 3329)))
 
-val montgomery_multiply_by_constants (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 constants))
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\
+          (forall i.
+              i < 16 ==>
+              v (get_lane result i) % 3329 ==
+              ((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329)))
 
-val montgomery_multiply_m128i_by_constants (v c: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec128
+      (requires
+        Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 constants))
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = result in
+          Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result) /\
+          (forall i.
+              i < 8 ==>
+              v (get_lane128 result i) % 3329 ==
+              ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329)))
 
-val montgomery_reduce_i32s (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        Spec.Utils.is_i16b_array (3328 * pow2 16)
+          (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vec))
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          Spec.Utils.is_i16b_array (3328 + 1665)
+            (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\
+          (Spec.Utils.is_i16b_array (3328 * pow2 15)
+              (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vec) ==>
+            Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)) /\
+          (forall i. i < 16 ==> v (get_lane result i) % 3329 == ((v (get_lane vec i) * 169) % 3329))
+      )
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst
index d40f2d67a..849da1049 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst
@@ -1,27 +1,36 @@
 module Libcrux_ml_kem.Vector.Avx2.Compress
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-let mulhi_mm256_epi32 (lhs rhs: u8) =
-  let prod02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 lhs rhs in
-  let prod13:u8 =
+let mulhi_mm256_epi32 (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 lhs rhs
+  in
+  let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
           245l
           lhs
         <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs <: u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 (Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi32
         prod02
         prod13
       <:
-      u8)
-    (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi32 prod02 prod13 <: u8)
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi32 prod02 prod13
+      <:
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
-let compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) =
-  let field_modulus_halved:u8 =
+let compress_ciphertext_coefficient
+      (v_COEFFICIENT_BITS: i32)
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+     =
+  let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (((cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
                 <:
                 i16)
@@ -34,47 +43,63 @@ let compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) =
         <:
         i32)
   in
-  let compression_factor:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 10321340l in
-  let coefficient_bits_mask:u8 =
+  let compression_factor:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 10321340l
+  in
+  let coefficient_bits_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l <<! v_COEFFICIENT_BITS <: i32) -! 1l
         <:
         i32)
   in
-  let coefficients_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in
-  let coefficients_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 coefficients_low in
-  let compressed_low:u8 =
+  let coefficients_low:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector
+  in
+  let coefficients_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 coefficients_low
+  in
+  let compressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_COEFFICIENT_BITS coefficients_low
   in
-  let compressed_low:u8 =
+  let compressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 compressed_low field_modulus_halved
   in
-  let compressed_low:u8 = mulhi_mm256_epi32 compressed_low compression_factor in
-  let compressed_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 3l compressed_low in
-  let compressed_low:u8 =
+  let compressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mulhi_mm256_epi32 compressed_low compression_factor
+  in
+  let compressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 3l compressed_low
+  in
+  let compressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_and_si256 compressed_low coefficient_bits_mask
   in
-  let coefficients_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in
-  let coefficients_high:u8 =
+  let coefficients_high:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector
+  in
+  let coefficients_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 coefficients_high
   in
-  let compressed_high:u8 =
+  let compressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_COEFFICIENT_BITS coefficients_high
   in
-  let compressed_high:u8 =
+  let compressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 compressed_high field_modulus_halved
   in
-  let compressed_high:u8 = mulhi_mm256_epi32 compressed_high compression_factor in
-  let compressed_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 3l compressed_high in
-  let compressed_high:u8 =
+  let compressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mulhi_mm256_epi32 compressed_high compression_factor
+  in
+  let compressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 3l compressed_high
+  in
+  let compressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_and_si256 compressed_high coefficient_bits_mask
   in
-  let compressed:u8 =
+  let compressed:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_packs_epi32 compressed_low compressed_high
   in
   Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l compressed
 
-let compress_message_coefficient (vector: u8) =
-  let field_modulus_halved:u8 =
+let compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -!
           1s
           <:
@@ -83,7 +108,7 @@ let compress_message_coefficient (vector: u8) =
         <:
         i16)
   in
-  let field_modulus_quartered:u8 =
+  let field_modulus_quartered:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -!
           1s
           <:
@@ -92,58 +117,77 @@ let compress_message_coefficient (vector: u8) =
         <:
         i16)
   in
-  let shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 field_modulus_halved vector in
-  let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l shifted in
-  let shifted_to_positive:u8 = Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 mask shifted in
-  let shifted_to_positive_in_range:u8 =
+  let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 field_modulus_halved vector
+  in
+  let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l shifted
+  in
+  let shifted_to_positive:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 mask shifted
+  in
+  let shifted_to_positive_in_range:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 shifted_to_positive field_modulus_quartered
   in
   Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l shifted_to_positive_in_range
 
-let decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) =
-  let field_modulus:u8 =
+let decompress_ciphertext_coefficient
+      (v_COEFFICIENT_BITS: i32)
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+     =
+  let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
             <:
             i16)
         <:
         i32)
   in
-  let two_pow_coefficient_bits:u8 =
+  let two_pow_coefficient_bits:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l <<! v_COEFFICIENT_BITS <: i32)
   in
-  let coefficients_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in
-  let coefficients_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 coefficients_low in
-  let decompressed_low:u8 =
+  let coefficients_low:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector
+  in
+  let coefficients_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 coefficients_low
+  in
+  let decompressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 coefficients_low field_modulus
   in
-  let decompressed_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l decompressed_low in
-  let decompressed_low:u8 =
+  let decompressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l decompressed_low
+  in
+  let decompressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 decompressed_low two_pow_coefficient_bits
   in
-  let decompressed_low:u8 =
+  let decompressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 v_COEFFICIENT_BITS decompressed_low
   in
-  let decompressed_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 1l decompressed_low in
-  let coefficients_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in
-  let coefficients_high:u8 =
+  let decompressed_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 1l decompressed_low
+  in
+  let coefficients_high:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector
+  in
+  let coefficients_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 coefficients_high
   in
-  let decompressed_high:u8 =
+  let decompressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 coefficients_high field_modulus
   in
-  let decompressed_high:u8 =
+  let decompressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l decompressed_high
   in
-  let decompressed_high:u8 =
+  let decompressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 decompressed_high two_pow_coefficient_bits
   in
-  let decompressed_high:u8 =
+  let decompressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 v_COEFFICIENT_BITS decompressed_high
   in
-  let decompressed_high:u8 =
+  let decompressed_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 1l decompressed_high
   in
-  let compressed:u8 =
+  let compressed:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_packs_epi32 decompressed_low decompressed_high
   in
   Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l compressed
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti
index c33fe6f5b..267f93c47 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti
@@ -1,14 +1,26 @@
 module Libcrux_ml_kem.Vector.Avx2.Compress
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-val mulhi_mm256_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mulhi_mm256_epi32 (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val compress_ciphertext_coefficient
+      (v_COEFFICIENT_BITS: i32)
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        v v_COEFFICIENT_BITS >= 0 /\ v v_COEFFICIENT_BITS < bits i32_inttype /\
+        range (v (1l <<! v_COEFFICIENT_BITS) - 1) i32_inttype)
+      (fun _ -> Prims.l_True)
 
-val compress_message_coefficient (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 
-val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val decompress_ciphertext_coefficient
+      (v_COEFFICIENT_BITS: i32)
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires v v_COEFFICIENT_BITS >= 0 /\ v v_COEFFICIENT_BITS < bits i32_inttype)
+      (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst
index 68f788df8..6d1f1794f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst
@@ -1,76 +1,118 @@
 module Libcrux_ml_kem.Vector.Avx2.Ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-let inv_ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) =
-  let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector in
-  let rhs:u8 =
+#push-options "--admit_smt_queries true"
+
+let inv_ntt_layer_1_step
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta0 zeta1 zeta2 zeta3: i16)
+     =
+  let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector
+  in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector
+  in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 rhs
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s (-1s)
           (-1s) 1s 1s (-1s) (-1s) 1s 1s
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let sum:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs in
-  let sum_times_zetas:u8 =
+  let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
+  in
+  let sum_times_zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants sum
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 zeta3 zeta3 0s 0s zeta2 zeta2 0s 0s zeta1
           zeta1 0s 0s zeta0 zeta0 0s 0s
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce sum
   in
-  let sum:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce sum in
   Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 204l sum sum_times_zetas
 
-let inv_ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) =
-  let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 245l vector in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 160l vector in
-  let rhs:u8 =
+#pop-options
+
+let inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) =
+  let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 245l vector
+  in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 160l vector
+  in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 rhs
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (-1s) (-1s) (-1s) (-1s) 1s 1s 1s 1s (-1s)
           (-1s) (-1s) (-1s) 1s 1s 1s 1s
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
   in
-  let sum:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs in
-  let sum_times_zetas:u8 =
+  let sum_times_zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants sum
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 zeta1 zeta1 zeta1 zeta1 0s 0s 0s 0s zeta0
           zeta0 zeta0 zeta0 0s 0s 0s 0s
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
   Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 240l sum sum_times_zetas
 
-let inv_ntt_layer_3_step (vector: u8) (zeta: i16) =
-  let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in
-  let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs in
-  let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs in
-  let upper_coefficients:u8 =
+let inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) =
+  let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector
+  in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector
+  in
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs
+  in
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs
+  in
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants upper_coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
+  in
+  let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients
   in
-  let combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in
   Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients
 
-let ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) =
-  let zetas:u8 =
+let ntt_layer_1_step
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta0 zeta1 zeta2 zeta3: i16)
+     =
+  let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta3 <: i16)
       (Core.Ops.Arith.Neg.neg zeta3 <: i16) zeta3 zeta3 (Core.Ops.Arith.Neg.neg zeta2 <: i16)
       (Core.Ops.Arith.Neg.neg zeta2 <: i16) zeta2 zeta2 (Core.Ops.Arith.Neg.neg zeta1 <: i16)
       (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 (Core.Ops.Arith.Neg.neg zeta0 <: i16)
       (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0
   in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector in
-  let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in
-  let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector
+  in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas
+  in
+  let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector
+  in
   Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
 
-let ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) =
-  let zetas:u8 =
+let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) =
+  let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta1 <: i16)
       (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16)
       (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 zeta1 zeta1
@@ -78,44 +120,94 @@ let ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) =
       (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 zeta0
       zeta0
   in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector in
-  let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in
-  let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector
+  in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas
+  in
+  let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector
+  in
   Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
 
-let ntt_layer_3_step (vector: u8) (zeta: i16) =
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in
-  let rhs:u8 =
+let ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) =
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector
+  in
+  let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants rhs
-      (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
+  in
+  let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector
+  in
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs
+  in
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs
+  in
+  let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients
   in
-  let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in
-  let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs in
-  let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs in
-  let combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in
   Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients
 
-let ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16) =
-  let shuffle_with:u8 =
+#push-options "--admit_smt_queries true"
+
+let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) =
+  let shuffle_with:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y
       1y 0y 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y 1y 0y
   in
-  let lhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 lhs shuffle_with in
-  let lhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l lhs_shuffled in
-  let lhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lhs_shuffled in
-  let lhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_evens in
-  let lhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lhs_shuffled in
-  let lhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_odds in
-  let rhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs shuffle_with in
-  let rhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l rhs_shuffled in
-  let rhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 rhs_shuffled in
-  let rhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_evens in
-  let rhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l rhs_shuffled in
-  let rhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_odds in
-  let left:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_evens rhs_evens in
-  let right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_odds rhs_odds in
-  let right:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s right in
-  let right:u8 =
+  let lhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 lhs shuffle_with
+  in
+  let lhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l lhs_shuffled
+  in
+  let lhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lhs_shuffled
+  in
+  let lhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_evens
+  in
+  let lhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lhs_shuffled
+  in
+  let lhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_odds
+  in
+  let rhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs shuffle_with
+  in
+  let rhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l rhs_shuffled
+  in
+  let rhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 rhs_shuffled
+  in
+  let rhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_evens
+  in
+  let rhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l rhs_shuffled
+  in
+  let rhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_odds
+  in
+  let left:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_evens rhs_evens
+  in
+  let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_odds rhs_odds
+  in
+  let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s right
+  in
+  let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 right
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg (cast (zeta3 <: i16)
                 <:
@@ -130,24 +222,30 @@ let ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16) =
           (Core.Ops.Arith.Neg.neg (cast (zeta0 <: i16) <: i32) <: i32)
           (cast (zeta0 <: i16) <: i32)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let products_left:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 left right
   in
-  let products_left:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 left right in
-  let products_left:u8 =
+  let products_left:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s products_left
   in
-  let rhs_adjacent_swapped:u8 =
+  let rhs_adjacent_swapped:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 13y 12y 15y 14y 9y 8y 11y 10y 5y 4y 7y 6y 1y
           0y 3y 2y 13y 12y 15y 14y 9y 8y 11y 10y 5y 4y 7y 6y 1y 0y 3y 2y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let products_right:u8 =
+  let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 lhs rhs_adjacent_swapped
   in
-  let products_right:u8 =
+  let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s products_right
   in
-  let products_right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l products_right in
+  let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l products_right
+  in
   Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 170l products_left products_right
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti
index e86b8344d..e2cfc07ca 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti
@@ -1,26 +1,51 @@
 module Libcrux_ml_kem.Vector.Avx2.Ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 let ntt_multiply__PERMUTE_WITH: i32 = 216l
 
-val inv_ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val inv_ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val inv_ntt_layer_3_step (vector: u8) (zeta: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val ntt_layer_3_step (vector: u8) (zeta: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val inv_ntt_layer_1_step
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta0 zeta1 zeta2 zeta3: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3)
+      (fun _ -> Prims.l_True)
+
+val inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1)
+      (fun _ -> Prims.l_True)
+
+val inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires Spec.Utils.is_i16b 1664 zeta)
+      (fun _ -> Prims.l_True)
+
+val ntt_layer_1_step
+      (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+      (zeta0 zeta1 zeta2 zeta3: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3)
+      (fun _ -> Prims.l_True)
+
+val ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1)
+      (fun _ -> Prims.l_True)
+
+val ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires Spec.Utils.is_i16b 1664 zeta)
+      (fun _ -> Prims.l_True)
+
+val ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3)
+      (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti
new file mode 100644
index 000000000..fe64003c4
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti
@@ -0,0 +1,30 @@
+module Libcrux_ml_kem.Vector.Avx2.Portable
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+val deserialize_11_int (bytes: t_Slice u8)
+    : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val serialize_11_int (v: t_Slice i16)
+    : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+type t_PortableVector = { f_elements:t_Array i16 (sz 16) }
+
+val from_i16_array (array: t_Array i16 (sz 16))
+    : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_11_ (v: t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
+
+val to_i16_array (v: t_PortableVector)
+    : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True)
+
+val zero: Prims.unit -> Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True)
+
+val deserialize_11_ (bytes: t_Slice u8)
+    : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst
index 33c894793..b41e18824 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst
@@ -1,19 +1,36 @@
 module Libcrux_ml_kem.Vector.Avx2.Sampling
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+#push-options "--admit_smt_queries true"
+
 let rejection_sample (input: t_Slice u8) (output: t_Slice i16) =
-  let field_modulus:u8 =
+  let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
   in
-  let potential_coefficients:u8 = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ input in
-  let compare_with_field_modulus:u8 =
+  let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ input
+  in
+  let compare_with_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi16 field_modulus potential_coefficients
   in
   let good:t_Array u8 (sz 2) =
     Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ compare_with_field_modulus
   in
+  let _:Prims.unit =
+    assert (v (cast (good.[ sz 0 ] <: u8) <: usize) < 256);
+    assert (v (cast (good.[ sz 1 ] <: u8) <: usize) < 256);
+    assume (v (cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize) <= 8);
+    assume (v (cast (Core.Num.impl__u8__count_ones good.[ sz 1 ]) <: usize) <= 8);
+    assume (Core.Ops.Index.f_index_pre output
+          ({
+              Core.Ops.Range.f_start = cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize;
+              Core.Ops.Range.f_end
+              =
+              (cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize) +! sz 8
+            }))
+  in
   let lower_shuffles:t_Array u8 (sz 16) =
     Libcrux_ml_kem.Vector.Rej_sample_table.v_REJECTION_SAMPLE_SHUFFLE_TABLE.[ cast (good.[ sz 0 ]
           <:
@@ -21,13 +38,13 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) =
       <:
       usize ]
   in
-  let lower_shuffles:u8 =
+  let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8)
   in
-  let lower_coefficients:u8 =
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 potential_coefficients
   in
-  let lower_coefficients:u8 =
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles
   in
   let output:t_Slice i16 =
@@ -43,13 +60,13 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) =
       <:
       usize ]
   in
-  let upper_shuffles:u8 =
+  let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8)
   in
-  let upper_coefficients:u8 =
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients
   in
-  let upper_coefficients:u8 =
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles
   in
   let output:t_Slice i16 =
@@ -76,3 +93,5 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) =
     sampled_count +! (cast (Core.Num.impl__u8__count_ones (good.[ sz 1 ] <: u8) <: u32) <: usize)
   in
   output, hax_temp_output <: (t_Slice i16 & usize)
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti
index 361ba6196..767350ac5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti
@@ -1,7 +1,14 @@
 module Libcrux_ml_kem.Vector.Avx2.Sampling
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 val rejection_sample (input: t_Slice u8) (output: t_Slice i16)
-    : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Slice i16 & usize)
+      (requires
+        (Core.Slice.impl__len #u8 input <: usize) =. sz 24 &&
+        (Core.Slice.impl__len #i16 output <: usize) =. sz 16)
+      (ensures
+        fun temp_0_ ->
+          let output_future, res:(t_Slice i16 & usize) = temp_0_ in
+          Seq.length output_future == Seq.length output /\ v res <= 16)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
index 01639f725..87cf7addd 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Avx2.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -10,236 +10,217 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let deserialize_1_ (bytes: t_Slice u8) =
-  let coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 1 ] <: u8) <: i16)
-      (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16)
-      (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16)
-      (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16)
-      (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16)
-      (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16)
-      (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16)
-      (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16)
-      (cast (bytes.[ sz 0 ] <: u8) <: i16)
-  in
-  let shift_lsb_to_msb:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 8l <: i16) (1s <<! 9l <: i16)
-      (1s <<! 10l <: i16) (1s <<! 11l <: i16) (1s <<! 12l <: i16) (1s <<! 13l <: i16)
-      (1s <<! 14l <: i16) (-32768s) (1s <<! 8l <: i16) (1s <<! 9l <: i16) (1s <<! 10l <: i16)
-      (1s <<! 11l <: i16) (1s <<! 12l <: i16) (1s <<! 13l <: i16) (1s <<! 14l <: i16) (-32768s)
-  in
-  let coefficients_in_msb:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients shift_lsb_to_msb
-  in
-  Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb
+[@@"opaque_to_smt"]
 
-let deserialize_10_ (bytes: t_Slice u8) =
-  let shift_lsbs_to_msbs:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 0l <: i16) (1s <<! 2l <: i16)
-      (1s <<! 4l <: i16) (1s <<! 6l <: i16) (1s <<! 0l <: i16) (1s <<! 2l <: i16) (1s <<! 4l <: i16)
-      (1s <<! 6l <: i16) (1s <<! 0l <: i16) (1s <<! 2l <: i16) (1s <<! 4l <: i16) (1s <<! 6l <: i16)
-      (1s <<! 0l <: i16) (1s <<! 2l <: i16) (1s <<! 4l <: i16) (1s <<! 6l <: i16)
-  in
-  let lower_coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ {
-            Core.Ops.Range.f_start = sz 0;
-            Core.Ops.Range.f_end = sz 16
-          }
-          <:
-          Core.Ops.Range.t_Range usize ]
-        <:
-        t_Slice u8)
+#push-options "--ext context_pruning"
+
+let deserialize_1___deserialize_1_i16s (a b: i16) =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b b b b b b b b a a a a a a a a
   in
-  let lower_coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 9uy 8uy 8uy 7uy 7uy 6uy 6uy 5uy 4uy 3uy 3uy 2uy
-          2uy 1uy 1uy 0uy
+  let coefficients_in_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 8l <: i16) (1s <<! 9l <: i16)
+          (1s <<! 10l <: i16) (1s <<! 11l <: i16) (1s <<! 12l <: i16) (1s <<! 13l <: i16)
+          (1s <<! 14l <: i16) (-32768s) (1s <<! 8l <: i16) (1s <<! 9l <: i16) (1s <<! 10l <: i16)
+          (1s <<! 11l <: i16) (1s <<! 12l <: i16) (1s <<! 13l <: i16) (1s <<! 14l <: i16) (-32768s)
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let upper_coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ {
-            Core.Ops.Range.f_start = sz 4;
-            Core.Ops.Range.f_end = sz 20
-          }
-          <:
-          Core.Ops.Range.t_Range usize ]
-        <:
-        t_Slice u8)
+  Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb
+
+#pop-options
+
+[@@"opaque_to_smt"]
+
+let deserialize_1___deserialize_1_u8s (a b: u8) =
+  deserialize_1___deserialize_1_i16s (cast (a <: u8) <: i16) (cast (b <: u8) <: i16)
+
+#restart-solver
+
+let deserialize_1_ (bytes: t_Slice u8) =
+  deserialize_1___deserialize_1_u8s (bytes.[ sz 0 ] <: u8) (bytes.[ sz 1 ] <: u8)
+
+[@@"opaque_to_smt"]
+
+let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b7 b7 b6 b6 b5 b5 b4 b4 b3 b3 b2 b2 b1 b1 b0 b0
   in
-  let upper_coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 13uy 12uy 12uy 11uy 10uy 9uy
-          9uy 8uy 8uy 7uy 7uy 6uy
+  let coefficients_in_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+          (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+          (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+          (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+          (1s <<! 0l <: i16) (1s <<! 4l <: i16)
         <:
-        u8)
-  in
-  let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in
-  let coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l coefficients upper_coefficients
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients shift_lsbs_to_msbs
+  let coefficients_in_lsb:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 4l coefficients_in_msb
   in
-  let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 6l coefficients in
-  Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
-    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s <<! 10l <: i16) -! 1s <: i16) <: u8)
+  Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients_in_lsb
+    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s <<! 4l <: i16) -! 1s <: i16)
+      <:
+      Libcrux_intrinsics.Avx2_extract.t_Vec256)
 
-let deserialize_12_ (bytes: t_Slice u8) =
-  let shift_lsbs_to_msbs:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 0l <: i16) (1s <<! 4l <: i16)
-      (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16)
-      (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
-      (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+[@@"opaque_to_smt"]
+
+let deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8) =
+  deserialize_4___deserialize_4_i16s (cast (b0 <: u8) <: i16)
+    (cast (b1 <: u8) <: i16)
+    (cast (b2 <: u8) <: i16)
+    (cast (b3 <: u8) <: i16)
+    (cast (b4 <: u8) <: i16)
+    (cast (b5 <: u8) <: i16)
+    (cast (b6 <: u8) <: i16)
+    (cast (b7 <: u8) <: i16)
+
+#restart-solver
+
+let deserialize_4_ (bytes: t_Slice u8) =
+  deserialize_4___deserialize_4_u8s (bytes.[ sz 0 ] <: u8)
+    (bytes.[ sz 1 ] <: u8)
+    (bytes.[ sz 2 ] <: u8)
+    (bytes.[ sz 3 ] <: u8)
+    (bytes.[ sz 4 ] <: u8)
+    (bytes.[ sz 5 ] <: u8)
+    (bytes.[ sz 6 ] <: u8)
+    (bytes.[ sz 7 ] <: u8)
+
+#push-options "--ext context_pruning --compat_pre_core 0"
+
+let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_slli_epi16 15l vector
   in
-  let lower_coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ {
-            Core.Ops.Range.f_start = sz 0;
-            Core.Ops.Range.f_end = sz 16
-          }
-          <:
-          Core.Ops.Range.t_Range usize ]
-        <:
-        t_Slice u8)
+  let low_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lsb_to_msb
   in
-  let lower_coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 11uy 10uy 10uy 9uy 8uy 7uy 7uy 6uy 5uy 4uy 4uy
-          3uy 2uy 1uy 1uy 0uy
-        <:
-        u8)
+  let high_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lsb_to_msb
   in
-  let upper_coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ {
-            Core.Ops.Range.f_start = sz 8;
-            Core.Ops.Range.f_end = sz 24
-          }
-          <:
-          Core.Ops.Range.t_Range usize ]
-        <:
-        t_Slice u8)
+  let msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_packs_epi16 low_msbs high_msbs
   in
-  let upper_coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 12uy 11uy 11uy 10uy 9uy 8uy
-          8uy 7uy 6uy 5uy 5uy 4uy
-        <:
-        u8)
+  let _:Prims.unit =
+    let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in
+    FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 16}).
+          bits_packed' i = vector ((i / 1) * 16 + i % 1))
+      (fun _ ->
+          ();
+          (Tactics.Utils.prove_forall_nat_pointwise (fun _ ->
+                  Tactics.compute ();
+                  Tactics.smt_sync ())))
   in
-  let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in
-  let coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l coefficients upper_coefficients
+  let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in
+  let result:t_Array u8 (sz 2) =
+    let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
+    Rust_primitives.Hax.array_of_list 2 list
   in
-  let coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients shift_lsbs_to_msbs
+  let _:Prims.unit =
+    assert (forall (i: nat{i < 8}).
+          get_bit (bits_packed >>! 8l <: i32) (sz i) == get_bit bits_packed (sz (i + 8)))
   in
-  let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 4l coefficients in
-  Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
-    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s <<! 12l <: i16) -! 1s <: i16) <: u8)
+  result
 
-let deserialize_4_ (bytes: t_Slice u8) =
-  let coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 7 ] <: u8) <: i16)
-      (cast (bytes.[ sz 7 ] <: u8) <: i16) (cast (bytes.[ sz 6 ] <: u8) <: i16)
-      (cast (bytes.[ sz 6 ] <: u8) <: i16) (cast (bytes.[ sz 5 ] <: u8) <: i16)
-      (cast (bytes.[ sz 5 ] <: u8) <: i16) (cast (bytes.[ sz 4 ] <: u8) <: i16)
-      (cast (bytes.[ sz 4 ] <: u8) <: i16) (cast (bytes.[ sz 3 ] <: u8) <: i16)
-      (cast (bytes.[ sz 3 ] <: u8) <: i16) (cast (bytes.[ sz 2 ] <: u8) <: i16)
-      (cast (bytes.[ sz 2 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16)
-      (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16)
-      (cast (bytes.[ sz 0 ] <: u8) <: i16)
-  in
-  let shift_lsbs_to_msbs:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 0l <: i16) (1s <<! 4l <: i16)
-      (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16)
-      (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
-      (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
-  in
-  let coefficients_in_msb:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients shift_lsbs_to_msbs
-  in
-  let coefficients_in_lsb:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 4l coefficients_in_msb
-  in
-  Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients_in_lsb
-    (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s <<! 4l <: i16) -! 1s <: i16) <: u8)
+#pop-options
 
-let deserialize_5_ (bytes: t_Slice u8) =
-  let coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8)
-      (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8)
-      (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8)
-      (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8)
-      (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8)
-  in
-  let coefficients_loaded:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 coefficients in
-  let coefficients_loaded:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l coefficients_loaded coefficients
+#push-options "--ext context_pruning --split_queries always"
+
+let serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mm256_concat_pairs_n 10uy vector
   in
-  let coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 13y 12y 13y 12y 11y 10y 11y
-          10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_2_combined
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let coefficients:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 0l <: i16) (1s <<! 5l <: i16)
-          (1s <<! 2l <: i16) (1s <<! 7l <: i16) (1s <<! 4l <: i16) (1s <<! 9l <: i16)
-          (1s <<! 6l <: i16) (1s <<! 11l <: i16) (1s <<! 0l <: i16) (1s <<! 5l <: i16)
-          (1s <<! 2l <: i16) (1s <<! 7l <: i16) (1s <<! 4l <: i16) (1s <<! 9l <: i16)
-          (1s <<! 6l <: i16) (1s <<! 11l <: i16)
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined
+  in
+  let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_4_combined
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y
+          10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y
+          0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 11l coefficients
-
-let serialize_1_ (vector: u8) =
-  let lsb_to_msb:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi16 15l vector in
-  let low_msbs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lsb_to_msb in
-  let high_msbs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lsb_to_msb in
-  let msbs:u8 = Libcrux_intrinsics.Avx2_extract.mm_packs_epi16 low_msbs high_msbs in
-  let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in
-  let serialized:t_Array u8 (sz 2) = Rust_primitives.Hax.repeat 0uy (sz 2) in
-  let serialized:t_Array u8 (sz 2) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
-      (sz 0)
-      (cast (bits_packed <: i32) <: u8)
+  let lower_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined
   in
-  let serialized:t_Array u8 (sz 2) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
-      (sz 1)
-      (cast (bits_packed >>! 8l <: i32) <: u8)
+  let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined
   in
-  serialized
+  let _:Prims.unit =
+    introduce forall (i: nat{i < 80}) . lower_8_ i = vector ((i / 10) * 16 + i % 10)
+    with assert_norm (BitVec.Utils.forall_n 80
+          (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10)));
+    introduce forall (i: nat{i < 80}) . upper_8_ i = vector (128 + (i / 10) * 16 + i % 10)
+    with assert_norm (BitVec.Utils.forall_n 80
+          (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10)))
+  in
+  lower_8_, upper_8_
+  <:
+  (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128)
 
-let serialize_10_ (vector: u8) =
-  let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
-  let adjacent_2_combined:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 10l <: i16) 1s (1s <<! 10l <: i16) 1s
-          (1s <<! 10l <: i16) 1s (1s <<! 10l <: i16) 1s (1s <<! 10l <: i16) 1s (1s <<! 10l <: i16)
-          1s (1s <<! 10l <: i16) 1s (1s <<! 10l <: i16) 1s
-        <:
-        u8)
+#pop-options
+
+#push-options "--ext context_pruning --split_queries always"
+
+let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mm256_concat_pairs_n 12uy vector
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_2_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 8l 0l 8l 0l 8l 0l 8l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_4_combined:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 8l adjacent_4_combined
   in
-  let adjacent_8_combined:u8 =
+  let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_4_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y
-          10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y
-          0y
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y
+          5y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y 5y 4y 3y 2y 1y 0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let lower_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined
+  in
+  let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined
+  in
+  let _:Prims.unit =
+    introduce forall (i: nat{i < 96}) . lower_8_ i = vector ((i / 12) * 16 + i % 12)
+    with assert_norm (BitVec.Utils.forall_n 96
+          (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12)));
+    introduce forall (i: nat{i < 96}) . upper_8_ i = vector (128 + (i / 12) * 16 + i % 12)
+    with assert_norm (BitVec.Utils.forall_n 96
+          (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12)))
+  in
+  lower_8_, upper_8_
+  <:
+  (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128)
+
+#pop-options
+
+#push-options "--ext context_pruning --split_queries always"
+
+let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+  let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 &
+    Libcrux_intrinsics.Avx2_extract.t_Vec128) =
+    serialize_10___serialize_10_vec vector
   in
-  let lower_8_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined in
+  let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
   let serialized:t_Array u8 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
       ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
@@ -257,9 +238,6 @@ let serialize_10_ (vector: u8) =
         <:
         t_Slice u8)
   in
-  let upper_8_:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined
-  in
   let serialized:t_Array u8 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
       ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 }
@@ -290,33 +268,15 @@ let serialize_10_ (vector: u8) =
       <:
       Core.Result.t_Result (t_Array u8 (sz 20)) Core.Array.t_TryFromSliceError)
 
-let serialize_12_ (vector: u8) =
+#pop-options
+
+#push-options "--ext context_pruning --split_queries always"
+
+let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
   let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
-  let adjacent_2_combined:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 12l <: i16) 1s (1s <<! 12l <: i16) 1s
-          (1s <<! 12l <: i16) 1s (1s <<! 12l <: i16) 1s (1s <<! 12l <: i16) 1s (1s <<! 12l <: i16)
-          1s (1s <<! 12l <: i16) 1s (1s <<! 12l <: i16) 1s
-        <:
-        u8)
-  in
-  let adjacent_4_combined:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_2_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 8l 0l 8l 0l 8l 0l 8l <: u8)
-  in
-  let adjacent_4_combined:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 8l adjacent_4_combined
-  in
-  let adjacent_8_combined:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_4_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y
-          5y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y 5y 4y 3y 2y 1y 0y
-        <:
-        u8)
-  in
-  let lower_8_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined in
-  let upper_8_:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined
+  let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 &
+    Libcrux_intrinsics.Avx2_extract.t_Vec128) =
+    serialize_12___serialize_12_vec vector
   in
   let serialized:t_Array u8 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
@@ -365,34 +325,42 @@ let serialize_12_ (vector: u8) =
       <:
       Core.Result.t_Result (t_Array u8 (sz 24)) Core.Array.t_TryFromSliceError)
 
-let serialize_5_ (vector: u8) =
+#pop-options
+
+let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
   let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
-  let adjacent_2_combined:u8 =
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 5l <: i16) 1s (1s <<! 5l <: i16) 1s
           (1s <<! 5l <: i16) 1s (1s <<! 5l <: i16) 1s (1s <<! 5l <: i16) 1s (1s <<! 5l <: i16) 1s
           (1s <<! 5l <: i16) 1s (1s <<! 5l <: i16) 1s
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_2_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_4_combined:u8 =
+  let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 22l adjacent_4_combined
   in
-  let adjacent_8_combined:u8 =
+  let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 8l adjacent_4_combined
   in
-  let adjacent_8_combined:u8 =
+  let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_8_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 12l 0l 0l 0l 12l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 12l 0l 0l 0l 12l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let adjacent_8_combined:u8 =
+  let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_8_combined
   in
-  let lower_8_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined in
+  let lower_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined
+  in
   let serialized:t_Array u8 (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
       ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
@@ -410,7 +378,7 @@ let serialize_5_ (vector: u8) =
         <:
         t_Slice u8)
   in
-  let upper_8_:u8 =
+  let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
     Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined
   in
   let serialized:t_Array u8 (sz 32) =
@@ -443,32 +411,40 @@ let serialize_5_ (vector: u8) =
       <:
       Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError)
 
-let serialize_4_ (vector: u8) =
+#push-options "--ext context_pruning --split_queries always"
+
+let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
   let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
-  let adjacent_2_combined:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s
-          (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s
-          (1s <<! 4l <: i16) 1s (1s <<! 4l <: i16) 1s
-        <:
-        u8)
+  let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mm256_concat_pairs_n 4uy vector
   in
-  let adjacent_8_combined:u8 =
+  let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined
       (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
           (-1y) (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
           (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y
         <:
-        u8)
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
   in
-  let combined:u8 =
+  let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
     Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_8_combined
-      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l <: u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 combined
   in
-  let combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 combined in
   let serialized:t_Array u8 (sz 16) =
     Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized combined
   in
+  let _:Prims.unit =
+    assert (forall (i: nat{i < 64}). combined i == bit_vec_of_int_t_array serialized 8 i);
+    introduce forall (i: nat{i < 64}) . combined i = vector ((i / 4) * 16 + i % 4)
+    with assert_norm (BitVec.Utils.forall64 (fun i -> combined i = vector ((i / 4) * 16 + i % 4)));
+    assert (forall (i: nat{i < 64}).
+          bit_vec_of_int_t_array serialized 8 i == vector ((i / 4) * 16 + i % 4))
+  in
   Core.Result.impl__unwrap #(t_Array u8 (sz 8))
     #Core.Array.t_TryFromSliceError
     (Core.Convert.f_try_into #(t_Slice u8)
@@ -482,6 +458,186 @@ let serialize_4_ (vector: u8) =
       <:
       Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError)
 
+#pop-options
+
+[@@"opaque_to_smt"]
+
+let deserialize_10___deserialize_10_vec
+      (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128)
+     =
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0
+      (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 9uy 8uy 8uy 7uy 7uy 6uy 6uy 5uy 4uy 3uy 3uy 2uy
+          2uy 1uy 1uy 0uy
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
+  in
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0
+      (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 13uy 12uy 12uy 11uy 10uy 9uy
+          9uy 8uy 8uy 7uy 7uy 6uy
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mm256_si256_from_two_si128 lower_coefficients upper_coefficients
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 0l <: i16) (1s <<! 2l <: i16)
+          (1s <<! 4l <: i16) (1s <<! 6l <: i16) (1s <<! 0l <: i16) (1s <<! 2l <: i16)
+          (1s <<! 4l <: i16) (1s <<! 6l <: i16) (1s <<! 0l <: i16) (1s <<! 2l <: i16)
+          (1s <<! 4l <: i16) (1s <<! 6l <: i16) (1s <<! 0l <: i16) (1s <<! 2l <: i16)
+          (1s <<! 4l <: i16) (1s <<! 6l <: i16)
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 6l coefficients
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
+      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s <<! 10l <: i16) -! 1s <: i16)
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let _:Prims.unit =
+    assert_norm (BitVec.Utils.forall256 (fun i ->
+              coefficients i =
+              (if i % 16 < 10
+                then
+                  let j = (i / 16) * 10 + i % 16 in
+                  if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32)
+                else 0)))
+  in
+  coefficients
+
+let deserialize_10_ (bytes: t_Slice u8) =
+  let lower_coefficients:t_Slice u8 =
+    bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
+      <:
+      Core.Ops.Range.t_Range usize ]
+  in
+  let upper_coefficients:t_Slice u8 =
+    bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 20 }
+      <:
+      Core.Ops.Range.t_Range usize ]
+  in
+  deserialize_10___deserialize_10_vec (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 lower_coefficients
+
+      <:
+      Libcrux_intrinsics.Avx2_extract.t_Vec128)
+    (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 upper_coefficients
+      <:
+      Libcrux_intrinsics.Avx2_extract.t_Vec128)
+
+[@@"opaque_to_smt"]
+
+let deserialize_12___deserialize_12_vec
+      (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128)
+     =
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0
+      (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 11uy 10uy 10uy 9uy 8uy 7uy 7uy 6uy 5uy 4uy 4uy
+          3uy 2uy 1uy 1uy 0uy
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
+  in
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0
+      (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 12uy 11uy 11uy 10uy 9uy 8uy
+          8uy 7uy 6uy 5uy 5uy 4uy
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec128)
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mm256_si256_from_two_si128 lower_coefficients upper_coefficients
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+          (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+          (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+          (1s <<! 0l <: i16) (1s <<! 4l <: i16) (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+          (1s <<! 0l <: i16) (1s <<! 4l <: i16)
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 4l coefficients
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
+      (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s <<! 12l <: i16) -! 1s <: i16)
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let _:Prims.unit =
+    assert_norm (BitVec.Utils.forall256 (fun i ->
+              coefficients i =
+              (if i % 16 < 12
+                then
+                  let j = (i / 16) * 12 + i % 16 in
+                  if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64)
+                else 0)))
+  in
+  coefficients
+
+let deserialize_12_ (bytes: t_Slice u8) =
+  let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ {
+            Core.Ops.Range.f_start = sz 0;
+            Core.Ops.Range.f_end = sz 16
+          }
+          <:
+          Core.Ops.Range.t_Range usize ]
+        <:
+        t_Slice u8)
+  in
+  let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ {
+            Core.Ops.Range.f_start = sz 8;
+            Core.Ops.Range.f_end = sz 24
+          }
+          <:
+          Core.Ops.Range.t_Range usize ]
+        <:
+        t_Slice u8)
+  in
+  deserialize_12___deserialize_12_vec lower_coefficients upper_coefficients
+
+let deserialize_5_ (bytes: t_Slice u8) =
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+    Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8)
+      (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8)
+      (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8)
+      (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8)
+      (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8)
+  in
+  let coefficients_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    mm256_si256_from_two_si128 coefficients coefficients
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 13y 12y 13y 12y 11y 10y 11y
+          10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients
+      (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <<! 0l <: i16) (1s <<! 5l <: i16)
+          (1s <<! 2l <: i16) (1s <<! 7l <: i16) (1s <<! 4l <: i16) (1s <<! 9l <: i16)
+          (1s <<! 6l <: i16) (1s <<! 11l <: i16) (1s <<! 0l <: i16) (1s <<! 5l <: i16)
+          (1s <<! 2l <: i16) (1s <<! 7l <: i16) (1s <<! 4l <: i16) (1s <<! 9l <: i16)
+          (1s <<! 6l <: i16) (1s <<! 11l <: i16)
+        <:
+        Libcrux_intrinsics.Avx2_extract.t_Vec256)
+  in
+  Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 11l coefficients
+
+#push-options "--admit_smt_queries true"
+
 let deserialize_11_ (bytes: t_Slice u8) =
   let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
@@ -495,7 +651,11 @@ let deserialize_11_ (bytes: t_Slice u8) =
   in
   Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 (array <: t_Slice i16)
 
-let serialize_11_ (vector: u8) =
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
   let array:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in
   let array:t_Array i16 (sz 16) =
     Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 array vector
@@ -508,3 +668,5 @@ let serialize_11_ (vector: u8) =
   Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
     #FStar.Tactics.Typeclasses.solve
     input
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti
index 653eb0818..f91497b5d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Avx2.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -10,29 +10,236 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-val deserialize_1_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_1___deserialize_1_i16s (a b: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      Prims.l_True
+      (ensures
+        fun coefficients ->
+          let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in
+          forall (i: nat{i < 256}).
+            coefficients i =
+            (if i % 16 >= 1
+              then 0
+              else
+                let j = (i / 16) * 1 + i % 16 in
+                if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8))))
 
-val deserialize_10_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_1___deserialize_1_u8s (a b: u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      Prims.l_True
+      (ensures
+        fun coefficients ->
+          let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in
+          forall (i: nat{i < 256}).
+            coefficients i =
+            (if i % 16 >= 1
+              then 0
+              else
+                let j = (i / 16) * 1 + i % 16 in
+                if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8))))
 
-val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_1_ (bytes: t_Slice u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2)
+      (ensures
+        fun coefficients ->
+          let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in
+          forall (i: nat{i < 256}).
+            coefficients i =
+            (if i % 16 >= 1
+              then 0
+              else
+                let j = (i / 16) * 1 + i % 16 in
+                bit_vec_of_int_t_array (bytes <: t_Array _ (sz 2)) 8 j))
 
-val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      Prims.l_True
+      (ensures
+        fun coefficients ->
+          let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in
+          forall (i: nat{i < 256}).
+            coefficients i =
+            (if i % 16 < 4
+              then
+                let j = (i / 16) * 4 + i % 16 in
+                (match i / 32 with
+                  | 0 -> get_bit b0 (sz j)
+                  | 1 -> get_bit b1 (sz (j - 8))
+                  | 2 -> get_bit b2 (sz (j - 16))
+                  | 3 -> get_bit b3 (sz (j - 24))
+                  | 4 -> get_bit b4 (sz (j - 32))
+                  | 5 -> get_bit b5 (sz (j - 40))
+                  | 6 -> get_bit b6 (sz (j - 48))
+                  | 7 -> get_bit b7 (sz (j - 56)))
+              else 0))
 
-val deserialize_5_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      Prims.l_True
+      (ensures
+        fun coefficients ->
+          let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in
+          forall (i: nat{i < 256}).
+            coefficients i =
+            (if i % 16 < 4
+              then
+                let j = (i / 16) * 4 + i % 16 in
+                (match i / 32 with
+                  | 0 -> get_bit b0 (sz j)
+                  | 1 -> get_bit b1 (sz (j - 8))
+                  | 2 -> get_bit b2 (sz (j - 16))
+                  | 3 -> get_bit b3 (sz (j - 24))
+                  | 4 -> get_bit b4 (sz (j - 32))
+                  | 5 -> get_bit b5 (sz (j - 40))
+                  | 6 -> get_bit b6 (sz (j - 48))
+                  | 7 -> get_bit b7 (sz (j - 56)))
+              else 0))
 
-val serialize_1_ (vector: u8) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_4_ (bytes: t_Slice u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8)
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          forall (i: nat{i < 256}).
+            result i =
+            (if i % 16 >= 4
+              then 0
+              else
+                let j = (i / 16) * 4 + i % 16 in
+                bit_vec_of_int_t_array (bytes <: t_Array _ (sz 8)) 8 j))
 
-val serialize_10_ (vector: u8)
-    : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_concat_pairs_n}
 
-val serialize_12_ (vector: u8)
-    : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True)
+val serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure (t_Array u8 (sz 2))
+      (requires forall i. i % 16 >= 1 ==> vector i == 0)
+      (ensures
+        fun result ->
+          let result:t_Array u8 (sz 2) = result in
+          forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16))
 
-val serialize_5_ (vector: u8) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
+val serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128)
+      (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0)
+      (ensures
+        fun temp_0_ ->
+          let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 &
+            Libcrux_intrinsics.Avx2_extract.t_Vec128) =
+            temp_0_
+          in
+          forall (i: nat{i < 160}).
+            vector ((i / 10) * 16 + i % 10) == (if i < 80 then lower_8_ i else upper_8_ (i - 80)))
 
-val serialize_4_ (vector: u8) : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
+val serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure
+      (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128)
+      (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0)
+      (ensures
+        fun temp_0_ ->
+          let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 &
+            Libcrux_intrinsics.Avx2_extract.t_Vec128) =
+            temp_0_
+          in
+          forall (i: nat{i < 192}).
+            vector ((i / 12) * 16 + i % 12) == (if i < 96 then lower_8_ i else upper_8_ (i - 96)))
 
-val deserialize_11_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure (t_Array u8 (sz 20))
+      (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0)
+      (ensures
+        fun r ->
+          let r:t_Array u8 (sz 20) = r in
+          forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10))
 
-val serialize_11_ (vector: u8)
+val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure (t_Array u8 (sz 24))
+      (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0)
+      (ensures
+        fun r ->
+          let r:t_Array u8 (sz 24) = r in
+          forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i / 12) * 16 + i % 12))
+
+val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+    : Prims.Pure (t_Array u8 (sz 8))
+      (requires forall (i: nat{i < 256}). i % 16 < 4 || vector i = 0)
+      (ensures
+        fun r ->
+          let r:t_Array u8 (sz 8) = r in
+          forall (i: nat{i < 64}). bit_vec_of_int_t_array r 8 i == vector ((i / 4) * 16 + i % 4))
+
+include BitVec.Intrinsics {mm256_si256_from_two_si128 as mm256_si256_from_two_si128}
+
+val deserialize_10___deserialize_10_vec
+      (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      Prims.l_True
+      (ensures
+        fun coefficients ->
+          let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in
+          forall (i: nat{i < 256}).
+            coefficients i =
+            (if i % 16 >= 10
+              then 0
+              else
+                let j = (i / 16) * 10 + i % 16 in
+                if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32)))
+
+val deserialize_10_ (bytes: t_Slice u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires Seq.length bytes == 20)
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          forall (i: nat{i < 256}).
+            result i =
+            (if i % 16 >= 10
+              then 0
+              else
+                let j = (i / 16) * 10 + i % 16 in
+                bit_vec_of_int_t_array (bytes <: t_Array _ (sz 20)) 8 j))
+
+val deserialize_12___deserialize_12_vec
+      (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      Prims.l_True
+      (ensures
+        fun coefficients ->
+          let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in
+          forall (i: nat{i < 256}).
+            coefficients i =
+            (if i % 16 >= 12
+              then 0
+              else
+                let j = (i / 16) * 12 + i % 16 in
+                if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64)))
+
+val deserialize_12_ (bytes: t_Slice u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires Seq.length bytes == 24)
+      (ensures
+        fun result ->
+          let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+          forall (i: nat{i < 256}).
+            result i =
+            (if i % 16 >= 12
+              then 0
+              else
+                let j = (i / 16) * 12 + i % 16 in
+                bit_vec_of_int_t_array (bytes <: t_Array _ (sz 24)) 8 j))
+
+val deserialize_5_ (bytes: t_Slice u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+      (requires Seq.length bytes == 10)
+      (fun _ -> Prims.l_True)
+
+val deserialize_11_ (bytes: t_Slice u8)
+    : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
     : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
index 1aa183708..b0b8981ad 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
@@ -1,17 +1,673 @@
 module Libcrux_ml_kem.Vector.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-let from_i16_array (array: t_Slice i16) =
-  { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_kem.Vector.Traits in
+  ()
 
-let to_i16_array (v: t_SIMD256Vector) =
+#push-options "--admit_smt_queries true"
+
+let deserialize_1_ (bytes: t_Slice u8) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let deserialize_4_ (bytes: t_Slice u8) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes } <: t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let serialize_1_ (vector: t_SIMD256Vector) =
+  Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements
+
+#pop-options
+
+let vec_from_i16_array (array: t_Slice i16) =
+  let result:t_SIMD256Vector =
+    { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+let vec_zero (_: Prims.unit) =
+  let result:t_SIMD256Vector =
+    { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+#push-options "--admit_smt_queries true"
+
+let compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) =
+  {
+    f_elements
+    =
+    Libcrux_ml_kem.Vector.Avx2.Compress.compress_ciphertext_coefficient v_COEFFICIENT_BITS
+      vector.f_elements
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let compress_1_ (vector: t_SIMD256Vector) =
+  {
+    f_elements = Libcrux_ml_kem.Vector.Avx2.Compress.compress_message_coefficient vector.f_elements
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let cond_subtract_3329_ (vector: t_SIMD256Vector) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
+  {
+    f_elements
+    =
+    Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_2_step vector.f_elements zeta0 zeta1 }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
+  {
+    f_elements
+    =
+    Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
+  {
+    f_elements
+    =
+    Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_multiply lhs.f_elements
+      rhs.f_elements
+      zeta0
+      zeta1
+      zeta2
+      zeta3
+  }
+  <:
+  t_SIMD256Vector
+
+#pop-options
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Clone.t_Clone t_SIMD256Vector
+
+let impl_1 = impl_1'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2': Core.Marker.t_Copy t_SIMD256Vector
+
+let impl_2 = impl_2'
+
+#push-options "--admit_smt_queries true"
+
+let serialize_10_ (vector: t_SIMD256Vector) =
+  Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let serialize_12_ (vector: t_SIMD256Vector) =
+  Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let serialize_4_ (vector: t_SIMD256Vector) =
+  Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements
+
+#pop-options
+
+let vec_to_i16_array (v: t_SIMD256Vector) =
   let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in
   let output:t_Array i16 (sz 16) =
     Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 output v.f_elements
   in
-  output
+  let result:t_Array i16 (sz 16) = output in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector =
+  {
+    _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve;
+    _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve;
+    f_repr_pre = (fun (x: t_SIMD256Vector) -> true);
+    f_repr_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> true);
+    f_repr = fun (x: t_SIMD256Vector) -> vec_to_i16_array x
+  }
+
+#push-options "--admit_smt_queries true"
+
+let deserialize_10_ (bytes: t_Slice u8) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_10_ bytes } <: t_SIMD256Vector
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let deserialize_12_ (bytes: t_Slice u8) =
+  { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ bytes } <: t_SIMD256Vector
+
+#pop-options
 
-let zero (_: Prims.unit) =
-  { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
+  {
+    _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve;
+    _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve;
+    _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve;
+    f_ZERO_pre = (fun (_: Prims.unit) -> true);
+    f_ZERO_post
+    =
+    (fun (_: Prims.unit) (out: t_SIMD256Vector) -> impl.f_repr out == Seq.create 16 0s);
+    f_ZERO = (fun (_: Prims.unit) -> vec_zero ());
+    f_from_i16_array_pre
+    =
+    (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16);
+    f_from_i16_array_post
+    =
+    (fun (array: t_Slice i16) (out: t_SIMD256Vector) -> impl.f_repr out == array);
+    f_from_i16_array = (fun (array: t_Slice i16) -> vec_from_i16_array array);
+    f_to_i16_array_pre = (fun (x: t_SIMD256Vector) -> true);
+    f_to_i16_array_post
+    =
+    (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> out == impl.f_repr x);
+    f_to_i16_array = (fun (x: t_SIMD256Vector) -> vec_to_i16_array x);
+    f_add_pre
+    =
+    (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) ->
+        forall i.
+          i < 16 ==>
+          Spec.Utils.is_intb (pow2 15 - 1)
+            (v (Seq.index (impl.f_repr lhs) i) + v (Seq.index (impl.f_repr rhs) i)));
+    f_add_post
+    =
+    (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (result: t_SIMD256Vector) ->
+        forall i.
+          i < 16 ==>
+          (v (Seq.index (impl.f_repr result) i) ==
+            v (Seq.index (impl.f_repr lhs) i) + v (Seq.index (impl.f_repr rhs) i)));
+    f_add
+    =
+    (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) ->
+        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.add lhs.f_elements rhs.f_elements }
+        <:
+        t_SIMD256Vector);
+    f_sub_pre
+    =
+    (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) ->
+        forall i.
+          i < 16 ==>
+          Spec.Utils.is_intb (pow2 15 - 1)
+            (v (Seq.index (impl.f_repr lhs) i) - v (Seq.index (impl.f_repr rhs) i)));
+    f_sub_post
+    =
+    (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (result: t_SIMD256Vector) ->
+        forall i.
+          i < 16 ==>
+          (v (Seq.index (impl.f_repr result) i) ==
+            v (Seq.index (impl.f_repr lhs) i) - v (Seq.index (impl.f_repr rhs) i)));
+    f_sub
+    =
+    (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) ->
+        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.sub lhs.f_elements rhs.f_elements }
+        <:
+        t_SIMD256Vector);
+    f_multiply_by_constant_pre
+    =
+    (fun (vec: t_SIMD256Vector) (c: i16) ->
+        forall i.
+          i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr vec) i) * v c));
+    f_multiply_by_constant_post
+    =
+    (fun (vec: t_SIMD256Vector) (c: i16) (result: t_SIMD256Vector) ->
+        forall i.
+          i < 16 ==>
+          (v (Seq.index (impl.f_repr result) i) == v (Seq.index (impl.f_repr vec) i) * v c));
+    f_multiply_by_constant
+    =
+    (fun (vec: t_SIMD256Vector) (c: i16) ->
+        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.multiply_by_constant vec.f_elements c }
+        <:
+        t_SIMD256Vector);
+    f_bitwise_and_with_constant_pre = (fun (vector: t_SIMD256Vector) (constant: i16) -> true);
+    f_bitwise_and_with_constant_post
+    =
+    (fun (vector: t_SIMD256Vector) (constant: i16) (out: t_SIMD256Vector) ->
+        impl.f_repr out == Spec.Utils.map_array (fun x -> x &. constant) (impl.f_repr vector));
+    f_bitwise_and_with_constant
+    =
+    (fun (vector: t_SIMD256Vector) (constant: i16) ->
+        {
+          f_elements
+          =
+          Libcrux_ml_kem.Vector.Avx2.Arithmetic.bitwise_and_with_constant vector.f_elements constant
+        }
+        <:
+        t_SIMD256Vector);
+    f_shift_right_pre
+    =
+    (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) -> v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l);
+    f_shift_right_post
+    =
+    (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) ->
+        (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==>
+        impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (impl.f_repr vector));
+    f_shift_right
+    =
+    (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) ->
+        {
+          f_elements
+          =
+          Libcrux_ml_kem.Vector.Avx2.Arithmetic.shift_right v_SHIFT_BY vector.f_elements
+        }
+        <:
+        t_SIMD256Vector);
+    f_cond_subtract_3329_pre
+    =
+    (fun (vector: t_SIMD256Vector) -> Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr vector));
+    f_cond_subtract_3329_post
+    =
+    (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) ->
+        impl.f_repr out ==
+        Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr vector));
+    f_cond_subtract_3329_ = (fun (vector: t_SIMD256Vector) -> cond_subtract_3329_ vector);
+    f_barrett_reduce_pre
+    =
+    (fun (vector: t_SIMD256Vector) -> Spec.Utils.is_i16b_array 28296 (impl.f_repr vector));
+    f_barrett_reduce_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
+    f_barrett_reduce
+    =
+    (fun (vector: t_SIMD256Vector) ->
+        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce vector.f_elements }
+        <:
+        t_SIMD256Vector);
+    f_montgomery_multiply_by_constant_pre
+    =
+    (fun (vector: t_SIMD256Vector) (constant: i16) -> Spec.Utils.is_i16b 1664 constant);
+    f_montgomery_multiply_by_constant_post
+    =
+    (fun (vector: t_SIMD256Vector) (constant: i16) (out: t_SIMD256Vector) -> true);
+    f_montgomery_multiply_by_constant
+    =
+    (fun (vector: t_SIMD256Vector) (constant: i16) ->
+        {
+          f_elements
+          =
+          Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constant vector.f_elements
+            constant
+        }
+        <:
+        t_SIMD256Vector);
+    f_compress_1_pre
+    =
+    (fun (vector: t_SIMD256Vector) ->
+        forall (i: nat).
+          i < 16 ==>
+          v (Seq.index (impl.f_repr vector) i) >= 0 /\ v (Seq.index (impl.f_repr vector) i) < 3329);
+    f_compress_1_post
+    =
+    (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) ->
+        forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1);
+    f_compress_1_ = (fun (vector: t_SIMD256Vector) -> compress_1_ vector);
+    f_compress_pre
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) ->
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) /\
+        (forall (i: nat).
+            i < 16 ==>
+            v (Seq.index (impl.f_repr vector) i) >= 0 /\ v (Seq.index (impl.f_repr vector) i) < 3329
+        ));
+    f_compress_post
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) ->
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) ==>
+        (forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS))
+    );
+    f_compress
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> compress v_COEFFICIENT_BITS vector);
+    f_decompress_ciphertext_coefficient_pre
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) ->
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) /\
+        (forall (i: nat).
+            i < 16 ==>
+            v (Seq.index (impl.f_repr vector) i) >= 0 /\
+            v (Seq.index (impl.f_repr vector) i) < pow2 (v v_COEFFICIENT_BITS)));
+    f_decompress_ciphertext_coefficient_post
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
+    f_decompress_ciphertext_coefficient
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) ->
+        {
+          f_elements
+          =
+          Libcrux_ml_kem.Vector.Avx2.Compress.decompress_ciphertext_coefficient v_COEFFICIENT_BITS
+            vector.f_elements
+        }
+        <:
+        t_SIMD256Vector);
+    f_ntt_layer_1_step_pre
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr vector));
+    f_ntt_layer_1_step_post
+    =
+    (fun
+        (vector: t_SIMD256Vector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (out: t_SIMD256Vector)
+        ->
+        Spec.Utils.is_i16b_array (11207 + 6 * 3328) (impl.f_repr out));
+    f_ntt_layer_1_step
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) ->
+        ntt_layer_1_step vector zeta0 zeta1 zeta2 zeta3);
+    f_ntt_layer_2_step_pre
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr vector));
+    f_ntt_layer_2_step_post
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) ->
+        Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr out));
+    f_ntt_layer_2_step
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> ntt_layer_2_step vector zeta0 zeta1);
+    f_ntt_layer_3_step_pre
+    =
+    (fun (vector: t_SIMD256Vector) (zeta: i16) ->
+        Spec.Utils.is_i16b 1664 zeta /\
+        Spec.Utils.is_i16b_array (11207 + 3 * 3328) (impl.f_repr vector));
+    f_ntt_layer_3_step_post
+    =
+    (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) ->
+        Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr out));
+    f_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> ntt_layer_3_step vector zeta);
+    f_inv_ntt_layer_1_step_pre
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (4 * 3328) (impl.f_repr vector));
+    f_inv_ntt_layer_1_step_post
+    =
+    (fun
+        (vector: t_SIMD256Vector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (out: t_SIMD256Vector)
+        ->
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr out));
+    f_inv_ntt_layer_1_step
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) ->
+        inv_ntt_layer_1_step vector zeta0 zeta1 zeta2 zeta3);
+    f_inv_ntt_layer_2_step_pre
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr vector));
+    f_inv_ntt_layer_2_step_post
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) ->
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr out));
+    f_inv_ntt_layer_2_step
+    =
+    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) ->
+        inv_ntt_layer_2_step vector zeta0 zeta1);
+    f_inv_ntt_layer_3_step_pre
+    =
+    (fun (vector: t_SIMD256Vector) (zeta: i16) ->
+        Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr vector));
+    f_inv_ntt_layer_3_step_post
+    =
+    (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) ->
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr out));
+    f_inv_ntt_layer_3_step
+    =
+    (fun (vector: t_SIMD256Vector) (zeta: i16) -> inv_ntt_layer_3_step vector zeta);
+    f_ntt_multiply_pre
+    =
+    (fun
+        (lhs: t_SIMD256Vector)
+        (rhs: t_SIMD256Vector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr lhs) /\
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr rhs));
+    f_ntt_multiply_post
+    =
+    (fun
+        (lhs: t_SIMD256Vector)
+        (rhs: t_SIMD256Vector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (out: t_SIMD256Vector)
+        ->
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr out));
+    f_ntt_multiply
+    =
+    (fun
+        (lhs: t_SIMD256Vector)
+        (rhs: t_SIMD256Vector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        ->
+        ntt_multiply lhs rhs zeta0 zeta1 zeta2 zeta3);
+    f_serialize_1_pre
+    =
+    (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 1 (impl.f_repr vector));
+    f_serialize_1_post
+    =
+    (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 2)) ->
+        Spec.MLKEM.serialize_pre 1 (impl.f_repr vector) ==>
+        Spec.MLKEM.serialize_post 1 (impl.f_repr vector) out);
+    f_serialize_1_ = (fun (vector: t_SIMD256Vector) -> serialize_1_ vector);
+    f_deserialize_1_pre
+    =
+    (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2);
+    f_deserialize_1_post
+    =
+    (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) ->
+        sz (Seq.length bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 bytes (impl.f_repr out));
+    f_deserialize_1_ = (fun (bytes: t_Slice u8) -> deserialize_1_ bytes);
+    f_serialize_4_pre
+    =
+    (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 4 (impl.f_repr vector));
+    f_serialize_4_post
+    =
+    (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 8)) ->
+        Spec.MLKEM.serialize_pre 4 (impl.f_repr vector) ==>
+        Spec.MLKEM.serialize_post 4 (impl.f_repr vector) out);
+    f_serialize_4_ = (fun (vector: t_SIMD256Vector) -> serialize_4_ vector);
+    f_deserialize_4_pre
+    =
+    (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8);
+    f_deserialize_4_post
+    =
+    (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) ->
+        sz (Seq.length bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 bytes (impl.f_repr out));
+    f_deserialize_4_ = (fun (bytes: t_Slice u8) -> deserialize_4_ bytes);
+    f_serialize_5_pre = (fun (vector: t_SIMD256Vector) -> true);
+    f_serialize_5_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 10)) -> true);
+    f_serialize_5_
+    =
+    (fun (vector: t_SIMD256Vector) ->
+        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_5_ vector.f_elements);
+    f_deserialize_5_pre
+    =
+    (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 10);
+    f_deserialize_5_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true);
+    f_deserialize_5_
+    =
+    (fun (bytes: t_Slice u8) ->
+        let _:Prims.unit = assert (v (Core.Slice.impl__len bytes) == Seq.length bytes) in
+        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_5_ bytes }
+        <:
+        t_SIMD256Vector);
+    f_serialize_10_pre
+    =
+    (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 10 (impl.f_repr vector));
+    f_serialize_10_post
+    =
+    (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 20)) ->
+        Spec.MLKEM.serialize_pre 10 (impl.f_repr vector) ==>
+        Spec.MLKEM.serialize_post 10 (impl.f_repr vector) out);
+    f_serialize_10_ = (fun (vector: t_SIMD256Vector) -> serialize_10_ vector);
+    f_deserialize_10_pre
+    =
+    (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 20);
+    f_deserialize_10_post
+    =
+    (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) ->
+        sz (Seq.length bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 bytes (impl.f_repr out));
+    f_deserialize_10_ = (fun (bytes: t_Slice u8) -> deserialize_10_ bytes);
+    f_serialize_11_pre = (fun (vector: t_SIMD256Vector) -> true);
+    f_serialize_11_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 22)) -> true);
+    f_serialize_11_
+    =
+    (fun (vector: t_SIMD256Vector) ->
+        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_11_ vector.f_elements);
+    f_deserialize_11_pre
+    =
+    (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 22);
+    f_deserialize_11_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true);
+    f_deserialize_11_
+    =
+    (fun (bytes: t_Slice u8) ->
+        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_11_ bytes }
+        <:
+        t_SIMD256Vector);
+    f_serialize_12_pre
+    =
+    (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 12 (impl.f_repr vector));
+    f_serialize_12_post
+    =
+    (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 24)) ->
+        Spec.MLKEM.serialize_pre 12 (impl.f_repr vector) ==>
+        Spec.MLKEM.serialize_post 12 (impl.f_repr vector) out);
+    f_serialize_12_ = (fun (vector: t_SIMD256Vector) -> serialize_12_ vector);
+    f_deserialize_12_pre
+    =
+    (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24);
+    f_deserialize_12_post
+    =
+    (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) ->
+        sz (Seq.length bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 bytes (impl.f_repr out));
+    f_deserialize_12_ = (fun (bytes: t_Slice u8) -> deserialize_12_ bytes);
+    f_rej_sample_pre
+    =
+    (fun (input: t_Slice u8) (output: t_Slice i16) ->
+        (Core.Slice.impl__len #u8 input <: usize) =. sz 24 &&
+        (Core.Slice.impl__len #i16 output <: usize) =. sz 16);
+    f_rej_sample_post
+    =
+    (fun (input: t_Slice u8) (output: t_Slice i16) (output_future, result: (t_Slice i16 & usize)) ->
+        Seq.length output_future == Seq.length output /\ v result <= 16);
+    f_rej_sample
+    =
+    fun (input: t_Slice u8) (output: t_Slice i16) ->
+      let tmp0, out:(t_Slice i16 & usize) =
+        Libcrux_ml_kem.Vector.Avx2.Sampling.rejection_sample input output
+      in
+      let output:t_Slice i16 = tmp0 in
+      let hax_temp_output:usize = out in
+      output, hax_temp_output <: (t_Slice i16 & usize)
+  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti
index 9622d0152..3ba81f3eb 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti
@@ -1,397 +1,223 @@
 module Libcrux_ml_kem.Vector.Avx2
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-type t_SIMD256Vector = { f_elements:u8 }
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_kem.Vector.Traits in
+  ()
 
-val from_i16_array (array: t_Slice i16)
-    : Prims.Pure t_SIMD256Vector Prims.l_True (fun _ -> Prims.l_True)
+noeq
 
-val to_i16_array (v: t_SIMD256Vector)
-    : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True)
+type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 }
 
-val zero: Prims.unit -> Prims.Pure t_SIMD256Vector Prims.l_True (fun _ -> Prims.l_True)
+let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements
+
+val deserialize_1_ (bytes: t_Slice u8)
+    : Prims.Pure t_SIMD256Vector
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          sz (Seq.length bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 bytes (repr out))
+
+val deserialize_4_ (bytes: t_Slice u8)
+    : Prims.Pure t_SIMD256Vector
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          sz (Seq.length bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 bytes (repr out))
+
+val serialize_1_ (vector: t_SIMD256Vector)
+    : Prims.Pure (t_Array u8 (sz 2))
+      (requires Spec.MLKEM.serialize_pre 1 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 2) = out in
+          Spec.MLKEM.serialize_pre 1 (repr vector) ==> Spec.MLKEM.serialize_post 1 (repr vector) out
+      )
+
+val vec_from_i16_array (array: t_Slice i16)
+    : Prims.Pure t_SIMD256Vector
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_SIMD256Vector = result in
+          repr result == array)
+
+val vec_zero: Prims.unit
+  -> Prims.Pure t_SIMD256Vector
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_SIMD256Vector = result in
+          repr result == Seq.create 16 0s)
+
+val compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) /\
+        (forall (i: nat).
+            i < 16 ==> v (Seq.index (repr vector) i) >= 0 /\ v (Seq.index (repr vector) i) < 3329))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+            v v_COEFFICIENT_BITS == 11) ==>
+          (forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) (v v_COEFFICIENT_BITS)))
+
+val compress_1_ (vector: t_SIMD256Vector)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        forall (i: nat).
+          i < 16 ==> v (Seq.index (repr vector) i) >= 0 /\ v (Seq.index (repr vector) i) < 3329)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) 1)
+
+val cond_subtract_3329_ (vector: t_SIMD256Vector)
+    : Prims.Pure t_SIMD256Vector
+      (requires Spec.Utils.is_i16b_array (pow2 12 - 1) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          repr out ==
+          Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr vector))
+
+val inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (4 * 3328) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array 3328 (repr out))
+
+val inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array 3328 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array 3328 (repr out))
+
+val inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array 3328 (repr out))
+
+val ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array (11207 + 6 * 3328) (repr out))
+
+val ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr out))
+
+val ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (repr vector))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr out))
+
+val ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
+    : Prims.Pure t_SIMD256Vector
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array 3328 (repr lhs) /\ Spec.Utils.is_i16b_array 3328 (repr rhs))
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          Spec.Utils.is_i16b_array 3328 (repr out))
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Clone.t_Clone t_SIMD256Vector
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2:Core.Marker.t_Copy t_SIMD256Vector
+
+val serialize_10_ (vector: t_SIMD256Vector)
+    : Prims.Pure (t_Array u8 (sz 20))
+      (requires Spec.MLKEM.serialize_pre 10 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 20) = out in
+          Spec.MLKEM.serialize_pre 10 (repr vector) ==>
+          Spec.MLKEM.serialize_post 10 (repr vector) out)
+
+val serialize_12_ (vector: t_SIMD256Vector)
+    : Prims.Pure (t_Array u8 (sz 24))
+      (requires Spec.MLKEM.serialize_pre 12 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 24) = out in
+          Spec.MLKEM.serialize_pre 12 (repr vector) ==>
+          Spec.MLKEM.serialize_post 12 (repr vector) out)
+
+val serialize_4_ (vector: t_SIMD256Vector)
+    : Prims.Pure (t_Array u8 (sz 8))
+      (requires Spec.MLKEM.serialize_pre 4 (repr vector))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 8) = out in
+          Spec.MLKEM.serialize_pre 4 (repr vector) ==> Spec.MLKEM.serialize_post 4 (repr vector) out
+      )
+
+val vec_to_i16_array (v: t_SIMD256Vector)
+    : Prims.Pure (t_Array i16 (sz 16))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array i16 (sz 16) = result in
+          result == repr v)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector
+
+val deserialize_10_ (bytes: t_Slice u8)
+    : Prims.Pure t_SIMD256Vector
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 20)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          sz (Seq.length bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 bytes (repr out))
+
+val deserialize_12_ (bytes: t_Slice u8)
+    : Prims.Pure t_SIMD256Vector
+      (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24)
+      (ensures
+        fun out ->
+          let out:t_SIMD256Vector = out in
+          sz (Seq.length bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 bytes (repr out))
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
-  {
-    _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve;
-    _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve;
-    f_ZERO_pre = (fun (_: Prims.unit) -> true);
-    f_ZERO_post = (fun (_: Prims.unit) (out: t_SIMD256Vector) -> true);
-    f_ZERO = (fun (_: Prims.unit) -> zero ());
-    f_from_i16_array_pre = (fun (array: t_Slice i16) -> true);
-    f_from_i16_array_post = (fun (array: t_Slice i16) (out: t_SIMD256Vector) -> true);
-    f_from_i16_array = (fun (array: t_Slice i16) -> from_i16_array array);
-    f_to_i16_array_pre = (fun (x: t_SIMD256Vector) -> true);
-    f_to_i16_array_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> true);
-    f_to_i16_array = (fun (x: t_SIMD256Vector) -> to_i16_array x);
-    f_add_pre = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> true);
-    f_add_post = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
-    f_add
-    =
-    (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.add lhs.f_elements rhs.f_elements }
-        <:
-        t_SIMD256Vector);
-    f_sub_pre = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> true);
-    f_sub_post = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
-    f_sub
-    =
-    (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.sub lhs.f_elements rhs.f_elements }
-        <:
-        t_SIMD256Vector);
-    f_multiply_by_constant_pre = (fun (v: t_SIMD256Vector) (c: i16) -> true);
-    f_multiply_by_constant_post = (fun (v: t_SIMD256Vector) (c: i16) (out: t_SIMD256Vector) -> true);
-    f_multiply_by_constant
-    =
-    (fun (v: t_SIMD256Vector) (c: i16) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.multiply_by_constant v.f_elements c }
-        <:
-        t_SIMD256Vector);
-    f_bitwise_and_with_constant_pre = (fun (vector: t_SIMD256Vector) (constant: i16) -> true);
-    f_bitwise_and_with_constant_post
-    =
-    (fun (vector: t_SIMD256Vector) (constant: i16) (out: t_SIMD256Vector) -> true);
-    f_bitwise_and_with_constant
-    =
-    (fun (vector: t_SIMD256Vector) (constant: i16) ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Arithmetic.bitwise_and_with_constant vector.f_elements constant
-        }
-        <:
-        t_SIMD256Vector);
-    f_shift_right_pre = (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) -> true);
-    f_shift_right_post
-    =
-    (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
-    f_shift_right
-    =
-    (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Arithmetic.shift_right v_SHIFT_BY vector.f_elements
-        }
-        <:
-        t_SIMD256Vector);
-    f_cond_subtract_3329_pre = (fun (vector: t_SIMD256Vector) -> true);
-    f_cond_subtract_3329_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
-    f_cond_subtract_3329_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements }
-        <:
-        t_SIMD256Vector);
-    f_barrett_reduce_pre = (fun (vector: t_SIMD256Vector) -> true);
-    f_barrett_reduce_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
-    f_barrett_reduce
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce vector.f_elements }
-        <:
-        t_SIMD256Vector);
-    f_montgomery_multiply_by_constant_pre = (fun (vector: t_SIMD256Vector) (constant: i16) -> true);
-    f_montgomery_multiply_by_constant_post
-    =
-    (fun (vector: t_SIMD256Vector) (constant: i16) (out: t_SIMD256Vector) -> true);
-    f_montgomery_multiply_by_constant
-    =
-    (fun (vector: t_SIMD256Vector) (constant: i16) ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constant vector.f_elements
-            constant
-        }
-        <:
-        t_SIMD256Vector);
-    f_compress_1_pre = (fun (vector: t_SIMD256Vector) -> true);
-    f_compress_1_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
-    f_compress_1_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Compress.compress_message_coefficient vector.f_elements
-        }
-        <:
-        t_SIMD256Vector);
-    f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> true);
-    f_compress_post
-    =
-    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
-    f_compress
-    =
-    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Compress.compress_ciphertext_coefficient v_COEFFICIENT_BITS
-            vector.f_elements
-        }
-        <:
-        t_SIMD256Vector);
-    f_decompress_ciphertext_coefficient_pre
-    =
-    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> true);
-    f_decompress_ciphertext_coefficient_post
-    =
-    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true);
-    f_decompress_ciphertext_coefficient
-    =
-    (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Compress.decompress_ciphertext_coefficient v_COEFFICIENT_BITS
-            vector.f_elements
-        }
-        <:
-        t_SIMD256Vector);
-    f_ntt_layer_1_step_pre
-    =
-    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> true);
-    f_ntt_layer_1_step_post
-    =
-    (fun
-        (vector: t_SIMD256Vector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (out: t_SIMD256Vector)
-        ->
-        true);
-    f_ntt_layer_1_step
-    =
-    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
-        }
-        <:
-        t_SIMD256Vector);
-    f_ntt_layer_2_step_pre = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> true);
-    f_ntt_layer_2_step_post
-    =
-    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) -> true);
-    f_ntt_layer_2_step
-    =
-    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) ->
-        {
-          f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1
-        }
-        <:
-        t_SIMD256Vector);
-    f_ntt_layer_3_step_pre = (fun (vector: t_SIMD256Vector) (zeta: i16) -> true);
-    f_ntt_layer_3_step_post
-    =
-    (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) -> true);
-    f_ntt_layer_3_step
-    =
-    (fun (vector: t_SIMD256Vector) (zeta: i16) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta }
-        <:
-        t_SIMD256Vector);
-    f_inv_ntt_layer_1_step_pre
-    =
-    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> true);
-    f_inv_ntt_layer_1_step_post
-    =
-    (fun
-        (vector: t_SIMD256Vector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (out: t_SIMD256Vector)
-        ->
-        true);
-    f_inv_ntt_layer_1_step
-    =
-    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_1_step vector.f_elements
-            zeta0
-            zeta1
-            zeta2
-            zeta3
-        }
-        <:
-        t_SIMD256Vector);
-    f_inv_ntt_layer_2_step_pre = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> true);
-    f_inv_ntt_layer_2_step_post
-    =
-    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) -> true);
-    f_inv_ntt_layer_2_step
-    =
-    (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_2_step vector.f_elements zeta0 zeta1
-        }
-        <:
-        t_SIMD256Vector);
-    f_inv_ntt_layer_3_step_pre = (fun (vector: t_SIMD256Vector) (zeta: i16) -> true);
-    f_inv_ntt_layer_3_step_post
-    =
-    (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) -> true);
-    f_inv_ntt_layer_3_step
-    =
-    (fun (vector: t_SIMD256Vector) (zeta: i16) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta }
-        <:
-        t_SIMD256Vector);
-    f_ntt_multiply_pre
-    =
-    (fun
-        (lhs: t_SIMD256Vector)
-        (rhs: t_SIMD256Vector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        ->
-        true);
-    f_ntt_multiply_post
-    =
-    (fun
-        (lhs: t_SIMD256Vector)
-        (rhs: t_SIMD256Vector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (out: t_SIMD256Vector)
-        ->
-        true);
-    f_ntt_multiply
-    =
-    (fun
-        (lhs: t_SIMD256Vector)
-        (rhs: t_SIMD256Vector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        ->
-        {
-          f_elements
-          =
-          Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_multiply lhs.f_elements
-            rhs.f_elements
-            zeta0
-            zeta1
-            zeta2
-            zeta3
-        }
-        <:
-        t_SIMD256Vector);
-    f_serialize_1_pre = (fun (vector: t_SIMD256Vector) -> true);
-    f_serialize_1_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 2)) -> true);
-    f_serialize_1_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements);
-    f_deserialize_1_pre = (fun (bytes: t_Slice u8) -> true);
-    f_deserialize_1_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true);
-    f_deserialize_1_
-    =
-    (fun (bytes: t_Slice u8) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes }
-        <:
-        t_SIMD256Vector);
-    f_serialize_4_pre = (fun (vector: t_SIMD256Vector) -> true);
-    f_serialize_4_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 8)) -> true);
-    f_serialize_4_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements);
-    f_deserialize_4_pre = (fun (bytes: t_Slice u8) -> true);
-    f_deserialize_4_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true);
-    f_deserialize_4_
-    =
-    (fun (bytes: t_Slice u8) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes }
-        <:
-        t_SIMD256Vector);
-    f_serialize_5_pre = (fun (vector: t_SIMD256Vector) -> true);
-    f_serialize_5_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 10)) -> true);
-    f_serialize_5_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_5_ vector.f_elements);
-    f_deserialize_5_pre = (fun (bytes: t_Slice u8) -> true);
-    f_deserialize_5_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true);
-    f_deserialize_5_
-    =
-    (fun (bytes: t_Slice u8) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_5_ bytes }
-        <:
-        t_SIMD256Vector);
-    f_serialize_10_pre = (fun (vector: t_SIMD256Vector) -> true);
-    f_serialize_10_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 20)) -> true);
-    f_serialize_10_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements);
-    f_deserialize_10_pre = (fun (bytes: t_Slice u8) -> true);
-    f_deserialize_10_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true);
-    f_deserialize_10_
-    =
-    (fun (bytes: t_Slice u8) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_10_ bytes }
-        <:
-        t_SIMD256Vector);
-    f_serialize_11_pre = (fun (vector: t_SIMD256Vector) -> true);
-    f_serialize_11_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 22)) -> true);
-    f_serialize_11_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_11_ vector.f_elements);
-    f_deserialize_11_pre = (fun (bytes: t_Slice u8) -> true);
-    f_deserialize_11_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true);
-    f_deserialize_11_
-    =
-    (fun (bytes: t_Slice u8) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_11_ bytes }
-        <:
-        t_SIMD256Vector);
-    f_serialize_12_pre = (fun (vector: t_SIMD256Vector) -> true);
-    f_serialize_12_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 24)) -> true);
-    f_serialize_12_
-    =
-    (fun (vector: t_SIMD256Vector) ->
-        Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements);
-    f_deserialize_12_pre = (fun (bytes: t_Slice u8) -> true);
-    f_deserialize_12_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true);
-    f_deserialize_12_
-    =
-    (fun (bytes: t_Slice u8) ->
-        { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ bytes }
-        <:
-        t_SIMD256Vector);
-    f_rej_sample_pre = (fun (input: t_Slice u8) (output: t_Slice i16) -> true);
-    f_rej_sample_post
-    =
-    (fun (input: t_Slice u8) (output: t_Slice i16) (out1: (t_Slice i16 & usize)) -> true);
-    f_rej_sample
-    =
-    fun (input: t_Slice u8) (output: t_Slice i16) ->
-      let tmp0, out:(t_Slice i16 & usize) =
-        Libcrux_ml_kem.Vector.Avx2.Sampling.rejection_sample input output
-      in
-      let output:t_Slice i16 = tmp0 in
-      let hax_temp_output:usize = out in
-      output, hax_temp_output <: (t_Slice i16 & usize)
-  }
+val impl_3:Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst
index 37938e8f6..1139236f7 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst
@@ -1,52 +1,8 @@
 module Libcrux_ml_kem.Vector.Neon.Arithmetic
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-let barrett_reduce_int16x8_t (v: u8) =
-  let adder:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1024s in
-  let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v v_BARRETT_MULTIPLIER in
-  let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 vec adder in
-  let quotient:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 11l vec in
-  let sub:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 quotient
-      Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
-  in
-  Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v sub
-
-let montgomery_reduce_int16x8_t (low high: u8) =
-  let k:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u16
-          (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 low <: u8)
-          (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: u16)
-        <:
-        u8)
-  in
-  let c:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l
-      (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 k
-          Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
-        <:
-        u8)
-  in
-  Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 high c
-
-let montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) =
-  let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v c in
-  let vv_high:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l
-      (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v c <: u8)
-  in
-  montgomery_reduce_int16x8_t vv_low vv_high
-
-let montgomery_multiply_int16x8_t (v c: u8) =
-  let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in
-  let vv_high:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l
-      (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8)
-  in
-  montgomery_reduce_int16x8_t vv_low vv_high
-
 let add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
   let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
     {
@@ -73,29 +29,6 @@ let add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
   in
   lhs
 
-let barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
-  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
-      =
-      barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
-    }
-    <:
-    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-  in
-  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-      =
-      barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-    }
-    <:
-    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-  in
-  v
-
 let bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) =
   let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 c in
   let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
@@ -161,32 +94,6 @@ let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vect
   in
   v
 
-let montgomery_multiply_by_constant
-      (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (c: i16)
-     =
-  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
-      =
-      montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c
-    }
-    <:
-    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-  in
-  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-      =
-      montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c
-    }
-    <:
-    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-  in
-  v
-
 let multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) =
   let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
     {
@@ -263,3 +170,96 @@ let sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
     Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
   in
   lhs
+
+let barrett_reduce_int16x8_t (v: u8) =
+  let adder:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1024s in
+  let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v v_BARRETT_MULTIPLIER in
+  let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 vec adder in
+  let quotient:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 11l vec in
+  let sub:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 quotient
+      Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
+  in
+  Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v sub
+
+let barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+    {
+      v with
+      Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+      =
+      barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+    }
+    <:
+    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+  in
+  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+    {
+      v with
+      Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+      =
+      barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+    }
+    <:
+    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+  in
+  v
+
+let montgomery_reduce_int16x8_t (low high: u8) =
+  let k:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u16
+          (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 low <: u8)
+          (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: u16)
+        <:
+        u8)
+  in
+  let c:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l
+      (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 k
+          Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
+        <:
+        u8)
+  in
+  Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 high c
+
+let montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) =
+  let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v c in
+  let vv_high:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l
+      (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v c <: u8)
+  in
+  montgomery_reduce_int16x8_t vv_low vv_high
+
+let montgomery_multiply_by_constant
+      (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (c: i16)
+     =
+  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+    {
+      v with
+      Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+      =
+      montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c
+    }
+    <:
+    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+  in
+  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+    {
+      v with
+      Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+      =
+      montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c
+    }
+    <:
+    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+  in
+  v
+
+let montgomery_multiply_int16x8_t (v c: u8) =
+  let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in
+  let vv_high:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l
+      (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8)
+  in
+  montgomery_reduce_int16x8_t vv_low vv_high
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti
index aa297220e..91b5164fe 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti
@@ -1,57 +1,57 @@
 module Libcrux_ml_kem.Vector.Neon.Arithmetic
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 let v_BARRETT_MULTIPLIER: i16 = 20159s
 
-val barrett_reduce_int16x8_t (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val montgomery_reduce_int16x8_t (low high: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
 val add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16)
+val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val montgomery_multiply_by_constant
-      (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-      (c: i16)
+val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16)
+val sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+val barrett_reduce_int16x8_t (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+val barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+val montgomery_reduce_int16x8_t (low high: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+val montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16)
+    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+val montgomery_multiply_by_constant
+      (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+      (c: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
       (fun _ -> Prims.l_True)
+
+val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst
index e039518f2..29ffc7ec4 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Neon.Compress
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -24,19 +24,6 @@ let mask_n_least_significant_bits (coefficient_bits: i16) =
   | 11s -> 2047s
   | x -> (1s <<! x <: i16) -! 1s
 
-let decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8) =
-  let coeff:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vdupq_n_u32 (1ul <<! (v_COEFFICIENT_BITS -! 1l <: i32)
-        <:
-        u32)
-  in
-  let decompressed:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u32 v
-      (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u32)
-  in
-  let decompressed:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_u32 decompressed coeff in
-  Libcrux_intrinsics.Arm64_extract.v__vshrq_n_u32 v_COEFFICIENT_BITS decompressed
-
 let compress (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
   let mask:u8 =
     Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (mask_n_least_significant_bits (cast (v_COEFFICIENT_BITS
@@ -171,6 +158,19 @@ let compress_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
   in
   v
 
+let decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8) =
+  let coeff:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vdupq_n_u32 (1ul <<! (v_COEFFICIENT_BITS -! 1l <: i32)
+        <:
+        u32)
+  in
+  let decompressed:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u32 v
+      (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u32)
+  in
+  let decompressed:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_u32 decompressed coeff in
+  Libcrux_intrinsics.Arm64_extract.v__vshrq_n_u32 v_COEFFICIENT_BITS decompressed
+
 let decompress_ciphertext_coefficient
       (v_COEFFICIENT_BITS: i32)
       (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti
index 84e59e0c0..55a0e76b6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Neon.Compress
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -9,9 +9,6 @@ val compress_int32x4_t (v_COEFFICIENT_BITS: i32) (v: u8)
 val mask_n_least_significant_bits (coefficient_bits: i16)
     : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True)
 
-val decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8)
-    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
 val compress (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
@@ -22,6 +19,9 @@ val compress_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8)
+    : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
 val decompress_ciphertext_coefficient
       (v_COEFFICIENT_BITS: i32)
       (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst
index dc8d03610..36abe54f2 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst
@@ -1,8 +1,66 @@
 module Libcrux_ml_kem.Vector.Neon.Ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) =
+  let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in
+  let b_minus_a:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+      v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+  in
+  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+    {
+      v with
+      Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+      =
+      Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+        v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+    }
+    <:
+    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+  in
+  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+    {
+      v with
+      Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+      =
+      Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta
+    }
+    <:
+    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+  in
+  v
+
+let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) =
+  let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in
+  let t:u8 =
+    Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v
+        .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+      zeta
+  in
+  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+    {
+      v with
+      Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+      =
+      Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t
+    }
+    <:
+    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+  in
+  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+    {
+      v with
+      Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+      =
+      Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t
+    }
+    <:
+    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+  in
+  v
+
 let inv_ntt_layer_1_step
       (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (zeta1 zeta2 zeta3 zeta4: i16)
@@ -142,35 +200,6 @@ let inv_ntt_layer_2_step
   in
   v
 
-let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) =
-  let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in
-  let b_minus_a:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-      v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
-  in
-  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
-      =
-      Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
-        v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-    }
-    <:
-    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-  in
-  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-      =
-      Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta
-    }
-    <:
-    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-  in
-  v
-
 let ntt_layer_1_step
       (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (zeta1 zeta2 zeta3 zeta4: i16)
@@ -306,35 +335,6 @@ let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
   in
   v
 
-let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) =
-  let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in
-  let t:u8 =
-    Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v
-        .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-      zeta
-  in
-  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-      =
-      Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t
-    }
-    <:
-    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-  in
-  let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
-      =
-      Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t
-    }
-    <:
-    Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-  in
-  v
-
 let ntt_multiply
       (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (zeta1 zeta2 zeta3 zeta4: i16)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti
index 46ca8d3df..8beabc8b6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti
@@ -1,8 +1,18 @@
 module Libcrux_ml_kem.Vector.Neon.Ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16)
+    : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16)
+    : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 val inv_ntt_layer_1_step
       (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (zeta1 zeta2 zeta3 zeta4: i16)
@@ -17,11 +27,6 @@ val inv_ntt_layer_2_step
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16)
-    : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
 val ntt_layer_1_step
       (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (zeta1 zeta2 zeta3 zeta4: i16)
@@ -34,11 +39,6 @@ val ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16)
-    : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
 val ntt_multiply
       (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
       (zeta1 zeta2 zeta3 zeta4: i16)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst
index f2b1f9206..2bda9f7e7 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Neon.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -10,145 +10,6 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
-let deserialize_1_ (a: t_Slice u8) =
-  let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in
-  let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in
-  let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 1 ] <: u8) <: i16) in
-  let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
-    let list = [0s; 255s; (-2s); (-3s); (-4s); (-5s); (-6s); (-7s)] in
-    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
-    Rust_primitives.Hax.array_of_list 8 list
-  in
-  let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in
-  let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 low shift in
-  let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 high shift in
-  {
-    Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
-    =
-    Libcrux_intrinsics.Arm64_extract.v__vandq_s16 low one;
-    Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-    =
-    Libcrux_intrinsics.Arm64_extract.v__vandq_s16 high one
-  }
-  <:
-  Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-
-let deserialize_12_ (v: t_Slice u8) =
-  let (indexes: t_Array u8 (sz 16)):t_Array u8 (sz 16) =
-    let list =
-      [0uy; 1uy; 1uy; 2uy; 3uy; 4uy; 4uy; 5uy; 6uy; 7uy; 7uy; 8uy; 9uy; 10uy; 10uy; 11uy]
-    in
-    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
-    Rust_primitives.Hax.array_of_list 16 list
-  in
-  let index_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (indexes <: t_Slice u8) in
-  let (shifts: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
-    let list = [0s; (-4s); 0s; (-4s); 0s; (-4s); 0s; (-4s)] in
-    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
-    Rust_primitives.Hax.array_of_list 8 list
-  in
-  let shift_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifts <: t_Slice i16) in
-  let mask12:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_u16 4095us in
-  let input0:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
-  let input0:t_Array u8 (sz 16) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_range input0
-      ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
-        <:
-        Core.Ops.Range.t_Range usize)
-      (Core.Slice.impl__copy_from_slice #u8
-          (input0.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
-              <:
-              Core.Ops.Range.t_Range usize ]
-            <:
-            t_Slice u8)
-          (v.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
-              <:
-              Core.Ops.Range.t_Range usize ]
-            <:
-            t_Slice u8)
-        <:
-        t_Slice u8)
-  in
-  let input_vec0:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input0 <: t_Slice u8) in
-  let input1:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
-  let input1:t_Array u8 (sz 16) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_range input1
-      ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
-        <:
-        Core.Ops.Range.t_Range usize)
-      (Core.Slice.impl__copy_from_slice #u8
-          (input1.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
-              <:
-              Core.Ops.Range.t_Range usize ]
-            <:
-            t_Slice u8)
-          (v.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 24 }
-              <:
-              Core.Ops.Range.t_Range usize ]
-            <:
-            t_Slice u8)
-        <:
-        t_Slice u8)
-  in
-  let input_vec1:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input1 <: t_Slice u8) in
-  let moved0:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8
-          input_vec0
-          index_vec
-        <:
-        u8)
-  in
-  let shifted0:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved0 shift_vec in
-  let low:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16
-          shifted0
-          mask12
-        <:
-        u8)
-  in
-  let moved1:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8
-          input_vec1
-          index_vec
-        <:
-        u8)
-  in
-  let shifted1:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved1 shift_vec in
-  let high:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16
-          shifted1
-          mask12
-        <:
-        u8)
-  in
-  {
-    Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = low;
-    Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = high
-  }
-  <:
-  Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
-
-let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
-  let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
-    let list = [0s; 1s; 2s; 3s; 4s; 5s; 6s; 7s] in
-    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
-    Rust_primitives.Hax.array_of_list 8 list
-  in
-  let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in
-  let low:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
-      shift
-  in
-  let high:u8 =
-    Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
-      shift
-  in
-  let low:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 low in
-  let high:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 high in
-  let list = [cast (low <: i16) <: u8; cast (high <: i16) <: u8] in
-  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
-  Rust_primitives.Hax.array_of_list 2 list
-
 let serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
   let low0:u8 =
     Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s16
@@ -499,6 +360,145 @@ let serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
   in
   result
 
+let deserialize_1_ (a: t_Slice u8) =
+  let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in
+  let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in
+  let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 1 ] <: u8) <: i16) in
+  let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
+    let list = [0s; 255s; (-2s); (-3s); (-4s); (-5s); (-6s); (-7s)] in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
+    Rust_primitives.Hax.array_of_list 8 list
+  in
+  let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in
+  let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 low shift in
+  let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 high shift in
+  {
+    Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+    =
+    Libcrux_intrinsics.Arm64_extract.v__vandq_s16 low one;
+    Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+    =
+    Libcrux_intrinsics.Arm64_extract.v__vandq_s16 high one
+  }
+  <:
+  Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+
+let deserialize_12_ (v: t_Slice u8) =
+  let (indexes: t_Array u8 (sz 16)):t_Array u8 (sz 16) =
+    let list =
+      [0uy; 1uy; 1uy; 2uy; 3uy; 4uy; 4uy; 5uy; 6uy; 7uy; 7uy; 8uy; 9uy; 10uy; 10uy; 11uy]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
+    Rust_primitives.Hax.array_of_list 16 list
+  in
+  let index_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (indexes <: t_Slice u8) in
+  let (shifts: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
+    let list = [0s; (-4s); 0s; (-4s); 0s; (-4s); 0s; (-4s)] in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
+    Rust_primitives.Hax.array_of_list 8 list
+  in
+  let shift_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifts <: t_Slice i16) in
+  let mask12:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_u16 4095us in
+  let input0:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
+  let input0:t_Array u8 (sz 16) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range input0
+      ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
+        <:
+        Core.Ops.Range.t_Range usize)
+      (Core.Slice.impl__copy_from_slice #u8
+          (input0.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
+              <:
+              Core.Ops.Range.t_Range usize ]
+            <:
+            t_Slice u8)
+          (v.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
+              <:
+              Core.Ops.Range.t_Range usize ]
+            <:
+            t_Slice u8)
+        <:
+        t_Slice u8)
+  in
+  let input_vec0:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input0 <: t_Slice u8) in
+  let input1:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
+  let input1:t_Array u8 (sz 16) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range input1
+      ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
+        <:
+        Core.Ops.Range.t_Range usize)
+      (Core.Slice.impl__copy_from_slice #u8
+          (input1.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 }
+              <:
+              Core.Ops.Range.t_Range usize ]
+            <:
+            t_Slice u8)
+          (v.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 24 }
+              <:
+              Core.Ops.Range.t_Range usize ]
+            <:
+            t_Slice u8)
+        <:
+        t_Slice u8)
+  in
+  let input_vec1:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input1 <: t_Slice u8) in
+  let moved0:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8
+          input_vec0
+          index_vec
+        <:
+        u8)
+  in
+  let shifted0:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved0 shift_vec in
+  let low:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16
+          shifted0
+          mask12
+        <:
+        u8)
+  in
+  let moved1:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8
+          input_vec1
+          index_vec
+        <:
+        u8)
+  in
+  let shifted1:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved1 shift_vec in
+  let high:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16
+          shifted1
+          mask12
+        <:
+        u8)
+  in
+  {
+    Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = low;
+    Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = high
+  }
+  <:
+  Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+
+let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+  let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
+    let list = [0s; 1s; 2s; 3s; 4s; 5s; 6s; 7s] in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
+    Rust_primitives.Hax.array_of_list 8 list
+  in
+  let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in
+  let low:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+      shift
+  in
+  let high:u8 =
+    Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+      shift
+  in
+  let low:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 low in
+  let high:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 high in
+  let list = [cast (low <: i16) <: u8; cast (high <: i16) <: u8] in
+  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
+  Rust_primitives.Hax.array_of_list 2 list
+
 let serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
   let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
     let list = [0s; 4s; 8s; 12s; 0s; 4s; 8s; 12s] in
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti
index b9219f5ed..7610cd889 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Neon.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -10,6 +10,12 @@ let _ =
   let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+    : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True)
+
 val deserialize_1_ (a: t_Slice u8)
     : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
       Prims.l_True
@@ -23,12 +29,6 @@ val deserialize_12_ (v: t_Slice u8)
 val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
     : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
 
-val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-    : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True)
-
 val serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
     : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst
index 12686d3bb..761d0a4b3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst
@@ -1,41 +1,63 @@
 module Libcrux_ml_kem.Vector.Neon.Vector_type
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+let repr (x:t_SIMD128Vector) = admit()
+
 let v_ZERO (_: Prims.unit) =
-  {
-    f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s;
-    f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s
-  }
-  <:
-  t_SIMD128Vector
+  let result:t_SIMD128Vector =
+    {
+      f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s;
+      f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s
+    }
+    <:
+    t_SIMD128Vector
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
 
 let from_i16_array (array: t_Slice i16) =
-  {
-    f_low
-    =
-    Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ {
-            Core.Ops.Range.f_start = sz 0;
-            Core.Ops.Range.f_end = sz 8
-          }
+  let result:t_SIMD128Vector =
+    {
+      f_low
+      =
+      Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ {
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 8
+            }
+            <:
+            Core.Ops.Range.t_Range usize ]
           <:
-          Core.Ops.Range.t_Range usize ]
-        <:
-        t_Slice i16);
-    f_high
-    =
-    Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ {
-            Core.Ops.Range.f_start = sz 8;
-            Core.Ops.Range.f_end = sz 16
-          }
+          t_Slice i16);
+      f_high
+      =
+      Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ {
+              Core.Ops.Range.f_start = sz 8;
+              Core.Ops.Range.f_end = sz 16
+            }
+            <:
+            Core.Ops.Range.t_Range usize ]
           <:
-          Core.Ops.Range.t_Range usize ]
-        <:
-        t_Slice i16)
-  }
-  <:
-  t_SIMD128Vector
+          t_Slice i16)
+    }
+    <:
+    t_SIMD128Vector
+  in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Core.Clone.t_Clone t_SIMD128Vector
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Marker.t_Copy t_SIMD128Vector
+
+let impl_1 = impl_1'
 
 let to_i16_array (v: t_SIMD128Vector) =
   let out:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in
@@ -73,4 +95,6 @@ let to_i16_array (v: t_SIMD128Vector) =
         <:
         t_Slice i16)
   in
-  out
+  let result:t_Array i16 (sz 16) = out in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti
index d80603ff5..ce6c9b299 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Neon.Vector_type
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -8,10 +8,34 @@ type t_SIMD128Vector = {
   f_high:u8
 }
 
-val v_ZERO: Prims.unit -> Prims.Pure t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True)
+val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16)
+
+val v_ZERO: Prims.unit
+  -> Prims.Pure t_SIMD128Vector
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_SIMD128Vector = result in
+          repr result == Seq.create 16 0s)
 
 val from_i16_array (array: t_Slice i16)
-    : Prims.Pure t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure t_SIMD128Vector
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_SIMD128Vector = result in
+          repr result == array)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_SIMD128Vector
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_SIMD128Vector
 
 val to_i16_array (v: t_SIMD128Vector)
-    : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array i16 (sz 16))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array i16 (sz 16) = result in
+          result == repr v)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst
index d33fcee14..7697d036c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -7,6 +7,7 @@ let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
   let open Libcrux_ml_kem.Vector.Neon.Vector_type in
+  let open Libcrux_ml_kem.Vector.Traits in
   ()
 
 let rej_sample (a: t_Slice u8) (result: t_Slice i16) =
@@ -46,3 +47,494 @@ let rej_sample (a: t_Slice u8) (result: t_Slice i16) =
   in
   let hax_temp_output:usize = sampled in
   result, hax_temp_output <: (t_Slice i16 & usize)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+  {
+    _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve;
+    _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve;
+    f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_repr_post
+    =
+    (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) ->
+        true);
+    f_repr
+    =
+    fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+      Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x
+  }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations
+Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+  {
+    _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve;
+    _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve;
+    _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve;
+    f_ZERO_pre = (fun (_: Prims.unit) -> true);
+    f_ZERO_post
+    =
+    (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        impl.f_repr out == Seq.create 16 0s);
+    f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Neon.Vector_type.v_ZERO ());
+    f_from_i16_array_pre
+    =
+    (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16);
+    f_from_i16_array_post
+    =
+    (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        impl.f_repr out == array);
+    f_from_i16_array
+    =
+    (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Neon.Vector_type.from_i16_array array);
+    f_to_i16_array_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_to_i16_array_post
+    =
+    (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) ->
+        out == impl.f_repr x);
+    f_to_i16_array
+    =
+    (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x);
+    f_add_pre
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_add_post
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_add
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        Libcrux_ml_kem.Vector.Neon.Arithmetic.add lhs rhs);
+    f_sub_pre
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_sub_post
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_sub
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        Libcrux_ml_kem.Vector.Neon.Arithmetic.sub lhs rhs);
+    f_multiply_by_constant_pre
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) -> true);
+    f_multiply_by_constant_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (c: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_multiply_by_constant
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) ->
+        Libcrux_ml_kem.Vector.Neon.Arithmetic.multiply_by_constant v c);
+    f_bitwise_and_with_constant_pre
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) -> true);
+    f_bitwise_and_with_constant_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (c: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_bitwise_and_with_constant
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) ->
+        Libcrux_ml_kem.Vector.Neon.Arithmetic.bitwise_and_with_constant v c);
+    f_shift_right_pre
+    =
+    (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_shift_right_post
+    =
+    (fun
+        (v_SHIFT_BY: i32)
+        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_shift_right
+    =
+    (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Arithmetic.shift_right v_SHIFT_BY v);
+    f_cond_subtract_3329_pre
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_cond_subtract_3329_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_cond_subtract_3329_
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Arithmetic.cond_subtract_3329_ v);
+    f_barrett_reduce_pre = (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_barrett_reduce_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_barrett_reduce
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Arithmetic.barrett_reduce v);
+    f_montgomery_multiply_by_constant_pre
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) -> true);
+    f_montgomery_multiply_by_constant_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (c: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_montgomery_multiply_by_constant
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) ->
+        Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_by_constant v c);
+    f_compress_1_pre = (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_compress_1_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_compress_1_
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Compress.compress_1_ v);
+    f_compress_pre
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        true);
+    f_compress_post
+    =
+    (fun
+        (v_COEFFICIENT_BITS: i32)
+        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_compress
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Compress.compress v_COEFFICIENT_BITS v);
+    f_decompress_ciphertext_coefficient_pre
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        true);
+    f_decompress_ciphertext_coefficient_post
+    =
+    (fun
+        (v_COEFFICIENT_BITS: i32)
+        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_decompress_ciphertext_coefficient
+    =
+    (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Compress.decompress_ciphertext_coefficient v_COEFFICIENT_BITS v);
+    f_ntt_layer_1_step_pre
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (zeta4: i16)
+        ->
+        true);
+    f_ntt_layer_1_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (zeta4: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_ntt_layer_1_step
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (zeta4: i16)
+        ->
+        Libcrux_ml_kem.Vector.Neon.Ntt.ntt_layer_1_step a zeta1 zeta2 zeta3 zeta4);
+    f_ntt_layer_2_step_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1: i16) (zeta2: i16) ->
+        true);
+    f_ntt_layer_2_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_ntt_layer_2_step
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1: i16) (zeta2: i16) ->
+        Libcrux_ml_kem.Vector.Neon.Ntt.ntt_layer_2_step a zeta1 zeta2);
+    f_ntt_layer_3_step_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) -> true);
+    f_ntt_layer_3_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_ntt_layer_3_step
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) ->
+        Libcrux_ml_kem.Vector.Neon.Ntt.ntt_layer_3_step a zeta);
+    f_inv_ntt_layer_1_step_pre
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (zeta4: i16)
+        ->
+        true);
+    f_inv_ntt_layer_1_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (zeta4: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_inv_ntt_layer_1_step
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (zeta4: i16)
+        ->
+        Libcrux_ml_kem.Vector.Neon.Ntt.inv_ntt_layer_1_step a zeta1 zeta2 zeta3 zeta4);
+    f_inv_ntt_layer_2_step_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1: i16) (zeta2: i16) ->
+        true);
+    f_inv_ntt_layer_2_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_inv_ntt_layer_2_step
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1: i16) (zeta2: i16) ->
+        Libcrux_ml_kem.Vector.Neon.Ntt.inv_ntt_layer_2_step a zeta1 zeta2);
+    f_inv_ntt_layer_3_step_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) -> true);
+    f_inv_ntt_layer_3_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_inv_ntt_layer_3_step
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) ->
+        Libcrux_ml_kem.Vector.Neon.Ntt.inv_ntt_layer_3_step a zeta);
+    f_ntt_multiply_pre
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (zeta4: i16)
+        ->
+        true);
+    f_ntt_multiply_post
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (zeta4: i16)
+        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        ->
+        true);
+    f_ntt_multiply
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (zeta4: i16)
+        ->
+        Libcrux_ml_kem.Vector.Neon.Ntt.ntt_multiply lhs rhs zeta1 zeta2 zeta3 zeta4);
+    f_serialize_1_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_serialize_1_post
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 2)) ->
+        true);
+    f_serialize_1_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_1_ a);
+    f_deserialize_1_pre = (fun (a: t_Slice u8) -> true);
+    f_deserialize_1_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_deserialize_1_
+    =
+    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_1_ a);
+    f_serialize_4_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_serialize_4_post
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 8)) ->
+        true);
+    f_serialize_4_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_4_ a);
+    f_deserialize_4_pre = (fun (a: t_Slice u8) -> true);
+    f_deserialize_4_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_deserialize_4_
+    =
+    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_4_ a);
+    f_serialize_5_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_serialize_5_post
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 10)) ->
+        true);
+    f_serialize_5_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_5_ a);
+    f_deserialize_5_pre = (fun (a: t_Slice u8) -> true);
+    f_deserialize_5_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_deserialize_5_
+    =
+    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_5_ a);
+    f_serialize_10_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_serialize_10_post
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 20)) ->
+        true);
+    f_serialize_10_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_10_ a);
+    f_deserialize_10_pre = (fun (a: t_Slice u8) -> true);
+    f_deserialize_10_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_deserialize_10_
+    =
+    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_10_ a);
+    f_serialize_11_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_serialize_11_post
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 22)) ->
+        true);
+    f_serialize_11_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_11_ a);
+    f_deserialize_11_pre = (fun (a: t_Slice u8) -> true);
+    f_deserialize_11_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_deserialize_11_
+    =
+    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_11_ a);
+    f_serialize_12_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_serialize_12_post
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 24)) ->
+        true);
+    f_serialize_12_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_12_ a);
+    f_deserialize_12_pre = (fun (a: t_Slice u8) -> true);
+    f_deserialize_12_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+    f_deserialize_12_
+    =
+    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_12_ a);
+    f_rej_sample_pre = (fun (a: t_Slice u8) (out: t_Slice i16) -> true);
+    f_rej_sample_post
+    =
+    (fun (a: t_Slice u8) (out: t_Slice i16) (out2: (t_Slice i16 & usize)) -> true);
+    f_rej_sample
+    =
+    fun (a: t_Slice u8) (out: t_Slice i16) ->
+      let tmp0, out1:(t_Slice i16 & usize) = rej_sample a out in
+      let out:t_Slice i16 = tmp0 in
+      let hax_temp_output:usize = out1 in
+      out, hax_temp_output <: (t_Slice i16 & usize)
+  }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti
index b68a453af..a9ba571dd 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Neon
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -7,477 +7,15 @@ let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
   let open Libcrux_ml_kem.Vector.Neon.Vector_type in
+  let open Libcrux_ml_kem.Vector.Traits in
   ()
 
 val rej_sample (a: t_Slice u8) (result: t_Slice i16)
     : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True)
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl: Libcrux_ml_kem.Vector.Traits.t_Operations
-Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
-  {
-    _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve;
-    _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve;
-    f_ZERO_pre = (fun (_: Prims.unit) -> true);
-    f_ZERO_post
-    =
-    (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Neon.Vector_type.v_ZERO ());
-    f_from_i16_array_pre = (fun (array: t_Slice i16) -> true);
-    f_from_i16_array_post
-    =
-    (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_from_i16_array
-    =
-    (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Neon.Vector_type.from_i16_array array);
-    f_to_i16_array_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_to_i16_array_post
-    =
-    (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) ->
-        true);
-    f_to_i16_array
-    =
-    (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x);
-    f_add_pre
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_add_post
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_add
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        Libcrux_ml_kem.Vector.Neon.Arithmetic.add lhs rhs);
-    f_sub_pre
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_sub_post
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_sub
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        Libcrux_ml_kem.Vector.Neon.Arithmetic.sub lhs rhs);
-    f_multiply_by_constant_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) -> true);
-    f_multiply_by_constant_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (c: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_multiply_by_constant
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) ->
-        Libcrux_ml_kem.Vector.Neon.Arithmetic.multiply_by_constant v c);
-    f_bitwise_and_with_constant_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) -> true);
-    f_bitwise_and_with_constant_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (c: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_bitwise_and_with_constant
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) ->
-        Libcrux_ml_kem.Vector.Neon.Arithmetic.bitwise_and_with_constant v c);
-    f_shift_right_pre
-    =
-    (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_shift_right_post
-    =
-    (fun
-        (v_SHIFT_BY: i32)
-        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_shift_right
-    =
-    (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Arithmetic.shift_right v_SHIFT_BY v);
-    f_cond_subtract_3329_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_cond_subtract_3329_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_cond_subtract_3329_
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Arithmetic.cond_subtract_3329_ v);
-    f_barrett_reduce_pre = (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_barrett_reduce_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_barrett_reduce
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Arithmetic.barrett_reduce v);
-    f_montgomery_multiply_by_constant_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) -> true);
-    f_montgomery_multiply_by_constant_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (c: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_montgomery_multiply_by_constant
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) ->
-        Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_by_constant v c);
-    f_compress_1_pre = (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_compress_1_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_compress_1_
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Compress.compress_1_ v);
-    f_compress_pre
-    =
-    (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        true);
-    f_compress_post
-    =
-    (fun
-        (v_COEFFICIENT_BITS: i32)
-        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_compress
-    =
-    (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Compress.compress v_COEFFICIENT_BITS v);
-    f_decompress_ciphertext_coefficient_pre
-    =
-    (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        true);
-    f_decompress_ciphertext_coefficient_post
-    =
-    (fun
-        (v_COEFFICIENT_BITS: i32)
-        (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_decompress_ciphertext_coefficient
-    =
-    (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Compress.decompress_ciphertext_coefficient v_COEFFICIENT_BITS v);
-    f_ntt_layer_1_step_pre
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (zeta4: i16)
-        ->
-        true);
-    f_ntt_layer_1_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (zeta4: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_ntt_layer_1_step
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (zeta4: i16)
-        ->
-        Libcrux_ml_kem.Vector.Neon.Ntt.ntt_layer_1_step a zeta1 zeta2 zeta3 zeta4);
-    f_ntt_layer_2_step_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1: i16) (zeta2: i16) ->
-        true);
-    f_ntt_layer_2_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_ntt_layer_2_step
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1: i16) (zeta2: i16) ->
-        Libcrux_ml_kem.Vector.Neon.Ntt.ntt_layer_2_step a zeta1 zeta2);
-    f_ntt_layer_3_step_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) -> true);
-    f_ntt_layer_3_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_ntt_layer_3_step
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) ->
-        Libcrux_ml_kem.Vector.Neon.Ntt.ntt_layer_3_step a zeta);
-    f_inv_ntt_layer_1_step_pre
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (zeta4: i16)
-        ->
-        true);
-    f_inv_ntt_layer_1_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (zeta4: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_inv_ntt_layer_1_step
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (zeta4: i16)
-        ->
-        Libcrux_ml_kem.Vector.Neon.Ntt.inv_ntt_layer_1_step a zeta1 zeta2 zeta3 zeta4);
-    f_inv_ntt_layer_2_step_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1: i16) (zeta2: i16) ->
-        true);
-    f_inv_ntt_layer_2_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_inv_ntt_layer_2_step
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1: i16) (zeta2: i16) ->
-        Libcrux_ml_kem.Vector.Neon.Ntt.inv_ntt_layer_2_step a zeta1 zeta2);
-    f_inv_ntt_layer_3_step_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) -> true);
-    f_inv_ntt_layer_3_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_inv_ntt_layer_3_step
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) ->
-        Libcrux_ml_kem.Vector.Neon.Ntt.inv_ntt_layer_3_step a zeta);
-    f_ntt_multiply_pre
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (zeta4: i16)
-        ->
-        true);
-    f_ntt_multiply_post
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (zeta4: i16)
-        (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        ->
-        true);
-    f_ntt_multiply
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (zeta4: i16)
-        ->
-        Libcrux_ml_kem.Vector.Neon.Ntt.ntt_multiply lhs rhs zeta1 zeta2 zeta3 zeta4);
-    f_serialize_1_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_serialize_1_post
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 2)) ->
-        true);
-    f_serialize_1_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_1_ a);
-    f_deserialize_1_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_1_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_deserialize_1_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_1_ a);
-    f_serialize_4_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_serialize_4_post
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 8)) ->
-        true);
-    f_serialize_4_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_4_ a);
-    f_deserialize_4_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_4_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_deserialize_4_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_4_ a);
-    f_serialize_5_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_serialize_5_post
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 10)) ->
-        true);
-    f_serialize_5_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_5_ a);
-    f_deserialize_5_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_5_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_deserialize_5_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_5_ a);
-    f_serialize_10_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_serialize_10_post
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 20)) ->
-        true);
-    f_serialize_10_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_10_ a);
-    f_deserialize_10_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_10_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_deserialize_10_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_10_ a);
-    f_serialize_11_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_serialize_11_post
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 22)) ->
-        true);
-    f_serialize_11_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_11_ a);
-    f_deserialize_11_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_11_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_deserialize_11_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_11_ a);
-    f_serialize_12_pre = (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_serialize_12_post
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array u8 (sz 24)) ->
-        true);
-    f_serialize_12_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
-        Libcrux_ml_kem.Vector.Neon.Serialize.serialize_12_ a);
-    f_deserialize_12_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_12_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
-    f_deserialize_12_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Neon.Serialize.deserialize_12_ a);
-    f_rej_sample_pre = (fun (a: t_Slice u8) (out: t_Slice i16) -> true);
-    f_rej_sample_post
-    =
-    (fun (a: t_Slice u8) (out: t_Slice i16) (out2: (t_Slice i16 & usize)) -> true);
-    f_rej_sample
-    =
-    fun (a: t_Slice u8) (out: t_Slice i16) ->
-      let tmp0, out1:(t_Slice i16 & usize) = rej_sample a out in
-      let out:t_Slice i16 = tmp0 in
-      let hax_temp_output:usize = out1 in
-      out, hax_temp_output <: (t_Slice i16 & usize)
-  }
+val impl:Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Libcrux_ml_kem.Vector.Traits.t_Operations
+Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
index 3eb5abd35..46f0a37be 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
@@ -1,9 +1,34 @@
 module Libcrux_ml_kem.Vector.Portable.Arithmetic
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
-let get_n_least_significant_bits (n: u8) (value: u32) = value &. ((1ul <<! n <: u32) -! 1ul <: u32)
+#push-options "--z3rlimit 150 --split_queries always"
+
+let get_n_least_significant_bits (n: u8) (value: u32) =
+  let res:u32 = value &. ((1ul <<! n <: u32) -! 1ul <: u32) in
+  let _:Prims.unit =
+    calc ( == ) {
+      v res;
+      ( == ) { () }
+      v (logand value ((1ul <<! n) -! 1ul));
+      ( == ) { mk_int_equiv_lemma #u32_inttype 1 }
+      v (logand value (((mk_int 1) <<! n) -! (mk_int 1)));
+      ( == ) { () }
+      v (logand value (mk_int ((1 * pow2 (v n)) % pow2 32) -! (mk_int 1)));
+      ( == ) { (Math.Lemmas.small_mod (pow2 (v n)) (pow2 32);
+        Math.Lemmas.pow2_lt_compat 32 (v n)) }
+      v (logand value ((mk_int (pow2 (v n))) -! (mk_int 1)));
+      ( == ) { (Math.Lemmas.pow2_lt_compat 32 (v n);
+        logand_mask_lemma value (v n)) }
+      v value % (pow2 (v n));
+    }
+  in
+  res
+
+#pop-options
+
+#push-options "--z3rlimit 150 --ext context_pruning"
 
 let barrett_reduce_element (value: i16) =
   let t:i32 =
@@ -11,10 +36,36 @@ let barrett_reduce_element (value: i16) =
       v_BARRETT_MULTIPLIER
       <:
       i32) +!
-    (v_BARRETT_R >>! 1l <: i32)
+    (Libcrux_ml_kem.Vector.Traits.v_BARRETT_R >>! 1l <: i32)
+  in
+  let _:Prims.unit =
+    assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2 * 3329));
+    assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25)
+  in
+  let _:Prims.unit = assert (v t / pow2 26 < 9) in
+  let _:Prims.unit = assert (v t / pow2 26 > - 9) in
+  let quotient:i16 = cast (t >>! Libcrux_ml_kem.Vector.Traits.v_BARRETT_SHIFT <: i32) <: i16 in
+  let _:Prims.unit = assert (v quotient = v t / pow2 26) in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b 9 quotient) in
+  let result:i16 = value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) in
+  let _:Prims.unit =
+    calc ( == ) {
+      v result % 3329;
+      ( == ) { () }
+      (v value - (v quotient * 3329)) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329 }
+      (v value - (v quotient * 3329) % 3329) % 3329;
+      ( == ) { Math.Lemmas.cancel_mul_mod (v quotient) 3329 }
+      (v value - 0) % 3329;
+      ( == ) { () }
+      (v value) % 3329;
+    }
   in
-  let quotient:i16 = cast (t >>! v_BARRETT_SHIFT <: i32) <: i16 in
-  value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16)
+  result
+
+#pop-options
+
+#push-options "--z3rlimit 500 --split_queries always"
 
 let montgomery_reduce_element (value: i32) =
   let _:i32 = v_MONTGOMERY_R in
@@ -22,181 +73,324 @@ let montgomery_reduce_element (value: i32) =
     (cast (cast (value <: i32) <: i16) <: i32) *!
     (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32)
   in
+  let _:Prims.unit =
+    assert (v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16);
+    assert (v k == (v value @% pow2 16) * 62209);
+    assert (v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16);
+    assert (v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15);
+    assert (v (cast (cast (k <: i32) <: i16) <: i32) >= - pow2 15);
+    assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329)
+  in
   let k_times_modulus:i32 =
     (cast (cast (k <: i32) <: i16) <: i32) *!
     (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32)
   in
+  let _:Prims.unit =
+    Spec.Utils.lemma_mul_i16b (pow2 15)
+      (3329)
+      (cast (k <: i32) <: i16)
+      Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS;
+    assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus)
+  in
   let c:i16 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in
+  let _:Prims.unit =
+    assert (v k_times_modulus < pow2 31);
+    assert (v k_times_modulus / pow2 16 < pow2 15);
+    assert (v c == (v k_times_modulus / pow2 16) @% pow2 16);
+    assert (v c == v k_times_modulus / pow2 16);
+    assert (Spec.Utils.is_i16b 1665 c)
+  in
   let value_high:i16 = cast (value >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in
-  value_high -! c
+  let _:Prims.unit =
+    assert (v value < pow2 31);
+    assert (v value / pow2 16 < pow2 15);
+    assert (v value_high == (v value / pow2 16) @% pow2 16);
+    Spec.Utils.lemma_div_at_percent (v value) (pow2 16);
+    assert (v value_high == (v value / pow2 16));
+    assert (Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high);
+    assert (Spec.Utils.is_i16b 3328 value_high)
+  in
+  let res:i16 = value_high -! c in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b (3328 + 1665) res) in
+  let _:Prims.unit =
+    assert (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res)
+  in
+  let _:Prims.unit =
+    calc ( == ) {
+      v k_times_modulus % pow2 16;
+      ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) }
+      ((v k @% pow2 16) * 3329) % pow2 16;
+      ( == ) { assert (v k = (v value @% pow2 16) * 62209) }
+      ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16;
+      ( == ) { Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329)
+        (pow2 16)
+        3329 }
+      ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) }
+      ((((v value @% pow2 16) * 62209) * 3329) % pow2 16);
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) }
+      ((v value @% pow2 16) % pow2 16);
+      ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 }
+      (v value) % pow2 16;
+    };
+    Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus);
+    assert ((v value - v k_times_modulus) % pow2 16 == 0)
+  in
+  let _:Prims.unit =
+    calc ( == ) {
+      v res % 3329;
+      ( == ) { assert (v res == v value_high - v c) }
+      (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329;
+      ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) }
+      ((v value - v k_times_modulus) / pow2 16) % 3329;
+      ( == ) { assert ((pow2 16 * 169) % 3329 == 1) }
+      (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16)
+        (pow2 16 * 169)
+        3329 }
+      (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) }
+      ((v value - v k_times_modulus) * 169) % 3329;
+      ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) }
+      ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169) }
+      (v value * 169) % 3329;
+    }
+  in
+  res
+
+#pop-options
+
+#push-options "--z3rlimit 300"
 
 let montgomery_multiply_fe_by_fer (fe fer: i16) =
-  montgomery_reduce_element ((cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) <: i32)
+  let _:Prims.unit = Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer in
+  let product:i32 = (cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) in
+  montgomery_reduce_element product
+
+#pop-options
+
+#push-options "--z3rlimit 150"
 
 let add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
   let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun lhs temp_1_ ->
+      (fun lhs i ->
           let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
-          let _:usize = temp_1_ in
-          true)
+          let i:usize = i in
+          (forall j.
+              j < v i ==>
+              (Seq.index lhs.f_elements j) ==
+              (Seq.index v__lhs0.f_elements j) +! (Seq.index rhs.f_elements j)) /\
+          (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j)))
       lhs
       (fun lhs i ->
           let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
           let i:usize = i in
-          {
-            lhs with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +!
-                (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
-                <:
-                i16)
+          let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+            {
+              lhs with
+              Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
+                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+                i
+                ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +!
+                  (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
+                  <:
+                  i16)
+            }
             <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+          in
+          lhs)
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          v (Seq.index lhs.f_elements i) ==
+          v (Seq.index v__lhs0.f_elements i) + v (Seq.index rhs.f_elements i))
   in
   lhs
 
-let barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+#pop-options
+
+#push-options "--z3rlimit 150"
+
+let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun v temp_1_ ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
-          let _:usize = temp_1_ in
-          true)
-      v
-      (fun v i ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
           let i:usize = i in
-          {
-            v with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              (barrett_reduce_element (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
-                    <:
-                    i16)
+          (forall j.
+              j < v i ==>
+              (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j) /\
+                v (Seq.index vec.f_elements j) % 3329 == (v (Seq.index v__vec0.f_elements j) % 3329)
+              )) /\
+          (forall j.
+              j >= v i ==>
+              (Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j /\
+                Spec.Utils.is_i16b 28296 (Seq.index vec.f_elements j))))
+      vec
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+          let i:usize = i in
+          let vi:i16 =
+            barrett_reduce_element (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
                 <:
                 i16)
+          in
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+            {
+              vec with
+              Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
+                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+                i
+                vi
+            }
             <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+          in
+          let _:Prims.unit =
+            assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1);
+            assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j));
+            assert (Spec.Utils.is_i16b 3328 vi);
+            assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i)));
+            assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))
+          in
+          vec)
   in
-  v
+  vec
+
+#pop-options
 
 let bitwise_and_with_constant
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (c: i16)
      =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun v temp_1_ ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
-          let _:usize = temp_1_ in
-          true)
-      v
-      (fun v i ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
           let i:usize = i in
-          {
-            v with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) &. c <: i16)
+          (forall j. j < v i ==> Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j &. c)
+          ) /\ (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)
+      )
+      vec
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+          let i:usize = i in
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+            {
+              vec with
+              Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
+                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+                i
+                ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) &. c
+                  <:
+                  i16)
+            }
             <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+          in
+          vec)
+  in
+  let _:Prims.unit =
+    Seq.lemma_eq_intro vec.f_elements (Spec.Utils.map_array (fun x -> x &. c) v__vec0.f_elements)
   in
-  v
+  vec
 
-let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+#push-options "--z3rlimit 300"
+
+let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun v temp_1_ ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
-          let _:usize = temp_1_ in
-          true)
-      v
-      (fun v i ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
           let i:usize = i in
-          let _:Prims.unit =
-            if true
-            then
-              let _:Prims.unit =
-                Hax_lib.v_assert (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
-                        <:
-                        i16) >=.
-                      0s
-                      <:
-                      bool) &&
-                    ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <. 4096s
-                      <:
-                      bool))
-              in
-              ()
-          in
-          if (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s
+          (forall j.
+              j < v i ==>
+              Seq.index vec.f_elements j ==
+              (let x = Seq.index v__vec0.f_elements j in
+                if x >=. 3329s then x -! 3329s else x)) /\
+          (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j))
+      vec
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+          let i:usize = i in
+          if
+            (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s
+            <:
+            bool
           then
             {
-              v with
+              vec with
               Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
               =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
                   .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
                 i
-                ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s
+                ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s
                   <:
                   i16)
+              <:
+              t_Array i16 (sz 16)
             }
             <:
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-          else v)
+          else vec)
   in
-  v
+  let _:Prims.unit =
+    Seq.lemma_eq_intro vec.f_elements
+      (Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) v__vec0.f_elements)
+  in
+  vec
+
+#pop-options
+
+#push-options "--z3rlimit 150"
 
 let montgomery_multiply_by_constant
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (c: i16)
      =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun v temp_1_ ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
-          let _:usize = temp_1_ in
-          true)
-      v
-      (fun v i ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+          let i:usize = i in
+          (forall j.
+              j < v i ==>
+              (let vecj = Seq.index vec.f_elements j in
+                (Spec.Utils.is_i16b 3328 vecj /\
+                  v vecj % 3329 == (v (Seq.index v__vec0.f_elements j) * v c * 169) % 3329))) /\
+          (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j)))
+      vec
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
           let i:usize = i in
           {
-            v with
+            vec with
             Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
             =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
                 .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
               i
-              (montgomery_multiply_fe_by_fer (v
+              (montgomery_multiply_fe_by_fer (vec
                       .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
                     <:
                     i16)
@@ -209,93 +403,125 @@ let montgomery_multiply_by_constant
           <:
           Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
   in
-  v
+  vec
+
+#pop-options
 
-let multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) =
+  let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun v temp_1_ ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
-          let _:usize = temp_1_ in
-          true)
-      v
-      (fun v i ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
           let i:usize = i in
-          {
-            v with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c <: i16)
+          (forall j.
+              j < v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j) *! c) /\
+          (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j)))
+      vec
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+          let i:usize = i in
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+            {
+              vec with
+              Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
+                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+                i
+                ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c
+                  <:
+                  i16)
+            }
             <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+          in
+          vec)
+  in
+  let _:Prims.unit =
+    assert (forall i. v (Seq.index vec.f_elements i) == v (Seq.index v__vec0.f_elements i) * v c)
   in
-  v
+  vec
 
-let shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun v temp_1_ ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
-          let _:usize = temp_1_ in
-          true)
-      v
-      (fun v i ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
           let i:usize = i in
-          {
-            v with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! v_SHIFT_BY
-                <:
-                i16)
+          (forall j.
+              j < v i ==>
+              Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j >>! v_SHIFT_BY)) /\
+          (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j))
+      vec
+      (fun vec i ->
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+          let i:usize = i in
+          let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+            {
+              vec with
+              Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
+                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+                i
+                ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>!
+                  v_SHIFT_BY
+                  <:
+                  i16)
+            }
             <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+          in
+          vec)
+  in
+  let _:Prims.unit =
+    Seq.lemma_eq_intro vec.f_elements
+      (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) v__vec0.f_elements)
   in
-  v
+  vec
 
 let sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
   let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun lhs temp_1_ ->
+      (fun lhs i ->
           let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
-          let _:usize = temp_1_ in
-          true)
+          let i:usize = i in
+          (forall j.
+              j < v i ==>
+              (Seq.index lhs.f_elements j) ==
+              (Seq.index v__lhs0.f_elements j) -! (Seq.index rhs.f_elements j)) /\
+          (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j)))
       lhs
       (fun lhs i ->
           let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
           let i:usize = i in
-          {
-            lhs with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -!
-                (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
-                <:
-                i16)
+          let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+            {
+              lhs with
+              Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
+                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+                i
+                ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -!
+                  (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
+                  <:
+                  i16)
+            }
             <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+          in
+          lhs)
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          v (Seq.index lhs.f_elements i) ==
+          v (Seq.index v__lhs0.f_elements i) - v (Seq.index rhs.f_elements i))
   in
   lhs
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti
index 860b97328..e072f08d9 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti
@@ -1,30 +1,22 @@
 module Libcrux_ml_kem.Vector.Portable.Arithmetic
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 /// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋
 let v_BARRETT_MULTIPLIER: i32 = 20159l
 
-let v_BARRETT_SHIFT: i32 = 26l
-
-let v_BARRETT_R: i32 = 1l <<! v_BARRETT_SHIFT
-
 let v_MONTGOMERY_SHIFT: u8 = 16uy
 
 let v_MONTGOMERY_R: i32 = 1l <<! v_MONTGOMERY_SHIFT
 
 val get_n_least_significant_bits (n: u8) (value: u32)
     : Prims.Pure u32
-      (requires n =. 4uy || n =. 5uy || n =. 10uy || n =. 11uy || n =. v_MONTGOMERY_SHIFT)
+      (requires n <=. 16uy)
       (ensures
         fun result ->
           let result:u32 = result in
-          result <.
-          (Core.Num.impl__u32__pow 2ul
-              (Core.Convert.f_into #u8 #u32 #FStar.Tactics.Typeclasses.solve n <: u32)
-            <:
-            u32))
+          v result == v value % pow2 (v n))
 
 /// Signed Barrett Reduction
 /// Given an input `value`, `barrett_reduce` outputs a representative `result`
@@ -32,102 +24,139 @@ val get_n_least_significant_bits (n: u8) (value: u32)
 /// - result ≡ value (mod FIELD_MODULUS)
 /// - the absolute value of `result` is bound as follows:
 /// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1)
-/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`.
+/// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS
 val barrett_reduce_element (value: i16)
     : Prims.Pure i16
-      (requires
-        (Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) >.
-        (Core.Ops.Arith.Neg.neg v_BARRETT_R <: i32) &&
-        (Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) <. v_BARRETT_R
-      )
+      (requires Spec.Utils.is_i16b 28296 value)
       (ensures
         fun result ->
           let result:i16 = result in
-          result >. (Core.Ops.Arith.Neg.neg Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) &&
-          result <. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)
+          Spec.Utils.is_i16b 3328 result /\ v result % 3329 == v value % 3329)
 
 /// Signed Montgomery Reduction
 /// Given an input `value`, `montgomery_reduce` outputs a representative `o`
 /// such that:
 /// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS)
 /// - the absolute value of `o` is bound as follows:
-/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2)
-/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`.
+/// `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665
+/// In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS-1`.
+/// And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS + 1664
 val montgomery_reduce_element (value: i32)
     : Prims.Pure i16
-      (requires
-        value >=.
-        ((Core.Ops.Arith.Neg.neg (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32)
-            <:
-            i32) *!
-          v_MONTGOMERY_R
-          <:
-          i32) &&
-        value <=.
-        ((cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) *! v_MONTGOMERY_R
-          <:
-          i32))
+      (requires Spec.Utils.is_i32b (3328 * pow2 16) value)
       (ensures
         fun result ->
           let result:i16 = result in
-          result >=.
-          ((Core.Ops.Arith.Neg.neg (3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16)
-              <:
-              i16) /!
-            2s
-            <:
-            i16) &&
-          result <=. ((3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) /! 2s <: i16))
+          Spec.Utils.is_i16b (3328 + 1665) result /\
+          (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 result) /\
+          v result % 3329 == (v value * 169) % 3329)
 
-/// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to
+/// If `fe` is some field element \'x\' of the Kyber field and `fer` is congruent to
 /// `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to
 /// `x · y`, as follows:
 ///    `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)`
 /// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative
 /// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`.
 val montgomery_multiply_fe_by_fer (fe fer: i16)
-    : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure i16
+      (requires Spec.Utils.is_i16b 1664 fer)
+      (ensures
+        fun result ->
+          let result:i16 = result in
+          Spec.Utils.is_i16b 3328 result /\ v result % 3329 == (v fe * v fer * 169) % 3329)
 
 val add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        forall i.
+          i < 16 ==>
+          Spec.Utils.is_intb (pow2 15 - 1)
+            (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i)))
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          forall i.
+            i < 16 ==>
+            (v (Seq.index result.f_elements i) ==
+              v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i)))
 
-val barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+val barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires Spec.Utils.is_i16b_array 28296 vec.f_elements)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          Spec.Utils.is_i16b_array 3328 result.f_elements /\
+          (forall i.
+              (v (Seq.index result.f_elements i) % 3329) == (v (Seq.index vec.f_elements i) % 3329))
+      )
 
 val bitwise_and_with_constant
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (c: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
       Prims.l_True
-      (fun _ -> Prims.l_True)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          result.f_elements == Spec.Utils.map_array (fun x -> x &. c) (vec.f_elements))
 
-val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+/// Note: This function is not secret independent
+/// Only use with public values.
+val cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires Spec.Utils.is_i16b_array (pow2 12 - 1) vec.f_elements)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          result.f_elements ==
+          Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (vec.f_elements))
 
 val montgomery_multiply_by_constant
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (c: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
-
-val multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16)
+      (requires Spec.Utils.is_i16b 1664 c)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          Spec.Utils.is_i16b_array 3328 result.f_elements /\
+          (forall i.
+              i < 16 ==>
+              (v (Seq.index result.f_elements i) % 3329 ==
+                (v (Seq.index vec.f_elements i) * v c * 169) % 3329)))
+
+val multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c)
+      )
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          forall i.
+            i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c))
 
-val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+val shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==>
+          result.f_elements == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec.f_elements))
 
 val sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        forall i.
+          i < 16 ==>
+          Spec.Utils.is_intb (pow2 15 - 1)
+            (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i)))
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          forall i.
+            i < 16 ==>
+            (v (Seq.index result.f_elements i) ==
+              v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst
index 4a470d7d1..8ccf885b5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst
@@ -1,8 +1,10 @@
 module Libcrux_ml_kem.Vector.Portable.Compress
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+#push-options "--z3rlimit 200 --ext context_pruning"
+
 let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) =
   let compressed:u64 = (cast (fe <: u16) <: u64) <<! coefficient_bits in
   let compressed:u64 = compressed +! 1664uL in
@@ -15,115 +17,264 @@ let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) =
   <:
   i16
 
+#pop-options
+
+#push-options "--z3rlimit 200 --ext context_pruning"
+
 let compress_message_coefficient (fe: u16) =
   let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in
+  let _:Prims.unit = assert (v shifted == 1664 - v fe) in
   let mask:i16 = shifted >>! 15l in
+  let _:Prims.unit =
+    assert (v mask = v shifted / pow2 15);
+    assert (if v shifted < 0 then mask = ones else mask = zero)
+  in
   let shifted_to_positive:i16 = mask ^. shifted in
+  let _:Prims.unit =
+    logxor_lemma shifted mask;
+    assert (v shifted < 0 ==> v shifted_to_positive = v (lognot shifted));
+    neg_equiv_lemma shifted;
+    assert (v (lognot shifted) = - (v shifted) - 1);
+    assert (v shifted >= 0 ==> v shifted_to_positive = v (mask `logxor` shifted));
+    assert (v shifted >= 0 ==> mask = zero);
+    assert (v shifted >= 0 ==> mask ^. shifted = shifted);
+    assert (v shifted >= 0 ==> v shifted_to_positive = v shifted);
+    assert (shifted_to_positive >=. mk_i16 0)
+  in
   let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in
-  cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8
+  let _:Prims.unit =
+    assert (1664 - v fe >= 0 ==> v shifted_positive_in_range == 832 - v fe);
+    assert (1664 - v fe < 0 ==> v shifted_positive_in_range == - 2497 + v fe)
+  in
+  let r0:i16 = shifted_positive_in_range >>! 15l in
+  let (r1: i16):i16 = r0 &. 1s in
+  let res:u8 = cast (r1 <: i16) <: u8 in
+  let _:Prims.unit =
+    assert (v r0 = v shifted_positive_in_range / pow2 15);
+    assert (if v shifted_positive_in_range < 0 then r0 = ones else r0 = zero);
+    logand_lemma (mk_i16 1) r0;
+    assert (if v shifted_positive_in_range < 0 then r1 = mk_i16 1 else r1 = mk_i16 0);
+    assert ((v fe >= 833 && v fe <= 2496) ==> r1 = mk_i16 1);
+    assert (v fe < 833 ==> r1 = mk_i16 0);
+    assert (v fe > 2496 ==> r1 = mk_i16 0);
+    assert (v res = v r1)
+  in
+  res
+
+#pop-options
+
+#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000"
 
 let compress
       (v_COEFFICIENT_BITS: i32)
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
      =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  let _:Prims.unit =
+    assert (v (cast (v_COEFFICIENT_BITS) <: u8) == v v_COEFFICIENT_BITS);
+    assert (v (cast (v_COEFFICIENT_BITS) <: u32) == v v_COEFFICIENT_BITS);
+    assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16) == 3329)
+  in
+  let _:Prims.unit =
+    assert (forall (i: nat).
+          i < 16 ==>
+          (cast (a.f_elements.[ sz i ]) <: u16) <.
+          (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))
+  in
+  let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun v temp_1_ ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
-          let _:usize = temp_1_ in
-          true)
-      v
-      (fun v i ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
+      (fun a i ->
+          let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in
+          let i:usize = i in
+          (v i < 16 ==>
+            (forall (j: nat).
+                (j >= v i /\ j < 16) ==>
+                v (cast (a.f_elements.[ sz j ]) <: u16) <
+                v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\
+          (forall (j: nat).
+              j < v i ==>
+              v (a.f_elements.[ sz j ] <: i16) >= 0 /\
+              v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))))
+      a
+      (fun a i ->
+          let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in
           let i:usize = i in
-          {
-            v with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8)
-                  (cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
-                    <:
-                    u16)
-                <:
-                i16)
+          let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+            {
+              a with
+              Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a
+                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+                i
+                (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8)
+                    (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
+                      <:
+                      u16)
+                  <:
+                  i16)
+            }
             <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+          in
+          let _:Prims.unit =
+            assert (v (a.f_elements.[ i ] <: i16) >= 0 /\
+                v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))
+          in
+          a)
   in
-  v
+  let _:Prims.unit =
+    assert (forall (i: nat).
+          i < 16 ==>
+          v (a.f_elements.[ sz i ] <: i16) >= 0 /\
+          v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS))
+  in
+  a
+
+#pop-options
+
+#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000"
 
-let compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+let compress_message_coefficient_range_helper (fe: u16) : Lemma
+  (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))
+  (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
+    v (cast (compress_message_coefficient fe) <: i16) < 2) =
+  assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
+    v (cast (compress_message_coefficient fe) <: i16) < 2)
+
+let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let _:Prims.unit =
+    assert (forall (i: nat).
+          i < 16 ==>
+          (cast (a.f_elements.[ sz i ]) <: u16) <.
+          (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))
+  in
+  let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun v temp_1_ ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
-          let _:usize = temp_1_ in
-          true)
-      v
-      (fun v i ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
+      (fun a i ->
+          let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in
+          let i:usize = i in
+          (v i < 16 ==>
+            (forall (j: nat).
+                (j >= v i /\ j < 16) ==>
+                v (cast (a.f_elements.[ sz j ]) <: u16) <
+                v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\
+          (forall (j: nat).
+              j < v i ==>
+              v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2))
+      a
+      (fun a i ->
+          let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in
           let i:usize = i in
-          {
-            v with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              (cast (compress_message_coefficient (cast (v
-                              .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
-                            <:
-                            i16)
-                        <:
-                        u16)
-                    <:
-                    u8)
-                <:
-                i16)
+          let _:Prims.unit =
+            compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16)
+          in
+          let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+            {
+              a with
+              Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+              =
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a
+                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+                i
+                (cast (compress_message_coefficient (cast (a
+                                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
+                              <:
+                              i16)
+                          <:
+                          u16)
+                      <:
+                      u8)
+                  <:
+                  i16)
+            }
             <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+            Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+          in
+          let _:Prims.unit =
+            assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2)
+          in
+          a)
+  in
+  let _:Prims.unit =
+    assert (forall (i: nat).
+          i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2)
   in
-  v
+  a
+
+#pop-options
+
+#push-options "--z3rlimit 300 --ext context_pruning"
 
 let decompress_ciphertext_coefficient
       (v_COEFFICIENT_BITS: i32)
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
      =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  let _:Prims.unit =
+    assert_norm (pow2 1 == 2);
+    assert_norm (pow2 4 == 16);
+    assert_norm (pow2 5 == 32);
+    assert_norm (pow2 10 == 1024);
+    assert_norm (pow2 11 == 2048)
+  in
+  let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun v temp_1_ ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
-          let _:usize = temp_1_ in
-          true)
-      v
-      (fun v i ->
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in
+      (fun a i ->
+          let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in
+          let i:usize = i in
+          (v i < 16 ==>
+            (forall (j: nat).
+                (j >= v i /\ j < 16) ==>
+                v (Seq.index a.f_elements j) >= 0 /\
+                v (Seq.index a.f_elements j) < pow2 (v v_COEFFICIENT_BITS))) /\
+          (forall (j: nat).
+              j < v i ==>
+              v (Seq.index a.f_elements j) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS))
+      a
+      (fun a i ->
+          let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in
           let i:usize = i in
+          let _:Prims.unit =
+            assert (v (a.f_elements.[ i ] <: i16) < pow2 11);
+            assert (v (a.f_elements.[ i ] <: i16) == v (cast (a.f_elements.[ i ] <: i16) <: i32));
+            assert (v (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) ==
+                v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32));
+            assert (v ((cast (a.f_elements.[ i ] <: i16) <: i32) *!
+                    (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32)) ==
+                v (cast (a.f_elements.[ i ] <: i16) <: i32) *
+                v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32))
+          in
           let decompressed:i32 =
-            (cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32) *!
+            (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32) *!
             (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32)
           in
+          let _:Prims.unit =
+            assert (v (decompressed <<! mk_i32 1) == v decompressed * 2);
+            assert (v (mk_i32 1 <<! v_COEFFICIENT_BITS) == pow2 (v v_COEFFICIENT_BITS));
+            assert (v ((decompressed <<! mk_i32 1) +! (mk_i32 1 <<! v_COEFFICIENT_BITS)) ==
+                v (decompressed <<! mk_i32 1) + v (mk_i32 1 <<! v_COEFFICIENT_BITS))
+          in
           let decompressed:i32 =
             (decompressed <<! 1l <: i32) +! (1l <<! v_COEFFICIENT_BITS <: i32)
           in
+          let _:Prims.unit =
+            assert (v (v_COEFFICIENT_BITS +! mk_i32 1) == v v_COEFFICIENT_BITS + 1);
+            assert (v (decompressed >>! (v_COEFFICIENT_BITS +! mk_i32 1 <: i32)) ==
+                v decompressed / pow2 (v v_COEFFICIENT_BITS + 1))
+          in
           let decompressed:i32 = decompressed >>! (v_COEFFICIENT_BITS +! 1l <: i32) in
-          let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+          let _:Prims.unit =
+            assert (v decompressed < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS);
+            assert (v (cast decompressed <: i16) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)
+          in
+          let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
             {
-              v with
+              a with
               Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
               =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a
                   .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
                 i
                 (cast (decompressed <: i32) <: i16)
@@ -131,6 +282,8 @@ let decompress_ciphertext_coefficient
             <:
             Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
           in
-          v)
+          a)
   in
-  v
+  a
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti
index 8a078f1b0..32527079f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Portable.Compress
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -36,30 +36,58 @@ val compress_message_coefficient (fe: u16)
       (ensures
         fun result ->
           let result:u8 = result in
-          Hax_lib.implies ((833us <=. fe <: bool) && (fe <=. 2596us <: bool))
+          Hax_lib.implies ((833us <=. fe <: bool) && (fe <=. 2496us <: bool))
             (fun temp_0_ ->
                 let _:Prims.unit = temp_0_ in
                 result =. 1uy <: bool) &&
-          Hax_lib.implies (~.((833us <=. fe <: bool) && (fe <=. 2596us <: bool)) <: bool)
+          Hax_lib.implies (~.((833us <=. fe <: bool) && (fe <=. 2496us <: bool)) <: bool)
             (fun temp_0_ ->
                 let _:Prims.unit = temp_0_ in
                 result =. 0uy <: bool))
 
 val compress
       (v_COEFFICIENT_BITS: i32)
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) /\
+        (forall (i: nat).
+            i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329))
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          forall (i: nat).
+            i < 16 ==>
+            v (result.f_elements.[ sz i ] <: i16) >= 0 /\
+            v (result.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS))
 
-val compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        forall (i: nat).
+          i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          forall (i: nat).
+            i < 16 ==>
+            v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2)
 
 val decompress_ciphertext_coefficient
       (v_COEFFICIENT_BITS: i32)
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) /\
+        (forall (i: nat).
+            i < 16 ==>
+            v (Seq.index a.f_elements i) >= 0 /\
+            v (Seq.index a.f_elements i) < pow2 (v v_COEFFICIENT_BITS)))
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          forall (i: nat).
+            i < 16 ==>
+            v (Seq.index result.f_elements i) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst
index 99ab0e5b0..72a8bfad1 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst
@@ -1,199 +1,289 @@
 module Libcrux_ml_kem.Vector.Portable.Ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 let inv_ntt_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta: i16)
       (i j: usize)
      =
   let a_minus_b:i16 =
-    (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) -!
-    (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
+    (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) -!
+    (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  let a_plus_b:i16 =
+    (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) +!
+    (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
+  in
+  let _:Prims.unit =
+    assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i)));
+    assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i)))
+  in
+  let o0:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element a_plus_b in
+  let o1:i16 =
+    Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta
+  in
+  let _:Prims.unit =
+    calc ( == ) {
+      v o0 % 3329;
+      ( == ) { () }
+      v a_plus_b % 3329;
+      ( == ) { () }
+      (v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) % 3329;
+    };
+    calc ( == ) {
+      v o1 % 3329;
+      ( == ) { () }
+      (v a_minus_b * v zeta * 169) % 3329;
+      ( == ) { () }
+      ((v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))) * v zeta * 169) %
+      3329;
+    }
+  in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     {
-      v with
+      vec with
       Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
       =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
           .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
         i
-        (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v
-                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
-                <:
-                i16) +!
-              (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16)
-              <:
-              i16)
-          <:
-          i16)
+        o0
     }
     <:
     Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     {
-      v with
+      vec with
       Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
       =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
           .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
         j
-        (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta
-          <:
-          i16)
+        o1
     }
     <:
     Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
   in
-  v
+  let _:Prims.unit =
+    assert (Seq.index vec.f_elements (v i) == o0);
+    assert (Seq.index vec.f_elements (v j) == o1)
+  in
+  vec
+
+#push-options "--z3rlimit 200"
 
 let inv_ntt_layer_1_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1 zeta2 zeta3: i16)
      =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta0 (sz 0) (sz 2)
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta0 (sz 1) (sz 3)
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta1 (sz 4) (sz 6)
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta1 (sz 5) (sz 7)
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta2 (sz 8) (sz 10)
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta2 (sz 9) (sz 11)
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta3 (sz 12) (sz 14)
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta3 (sz 13) (sz 15)
-  in
-  v
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta0 (sz 0) (sz 2)
+  in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta0 (sz 1) (sz 3)
+  in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta1 (sz 4) (sz 6)
+  in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta1 (sz 5) (sz 7)
+  in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta2 (sz 8) (sz 10)
+  in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta2 (sz 9) (sz 11)
+  in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta3 (sz 12) (sz 14)
+  in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta3 (sz 13) (sz 15)
+  in
+  let _:Prims.unit =
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 13));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 15));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 12));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 14));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 9));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 11));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 8));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 10));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 5));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 7));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 4));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 6));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 1));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 3));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 0));
+    assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 2));
+    assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements i))
+  in
+  vec
+
+#pop-options
+
+#push-options "--z3rlimit 100"
 
 let inv_ntt_layer_2_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1: i16)
      =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta0 (sz 0) (sz 4)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta0 (sz 0) (sz 4)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta0 (sz 1) (sz 5)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta0 (sz 1) (sz 5)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta0 (sz 2) (sz 6)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta0 (sz 2) (sz 6)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta0 (sz 3) (sz 7)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta0 (sz 3) (sz 7)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta1 (sz 8) (sz 12)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta1 (sz 8) (sz 12)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta1 (sz 9) (sz 13)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta1 (sz 9) (sz 13)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta1 (sz 10) (sz 14)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta1 (sz 10) (sz 14)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta1 (sz 11) (sz 15)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta1 (sz 11) (sz 15)
   in
-  v
+  vec
+
+#pop-options
+
+#push-options "--z3rlimit 100"
 
 let inv_ntt_layer_3_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta: i16)
      =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta (sz 0) (sz 8)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta (sz 0) (sz 8)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta (sz 1) (sz 9)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta (sz 1) (sz 9)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta (sz 2) (sz 10)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta (sz 2) (sz 10)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta (sz 3) (sz 11)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta (sz 3) (sz 11)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta (sz 4) (sz 12)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta (sz 4) (sz 12)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta (sz 5) (sz 13)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta (sz 5) (sz 13)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta (sz 6) (sz 14)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta (sz 6) (sz 14)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    inv_ntt_step v zeta (sz 7) (sz 15)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    inv_ntt_step vec zeta (sz 7) (sz 15)
   in
-  v
+  vec
+
+#pop-options
+
+#push-options "--z3rlimit 250 --split_queries always --query_stats --ext context_prune"
 
 let ntt_multiply_binomials
       (a b: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta: i16)
-      (i j: usize)
+      (i: usize)
       (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
      =
-  let o0:i16 =
-    Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a
-                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
-                <:
-                i16)
-            <:
-            i32) *!
-          (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32)
-          <:
-          i32) +!
-        ((cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ((cast (a
-                            .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ]
-                          <:
-                          i16)
-                      <:
-                      i32) *!
-                    (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16)
-                      <:
-                      i32)
-                    <:
-                    i32)
-                <:
-                i16)
-            <:
-            i32) *!
-          (cast (zeta <: i16) <: i32)
-          <:
-          i32)
-        <:
-        i32)
+  let ai:i16 = a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 *! i <: usize ] in
+  let bi:i16 = b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 *! i <: usize ] in
+  let aj:i16 =
+    a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ (sz 2 *! i <: usize) +! sz 1 <: usize
+    ]
+  in
+  let bj:i16 =
+    b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ (sz 2 *! i <: usize) +! sz 1 <: usize
+    ]
+  in
+  let _:Prims.unit =
+    assert (Spec.Utils.is_i16b 3328 ai);
+    assert (Spec.Utils.is_i16b 3328 bi);
+    assert (Spec.Utils.is_i16b 3328 aj);
+    assert (Spec.Utils.is_i16b 3328 bj);
+    assert_norm (3328 * 3328 < pow2 31)
+  in
+  let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 ai bi in
+  let ai_bi:i32 = (cast (ai <: i16) <: i32) *! (cast (bi <: i16) <: i32) in
+  let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 aj bj in
+  let aj_bj___:i32 = (cast (aj <: i16) <: i32) *! (cast (bj <: i16) <: i32) in
+  let _:Prims.unit = assert_norm (3328 * 3328 <= 3328 * pow2 15) in
+  let aj_bj:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element aj_bj___ in
+  let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 1664 aj_bj zeta in
+  let aj_bj_zeta:i32 = (cast (aj_bj <: i16) <: i32) *! (cast (zeta <: i16) <: i32) in
+  let ai_bi_aj_bj:i32 = ai_bi +! aj_bj_zeta in
+  let _:Prims.unit = assert (Spec.Utils.is_i32b (3328 * 3328 + 3328 * 1664) ai_bi_aj_bj) in
+  let _:Prims.unit = assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15) in
+  let o0:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ai_bi_aj_bj in
+  let _:Prims.unit =
+    calc ( == ) {
+      v o0 % 3329;
+      ( == ) { () }
+      (v ai_bi_aj_bj * 169) % 3329;
+      ( == ) { assert (v ai_bi_aj_bj == v ai_bi + v aj_bj_zeta) }
+      ((v ai_bi + v aj_bj_zeta) * 169) % 3329;
+      ( == ) { assert (v ai_bi == v ai * v bi) }
+      (((v ai * v bi) + v aj_bj_zeta) * 169) % 3329;
+      ( == ) { assert (v aj_bj_zeta == v aj_bj * v zeta) }
+      (((v ai * v bi) + (v aj_bj * v zeta)) * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + (v aj_bj * v zeta)) 169 3329 }
+      ((((v ai * v bi) + (v aj_bj * v zeta)) % 3329) * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj_bj * v zeta) 3329 }
+      ((((v ai * v bi) + ((v aj_bj * v zeta) % 3329)) % 3329) * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj_bj) (v zeta) 3329 }
+      ((((v ai * v bi) + (((v aj_bj % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329;
+      ( == ) { assert (v aj_bj % 3329 == (v aj_bj___ * 169) % 3329) }
+      ((((v ai * v bi) + ((((v aj_bj___ * 169) % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329;
+      ( == ) { assert (v aj_bj___ == v aj * v bj) }
+      ((((v ai * v bi) + ((((v aj * v bj * 169) % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj * v bj * 169) (v zeta) 3329 }
+      ((((v ai * v bi) + (((v aj * v bj * 169 * v zeta) % 3329))) % 3329) * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj * v bj * 169 * v zeta) 3329 }
+      ((((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) % 3329) * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + ((v aj * v bj * 169 * v zeta)))
+        169
+        3329 }
+      (((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) * 169) % 3329;
+    }
   in
-  let o1:i16 =
-    Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a
-                  .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
-                <:
-                i16)
-            <:
-            i32) *!
-          (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) <: i32)
-          <:
-          i32) +!
-        ((cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) <: i32) *!
-          (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32)
-          <:
-          i32)
-        <:
-        i32)
+  let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 ai bj in
+  let ai_bj:i32 = (cast (ai <: i16) <: i32) *! (cast (bj <: i16) <: i32) in
+  let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 aj bi in
+  let aj_bi:i32 = (cast (aj <: i16) <: i32) *! (cast (bi <: i16) <: i32) in
+  let ai_bj_aj_bi:i32 = ai_bj +! aj_bi in
+  let _:Prims.unit = assert (Spec.Utils.is_i32b (3328 * 3328 + 3328 * 3328) ai_bj_aj_bi) in
+  let _:Prims.unit = assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15) in
+  let o1:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ai_bj_aj_bi in
+  let _:Prims.unit =
+    calc ( == ) {
+      v o1 % 3329;
+      ( == ) { () }
+      (v ai_bj_aj_bi * 169) % 3329;
+      ( == ) { assert (v ai_bj_aj_bi == v ai_bj + v aj_bi) }
+      ((v ai_bj + v aj_bi) * 169) % 3329;
+      ( == ) { assert (v ai_bj == v ai * v bj) }
+      ((v ai * v bj + v aj_bi) * 169) % 3329;
+      ( == ) { assert (v aj_bi == v aj * v bi) }
+      ((v ai * v bj + v aj * v bi) * 169) % 3329;
+    }
   in
+  let v__out0:t_Array i16 (sz 16) = out.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     {
       out with
@@ -201,7 +291,7 @@ let ntt_multiply_binomials
       =
       Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
           .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        i
+        (sz 2 *! i <: usize)
         o0
     }
     <:
@@ -214,170 +304,264 @@ let ntt_multiply_binomials
       =
       Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
           .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        j
+        ((sz 2 *! i <: usize) +! sz 1 <: usize)
         o1
     }
     <:
     Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
   in
+  let _:Prims.unit =
+    assert (Seq.index out.f_elements (2 * v i) == o0);
+    assert (Seq.index out.f_elements (2 * v i + 1) == o1);
+    assert (Spec.Utils.is_i16b_array 3328 out.f_elements);
+    assert (forall k.
+          (k <> 2 * v i /\ k <> 2 * v i + 1) ==> Seq.index out.f_elements k == Seq.index v__out0 k)
+  in
+  let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in
   out
 
+#pop-options
+
 let ntt_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta: i16)
       (i j: usize)
      =
   let t:i16 =
-    Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v
+    Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (vec
           .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ]
         <:
         i16)
       zeta
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  let _:Prims.unit =
+    assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329))
+  in
+  let a_minus_t:i16 =
+    (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! t
+  in
+  let _:Prims.unit =
+    calc ( == ) {
+      v a_minus_t % 3329;
+      ( == ) { () }
+      (v (Seq.index vec.f_elements (v i)) - v t) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 }
+      (v (Seq.index vec.f_elements (v i)) - (v t % 3329)) % 3329;
+      ( == ) { () }
+      (v (Seq.index vec.f_elements (v i)) -
+        ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) %
+      3329;
+      ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i)))
+        (v (Seq.index vec.f_elements (v j)) * v zeta * 169)
+        3329 }
+      (v (Seq.index vec.f_elements (v i)) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) %
+      3329;
+    }
+  in
+  let a_plus_t:i16 =
+    (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t
+  in
+  let _:Prims.unit =
+    calc ( == ) {
+      v a_plus_t % 3329;
+      ( == ) { () }
+      (v (Seq.index vec.f_elements (v i)) + v t) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 }
+      (v (Seq.index vec.f_elements (v i)) + (v t % 3329)) % 3329;
+      ( == ) { () }
+      (v (Seq.index vec.f_elements (v i)) +
+        ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) %
+      3329;
+      ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i)))
+        (v (Seq.index vec.f_elements (v j)) * v zeta * 169)
+        3329 }
+      (v (Seq.index vec.f_elements (v i)) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) %
+      3329;
+    }
+  in
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     {
-      v with
+      vec with
       Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
       =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
           .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
         j
-        ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! t <: i16)
+        a_minus_t
     }
     <:
     Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     {
-      v with
+      vec with
       Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
       =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
           .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
         i
-        ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t <: i16)
+        a_plus_t
     }
     <:
     Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
   in
-  v
+  let _:Prims.unit =
+    assert (Seq.index vec.f_elements (v i) == a_plus_t);
+    assert (Seq.index vec.f_elements (v j) == a_minus_t)
+  in
+  vec
+
+#push-options "--z3rlimit 100"
 
 let ntt_layer_1_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1 zeta2 zeta3: i16)
      =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta0 (sz 0) (sz 2)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta0 (sz 0) (sz 2)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta0 (sz 1) (sz 3)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta0 (sz 1) (sz 3)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta1 (sz 4) (sz 6)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta1 (sz 4) (sz 6)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta1 (sz 5) (sz 7)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta1 (sz 5) (sz 7)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta2 (sz 8) (sz 10)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta2 (sz 8) (sz 10)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta2 (sz 9) (sz 11)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta2 (sz 9) (sz 11)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta3 (sz 12) (sz 14)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta3 (sz 12) (sz 14)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta3 (sz 13) (sz 15)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta3 (sz 13) (sz 15)
   in
-  v
+  vec
+
+#pop-options
+
+#push-options "--z3rlimit 100"
 
 let ntt_layer_2_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1: i16)
      =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta0 (sz 0) (sz 4)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta0 (sz 0) (sz 4)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta0 (sz 1) (sz 5)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta0 (sz 1) (sz 5)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta0 (sz 2) (sz 6)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta0 (sz 2) (sz 6)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta0 (sz 3) (sz 7)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta0 (sz 3) (sz 7)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta1 (sz 8) (sz 12)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta1 (sz 8) (sz 12)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta1 (sz 9) (sz 13)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta1 (sz 9) (sz 13)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta1 (sz 10) (sz 14)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta1 (sz 10) (sz 14)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta1 (sz 11) (sz 15)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta1 (sz 11) (sz 15)
   in
-  v
+  vec
+
+#pop-options
 
-let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) =
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta (sz 0) (sz 8)
+#push-options "--z3rlimit 100"
+
+let ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) =
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta (sz 0) (sz 8)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta (sz 1) (sz 9)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta (sz 1) (sz 9)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta (sz 2) (sz 10)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta (sz 2) (sz 10)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta (sz 3) (sz 11)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta (sz 3) (sz 11)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta (sz 4) (sz 12)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta (sz 4) (sz 12)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta (sz 5) (sz 13)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta (sz 5) (sz 13)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta (sz 6) (sz 14)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta (sz 6) (sz 14)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_step v zeta (sz 7) (sz 15)
+  let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+    ntt_step vec zeta (sz 7) (sz 15)
   in
-  v
+  vec
+
+#pop-options
+
+#push-options "--z3rlimit 100"
 
 let ntt_multiply
       (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1 zeta2 zeta3: i16)
      =
+  let nzeta0:i16 = Core.Ops.Arith.Neg.neg zeta0 in
+  let nzeta1:i16 = Core.Ops.Arith.Neg.neg zeta1 in
+  let nzeta2:i16 = Core.Ops.Arith.Neg.neg zeta2 in
+  let nzeta3:i16 = Core.Ops.Arith.Neg.neg zeta3 in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta0) in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta1) in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta2) in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta3) in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
     Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()
   in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_multiply_binomials lhs rhs zeta0 (sz 0) (sz 1) out
+    ntt_multiply_binomials lhs rhs zeta0 (sz 0) out
   in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta0 <: i16) (sz 2) (sz 3) out
+    ntt_multiply_binomials lhs rhs nzeta0 (sz 1) out
   in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_multiply_binomials lhs rhs zeta1 (sz 4) (sz 5) out
+    ntt_multiply_binomials lhs rhs zeta1 (sz 2) out
   in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta1 <: i16) (sz 6) (sz 7) out
+    ntt_multiply_binomials lhs rhs nzeta1 (sz 3) out
   in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_multiply_binomials lhs rhs zeta2 (sz 8) (sz 9) out
+    ntt_multiply_binomials lhs rhs zeta2 (sz 4) out
   in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta2 <: i16) (sz 10) (sz 11) out
+    ntt_multiply_binomials lhs rhs nzeta2 (sz 5) out
   in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_multiply_binomials lhs rhs zeta3 (sz 12) (sz 13) out
+    ntt_multiply_binomials lhs rhs zeta3 (sz 6) out
   in
+  let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in
   let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta3 <: i16) (sz 14) (sz 15) out
+    ntt_multiply_binomials lhs rhs nzeta3 (sz 7) out
   in
-  out
+  let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in
+  let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
+  let _:Prims.unit = admit () (* Panic freedom *) in
+  result
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
index 3c826a279..c5532bbde 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
@@ -1,36 +1,65 @@
 module Libcrux_ml_kem.Vector.Portable.Ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+[@@ "opaque_to_smt"]
+
 val inv_ntt_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta: i16)
       (i j: usize)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\
+        Spec.Utils.is_i16b_array (4 * 3328) vec.f_elements)
+      (ensures
+        fun vec_future ->
+          let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in
+          Spec.Utils.is_i16b_array (4 * 3328) vec_future.f_elements /\
+          (forall k.
+              (k <> v i /\ k <> v j) ==>
+              Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\
+          Spec.Utils.is_i16b 3328 (Seq.index vec_future.f_elements (v i)) /\
+          Spec.Utils.is_i16b 3328 (Seq.index vec_future.f_elements (v j)) /\
+          Spec.Utils.inv_ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements)
 
 val inv_ntt_layer_1_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1 zeta2 zeta3: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (4 * 3328) vec.f_elements)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          Spec.Utils.is_i16b_array 3328 result.f_elements)
 
 val inv_ntt_layer_2_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array 3328 vec.f_elements)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          Spec.Utils.is_i16b_array 3328 result.f_elements)
 
 val inv_ntt_layer_3_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 vec.f_elements)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          Spec.Utils.is_i16b_array 3328 result.f_elements)
+
+[@@ "opaque_to_smt"]
 
 /// Compute the product of two Kyber binomials with respect to the
 /// modulus `X² - zeta`.
@@ -44,49 +73,127 @@ val inv_ntt_layer_3_step
 /// c₁ ← a₀·b₁ + a₁·b₀
 /// return c₀, c₁
 /// ```
-/// We say "almost" because the coefficients output by this function are in
+/// We say \"almost\" because the coefficients output by this function are in
 /// the Montgomery domain (unlike in the specification).
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
 val ntt_multiply_binomials
       (a b: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta: i16)
-      (i j: usize)
+      (i: usize)
       (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        v i < 8 /\ Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 a.f_elements /\
+        Spec.Utils.is_i16b_array 3328 b.f_elements /\ Spec.Utils.is_i16b_array 3328 out.f_elements)
+      (ensures
+        fun out_future ->
+          let out_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out_future in
+          Spec.Utils.is_i16b_array 3328 out_future.f_elements /\
+          (forall k.
+              (k <> 2 * v i /\ k <> 2 * v i + 1) ==>
+              Seq.index out_future.f_elements k == Seq.index out.f_elements k) /\
+          (let ai = Seq.index a.f_elements (2 * v i) in
+            let aj = Seq.index a.f_elements (2 * v i + 1) in
+            let bi = Seq.index b.f_elements (2 * v i) in
+            let bj = Seq.index b.f_elements (2 * v i + 1) in
+            let oi = Seq.index out_future.f_elements (2 * v i) in
+            let oj = Seq.index out_future.f_elements (2 * v i + 1) in
+            ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\
+            ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329))))
+
+[@@ "opaque_to_smt"]
 
 val ntt_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta: i16)
       (i j: usize)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\
+        Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\
+        Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ i ] /\
+        Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ j ])
+      (ensures
+        fun vec_future ->
+          let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in
+          (forall k.
+              (k <> v i /\ k <> v j) ==>
+              Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\
+          (forall b.
+              (Spec.Utils.is_i16b b vec.f_elements.[ i ] /\
+                Spec.Utils.is_i16b b vec.f_elements.[ j ]) ==>
+              (Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ i ] /\
+                Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ j ])) /\
+          Spec.Utils.ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements)
 
 val ntt_layer_1_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1 zeta2 zeta3: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (11207 + 5 * 3328) vec.f_elements)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          Spec.Utils.is_i16b_array (11207 + 6 * 3328) result.f_elements)
 
 val ntt_layer_2_step
-      (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+      (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array (11207 + 4 * 3328) vec.f_elements)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          Spec.Utils.is_i16b_array (11207 + 5 * 3328) result.f_elements)
 
-val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16)
+val ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) vec.f_elements)
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          Spec.Utils.is_i16b_array (11207 + 4 * 3328) result.f_elements)
 
 val ntt_multiply
       (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
       (zeta0 zeta1 zeta2 zeta3: i16)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+      (requires
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array 3328 lhs.f_elements /\ Spec.Utils.is_i16b_array 3328 rhs.f_elements
+      )
+      (ensures
+        fun result ->
+          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+          Spec.Utils.is_i16b_array 3328 result.f_elements /\
+          (let zetas =
+              Seq.seq_of_list [
+                  v zeta0;
+                  - v zeta0;
+                  v zeta1;
+                  - v zeta1;
+                  v zeta2;
+                  - v zeta2;
+                  v zeta3;
+                  - v zeta3
+                ]
+            in
+            (forall (i: nat).
+                i < 8 ==>
+                (let ai = Seq.index lhs.f_elements (2 * i) in
+                  let aj = Seq.index lhs.f_elements (2 * i + 1) in
+                  let bi = Seq.index rhs.f_elements (2 * i) in
+                  let bj = Seq.index rhs.f_elements (2 * i + 1) in
+                  let oi = Seq.index result.f_elements (2 * i) in
+                  let oj = Seq.index result.f_elements (2 * i + 1) in
+                  ((v oi % 3329) ==
+                    (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\
+                  ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329))))))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst
index aec49a64f..ef246cd1f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst
@@ -1,8 +1,10 @@
 module Libcrux_ml_kem.Vector.Portable.Sampling
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+#push-options "--admit_smt_queries true"
+
 let rej_sample (a: t_Slice u8) (result: t_Slice i16) =
   let sampled:usize = sz 0 in
   let result, sampled:(t_Slice i16 & usize) =
@@ -40,3 +42,5 @@ let rej_sample (a: t_Slice u8) (result: t_Slice i16) =
   in
   let hax_temp_output:usize = sampled in
   result, hax_temp_output <: (t_Slice i16 & usize)
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti
index fc5f15276..57159cf4c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti
@@ -1,7 +1,14 @@
 module Libcrux_ml_kem.Vector.Portable.Sampling
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 val rej_sample (a: t_Slice u8) (result: t_Slice i16)
-    : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Slice i16 & usize)
+      (requires
+        (Core.Slice.impl__len #u8 a <: usize) =. sz 24 &&
+        (Core.Slice.impl__len #i16 result <: usize) =. sz 16)
+      (ensures
+        fun temp_0_ ->
+          let result_future, res:(t_Slice i16 & usize) = temp_0_ in
+          Seq.length result_future == Seq.length result /\ v res <= 16)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti
new file mode 100644
index 000000000..4ed69770d
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti
@@ -0,0 +1,100 @@
+module Libcrux_ml_kem.Vector.Portable.Serialize.Edited
+// #set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+// open Core
+// open FStar.Mul
+
+// val deserialize_10_int (bytes: t_Slice u8)
+//     : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
+
+// val deserialize_11_int (bytes: t_Slice u8)
+//     : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
+
+// val deserialize_12_int (bytes: t_Slice u8)
+//     : Prims.Pure (i16 & i16) Prims.l_True (fun _ -> Prims.l_True)
+
+// val deserialize_4_int (bytes: t_Slice u8)
+//     : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
+
+// val deserialize_5_int (bytes: t_Slice u8)
+//     : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
+
+// val serialize_10_int (v: t_Slice i16)
+//     : Prims.Pure (u8 & u8 & u8 & u8 & u8)
+//       (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 4)
+//       (ensures
+//         fun tuple ->
+//           let tuple:(u8 & u8 & u8 & u8 & u8) = tuple in
+//           BitVecEq.int_t_array_bitwise_eq' (v <: t_Array i16 (sz 4)) 10 (MkSeq.create5 tuple) 8)
+
+// val serialize_11_int (v: t_Slice i16)
+//     : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8)
+//       (requires Seq.length v == 8 /\ (forall i. Rust_primitives.bounded (Seq.index v i) 11))
+//       (ensures
+//         fun tuple ->
+//           let tuple:(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) = tuple in
+//           BitVecEq.int_t_array_bitwise_eq' (v <: t_Array i16 (sz 8)) 11 (MkSeq.create11 tuple) 8)
+
+// val serialize_12_int (v: t_Slice i16)
+//     : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+
+// val serialize_4_int (v: t_Slice i16)
+//     : Prims.Pure (u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+
+// val serialize_5_int (v: t_Slice i16)
+//     : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+
+// val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+//     : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
+
+// val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+//     : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True)
+
+// val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+//     : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
+
+// val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+//     : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True)
+
+// val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+//     : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
+
+// val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+//     : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
+
+// val deserialize_1_ (v: t_Slice u8)
+//     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
+
+// val deserialize_10_ (bytes: t_Slice u8)
+//     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
+
+// val deserialize_11_ (bytes: t_Slice u8)
+//     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
+
+// val deserialize_12_ (bytes: t_Slice u8)
+//     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
+
+// val deserialize_4_ (bytes: t_Slice u8)
+//     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
+
+// val deserialize_5_ (bytes: t_Slice u8)
+//     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+//       Prims.l_True
+//       (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst
index 9a88facf7..03cede344 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Portable.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -244,159 +244,65 @@ let serialize_5_int (v: t_Slice i16) =
   in
   r0, r1, r2, r3, r4 <: (u8 & u8 & u8 & u8 & u8)
 
-let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-  let result:t_Array u8 (sz 2) = Rust_primitives.Hax.repeat 0uy (sz 2) in
-  let result:t_Array u8 (sz 2) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (sz 8)
-      (fun result temp_1_ ->
-          let result:t_Array u8 (sz 2) = result in
-          let _:usize = temp_1_ in
-          true)
-      result
-      (fun result i ->
-          let result:t_Array u8 (sz 2) = result in
-          let i:usize = i in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
-            (sz 0)
-            ((result.[ sz 0 ] <: u8) |.
-              ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) <<!
-                i
-                <:
-                u8)
-              <:
-              u8)
-          <:
-          t_Array u8 (sz 2))
-  in
-  let result:t_Array u8 (sz 2) =
-    Rust_primitives.Hax.Folds.fold_range (sz 8)
-      (sz 16)
-      (fun result temp_1_ ->
-          let result:t_Array u8 (sz 2) = result in
-          let _:usize = temp_1_ in
-          true)
-      result
-      (fun result i ->
-          let result:t_Array u8 (sz 2) = result in
-          let i:usize = i in
-          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
-            (sz 1)
-            ((result.[ sz 1 ] <: u8) |.
-              ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) <<!
-                (i -! sz 8 <: usize)
-                <:
-                u8)
-              <:
-              u8)
-          <:
-          t_Array u8 (sz 2))
-  in
-  result
-
-let serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-  let r0_4_:(u8 & u8 & u8 & u8 & u8) =
-    serialize_10_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 0;
-            Core.Ops.Range.f_end = sz 4
-          }
+let deserialize_11_ (bytes: t_Slice u8) =
+  let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
+    deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 11 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let r5_9_:(u8 & u8 & u8 & u8 & u8) =
-    serialize_10_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 4;
-            Core.Ops.Range.f_end = sz 8
-          }
+  let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
+    deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 11; Core.Ops.Range.f_end = sz 22 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let r10_14_:(u8 & u8 & u8 & u8 & u8) =
-    serialize_10_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 8;
-            Core.Ops.Range.f_end = sz 12
-          }
+  {
+    Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+    =
+    let list =
+      [
+        v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1;
+        v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8
+      ]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
+    Rust_primitives.Hax.array_of_list 16 list
+  }
+  <:
+  Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+
+let deserialize_5_ (bytes: t_Slice u8) =
+  let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
+    deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 5 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let r15_19_:(u8 & u8 & u8 & u8 & u8) =
-    serialize_10_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 12;
-            Core.Ops.Range.f_end = sz 16
-          }
+  let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
+    deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 10 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
-  in
-  let result:t_Array u8 (sz 20) = Rust_primitives.Hax.repeat 0uy (sz 20) in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_4_._1
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_4_._2
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_4_._3
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r0_4_._4
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r0_4_._5
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r5_9_._1
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r5_9_._2
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r5_9_._3
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r5_9_._4
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r5_9_._5
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 10) r10_14_._1
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 11) r10_14_._2
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 12) r10_14_._3
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 13) r10_14_._4
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 14) r10_14_._5
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 15) r15_19_._1
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 16) r15_19_._2
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 17) r15_19_._3
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 18) r15_19_._4
-  in
-  let result:t_Array u8 (sz 20) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 19) r15_19_._5
+        t_Slice u8)
   in
-  result
+  {
+    Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+    =
+    let list =
+      [
+        v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1;
+        v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8
+      ]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
+    Rust_primitives.Hax.array_of_list 16 list
+  }
+  <:
+  Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
 
 let serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
   let r0_10_:(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) =
@@ -419,1567 +325,663 @@ let serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVecto
         <:
         t_Slice i16)
   in
-  let result:t_Array u8 (sz 22) = Rust_primitives.Hax.repeat 0uy (sz 22) in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_10_._1
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_10_._2
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_10_._3
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r0_10_._4
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r0_10_._5
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r0_10_._6
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r0_10_._7
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r0_10_._8
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r0_10_._9
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r0_10_._10
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 10) r0_10_._11
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 11) r11_21_._1
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 12) r11_21_._2
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 13) r11_21_._3
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 14) r11_21_._4
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 15) r11_21_._5
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 16) r11_21_._6
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 17) r11_21_._7
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 18) r11_21_._8
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 19) r11_21_._9
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 20) r11_21_._10
-  in
-  let result:t_Array u8 (sz 22) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 21) r11_21_._11
+  let list =
+    [
+      r0_10_._1; r0_10_._2; r0_10_._3; r0_10_._4; r0_10_._5; r0_10_._6; r0_10_._7; r0_10_._8;
+      r0_10_._9; r0_10_._10; r0_10_._11; r11_21_._1; r11_21_._2; r11_21_._3; r11_21_._4; r11_21_._5;
+      r11_21_._6; r11_21_._7; r11_21_._8; r11_21_._9; r11_21_._10; r11_21_._11
+    ]
   in
-  result
+  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 22);
+  Rust_primitives.Hax.array_of_list 22 list
 
-let serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-  let r0_2_:(u8 & u8 & u8) =
-    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+let serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let r0_4_:(u8 & u8 & u8 & u8 & u8) =
+    serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
             Core.Ops.Range.f_start = sz 0;
-            Core.Ops.Range.f_end = sz 2
+            Core.Ops.Range.f_end = sz 8
           }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
         t_Slice i16)
   in
-  let r3_5_:(u8 & u8 & u8) =
-    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 2;
-            Core.Ops.Range.f_end = sz 4
+  let r5_9_:(u8 & u8 & u8 & u8 & u8) =
+    serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 8;
+            Core.Ops.Range.f_end = sz 16
           }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
         t_Slice i16)
   in
-  let r6_8_:(u8 & u8 & u8) =
-    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 4;
-            Core.Ops.Range.f_end = sz 6
-          }
+  let list =
+    [
+      r0_4_._1; r0_4_._2; r0_4_._3; r0_4_._4; r0_4_._5; r5_9_._1; r5_9_._2; r5_9_._3; r5_9_._4;
+      r5_9_._5
+    ]
+  in
+  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 10);
+  Rust_primitives.Hax.array_of_list 10 list
+
+let deserialize_1_ (v: t_Slice u8) =
+  let result0:i16 = cast ((v.[ sz 0 ] <: u8) &. 1uy <: u8) <: i16 in
+  let result1:i16 = cast (((v.[ sz 0 ] <: u8) >>! 1l <: u8) &. 1uy <: u8) <: i16 in
+  let result2:i16 = cast (((v.[ sz 0 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in
+  let result3:i16 = cast (((v.[ sz 0 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in
+  let result4:i16 = cast (((v.[ sz 0 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in
+  let result5:i16 = cast (((v.[ sz 0 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in
+  let result6:i16 = cast (((v.[ sz 0 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in
+  let result7:i16 = cast (((v.[ sz 0 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in
+  let result8:i16 = cast ((v.[ sz 1 ] <: u8) &. 1uy <: u8) <: i16 in
+  let result9:i16 = cast (((v.[ sz 1 ] <: u8) >>! 1l <: u8) &. 1uy <: u8) <: i16 in
+  let result10:i16 = cast (((v.[ sz 1 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in
+  let result11:i16 = cast (((v.[ sz 1 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in
+  let result12:i16 = cast (((v.[ sz 1 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in
+  let result13:i16 = cast (((v.[ sz 1 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in
+  let result14:i16 = cast (((v.[ sz 1 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in
+  let result15:i16 = cast (((v.[ sz 1 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in
+  {
+    Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+    =
+    let list =
+      [
+        result0; result1; result2; result3; result4; result5; result6; result7; result8; result9;
+        result10; result11; result12; result13; result14; result15
+      ]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
+    Rust_primitives.Hax.array_of_list 16 list
+  }
+  <:
+  Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+
+#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh"
+
+let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 8 in
+     let outputs = bit_vec_of_int_t_array (deserialize_1_ v).f_elements 1 in
+     (forall (i: nat {i < 16}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let deserialize_1_lemma inputs =
+  deserialize_1_bit_vec_lemma inputs;
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+
+#pop-options
+
+let deserialize_1_bounded_lemma inputs =
+  admit()
+
+let deserialize_10_ (bytes: t_Slice u8) =
+  let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
+    deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let r9_11_:(u8 & u8 & u8) =
-    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 6;
-            Core.Ops.Range.f_end = sz 8
-          }
+  let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
+    deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 20 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let r12_14_:(u8 & u8 & u8) =
-    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 8;
-            Core.Ops.Range.f_end = sz 10
-          }
+  {
+    Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+    =
+    let list =
+      [
+        v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1;
+        v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8
+      ]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
+    Rust_primitives.Hax.array_of_list 16 list
+  }
+  <:
+  Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+
+#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh"
+
+let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 8 in
+     let outputs = bit_vec_of_int_t_array (deserialize_10_ v).f_elements 10 in
+     (forall (i: nat {i < 160}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let deserialize_10_lemma inputs =
+  deserialize_10_bit_vec_lemma inputs;
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+
+#pop-options
+
+let deserialize_10_bounded_lemma inputs =
+  admit()
+
+let deserialize_12_ (bytes: t_Slice u8) =
+  let v0_1_:(i16 & i16) =
+    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let r15_17_:(u8 & u8 & u8) =
-    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 10;
-            Core.Ops.Range.f_end = sz 12
-          }
+  let v2_3_:(i16 & i16) =
+    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 3; Core.Ops.Range.f_end = sz 6 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let r18_20_:(u8 & u8 & u8) =
-    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 12;
-            Core.Ops.Range.f_end = sz 14
-          }
+  let v4_5_:(i16 & i16) =
+    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 6; Core.Ops.Range.f_end = sz 9 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let r21_23_:(u8 & u8 & u8) =
-    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 14;
-            Core.Ops.Range.f_end = sz 16
-          }
+  let v6_7_:(i16 & i16) =
+    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 9; Core.Ops.Range.f_end = sz 12 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
-  in
-  let result:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_2_._1
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_2_._2
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_2_._3
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r3_5_._1
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r3_5_._2
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r3_5_._3
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r6_8_._1
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r6_8_._2
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r6_8_._3
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r9_11_._1
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 10) r9_11_._2
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 11) r9_11_._3
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 12) r12_14_._1
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 13) r12_14_._2
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 14) r12_14_._3
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 15) r15_17_._1
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 16) r15_17_._2
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 17) r15_17_._3
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 18) r18_20_._1
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 19) r18_20_._2
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 20) r18_20_._3
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 21) r21_23_._1
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 22) r21_23_._2
-  in
-  let result:t_Array u8 (sz 24) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 23) r21_23_._3
+        t_Slice u8)
   in
-  result
-
-let serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-  let result0_3_:(u8 & u8 & u8 & u8) =
-    serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 0;
-            Core.Ops.Range.f_end = sz 8
-          }
+  let v8_9_:(i16 & i16) =
+    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 15 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let result4_7_:(u8 & u8 & u8 & u8) =
-    serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 8;
-            Core.Ops.Range.f_end = sz 16
-          }
+  let v10_11_:(i16 & i16) =
+    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 15; Core.Ops.Range.f_end = sz 18 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
-  in
-  let result:t_Array u8 (sz 8) = Rust_primitives.Hax.repeat 0uy (sz 8) in
-  let result:t_Array u8 (sz 8) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) result0_3_._1
-  in
-  let result:t_Array u8 (sz 8) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) result0_3_._2
-  in
-  let result:t_Array u8 (sz 8) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) result0_3_._3
-  in
-  let result:t_Array u8 (sz 8) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) result0_3_._4
-  in
-  let result:t_Array u8 (sz 8) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) result4_7_._1
-  in
-  let result:t_Array u8 (sz 8) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) result4_7_._2
-  in
-  let result:t_Array u8 (sz 8) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) result4_7_._3
-  in
-  let result:t_Array u8 (sz 8) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) result4_7_._4
+        t_Slice u8)
   in
-  result
-
-let serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
-  let r0_4_:(u8 & u8 & u8 & u8 & u8) =
-    serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 0;
-            Core.Ops.Range.f_end = sz 8
-          }
+  let v12_13_:(i16 & i16) =
+    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 18; Core.Ops.Range.f_end = sz 21 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
+        t_Slice u8)
   in
-  let r5_9_:(u8 & u8 & u8 & u8 & u8) =
-    serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
-            Core.Ops.Range.f_start = sz 8;
-            Core.Ops.Range.f_end = sz 16
-          }
+  let v14_15_:(i16 & i16) =
+    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 21; Core.Ops.Range.f_end = sz 24 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice i16)
-  in
-  let result:t_Array u8 (sz 10) = Rust_primitives.Hax.repeat 0uy (sz 10) in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_4_._1
-  in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_4_._2
-  in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_4_._3
-  in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r0_4_._4
-  in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r0_4_._5
-  in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r5_9_._1
-  in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r5_9_._2
-  in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r5_9_._3
-  in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r5_9_._4
-  in
-  let result:t_Array u8 (sz 10) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r5_9_._5
+        t_Slice u8)
   in
-  result
+  {
+    Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+    =
+    let list =
+      [
+        v0_1_._1; v0_1_._2; v2_3_._1; v2_3_._2; v4_5_._1; v4_5_._2; v6_7_._1; v6_7_._2; v8_9_._1;
+        v8_9_._2; v10_11_._1; v10_11_._2; v12_13_._1; v12_13_._2; v14_15_._1; v14_15_._2
+      ]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
+    Rust_primitives.Hax.array_of_list 16 list
+  }
+  <:
+  Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
 
-let deserialize_1_ (v: t_Slice u8) =
-  let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()
-  in
-  let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (sz 8)
-      (fun result temp_1_ ->
-          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
-          let _:usize = temp_1_ in
-          true)
-      result
-      (fun result i ->
-          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
-          let i:usize = i in
-          {
-            result with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              (cast (((v.[ sz 0 ] <: u8) >>! i <: u8) &. 1uy <: u8) <: i16)
-            <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-  in
-  let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    Rust_primitives.Hax.Folds.fold_range (sz 8)
-      Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
-      (fun result temp_1_ ->
-          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
-          let _:usize = temp_1_ in
-          true)
-      result
-      (fun result i ->
-          let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
-          let i:usize = i in
-          {
-            result with
-            Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-            =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
-                .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-              i
-              (cast (((v.[ sz 1 ] <: u8) >>! (i -! sz 8 <: usize) <: u8) &. 1uy <: u8) <: i16)
-            <:
-            t_Array i16 (sz 16)
-          }
-          <:
-          Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-  in
-  result
+#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh"
 
-let deserialize_10_ (bytes: t_Slice u8) =
+let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 8 in
+     let outputs = bit_vec_of_int_t_array (deserialize_12_ v).f_elements 12 in
+     (forall (i: nat {i < 192}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let deserialize_12_lemma inputs =
+  deserialize_12_bit_vec_lemma inputs;
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+
+#pop-options
+
+let deserialize_12_bounded_lemma inputs =
+  admit()
+
+let deserialize_4_ (bytes: t_Slice u8) =
   let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
-    deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 }
+    deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
         t_Slice u8)
   in
   let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
-    deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 20 }
+    deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 8 }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
         t_Slice u8)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 0)
-        v0_7_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 1)
-        v0_7_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 2)
-        v0_7_._3
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 3)
-        v0_7_._4
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 4)
-        v0_7_._5
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 5)
-        v0_7_._6
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 6)
-        v0_7_._7
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 7)
-        v0_7_._8
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 8)
-        v8_15_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 9)
-        v8_15_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 10)
-        v8_15_._3
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 11)
-        v8_15_._4
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 12)
-        v8_15_._5
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 13)
-        v8_15_._6
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 14)
-        v8_15_._7
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 15)
-        v8_15_._8
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+  {
+    Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+    =
+    let list =
+      [
+        v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1;
+        v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8
+      ]
+    in
+    FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
+    Rust_primitives.Hax.array_of_list 16 list
+  }
+  <:
+  Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+
+#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh"
+
+let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 8 in
+     let outputs = bit_vec_of_int_t_array (deserialize_4_ v).f_elements 4 in
+     (forall (i: nat {i < 64}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let deserialize_4_lemma inputs =
+  deserialize_4_bit_vec_lemma inputs;
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+
+#pop-options
+
+let deserialize_4_bounded_lemma inputs =
+  admit()
+
+let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let result0:u8 =
+    (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |.
+                ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16)
+                    <:
+                    u8) <<!
+                  1l
+                  <:
+                  u8)
+                <:
+                u8) |.
+              ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 ] <: i16) <: u8
+                ) <<!
+                2l
+                <:
+                u8)
+              <:
+              u8) |.
+            ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 3 ] <: i16) <: u8) <<!
+              3l
+              <:
+              u8)
+            <:
+            u8) |.
+          ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) <: u8) <<!
+            4l
+            <:
+            u8)
+          <:
+          u8) |.
+        ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) <: u8) <<!
+          5l
+          <:
+          u8)
+        <:
+        u8) |.
+      ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 6 ] <: i16) <: u8) <<! 6l
+        <:
+        u8)
+      <:
+      u8) |.
+    ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 7 ] <: i16) <: u8) <<! 7l
+      <:
+      u8)
+  in
+  let result1:u8 =
+    (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 8 ] <: i16) <: u8) |.
+                ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 9 ] <: i16)
+                    <:
+                    u8) <<!
+                  1l
+                  <:
+                  u8)
+                <:
+                u8) |.
+              ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 10 ] <: i16)
+                  <:
+                  u8) <<!
+                2l
+                <:
+                u8)
+              <:
+              u8) |.
+            ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 11 ] <: i16) <: u8) <<!
+              3l
+              <:
+              u8)
+            <:
+            u8) |.
+          ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 12 ] <: i16) <: u8) <<!
+            4l
+            <:
+            u8)
+          <:
+          u8) |.
+        ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 13 ] <: i16) <: u8) <<!
+          5l
+          <:
+          u8)
+        <:
+        u8) |.
+      ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 14 ] <: i16) <: u8) <<!
+        6l
+        <:
+        u8)
+      <:
+      u8) |.
+    ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 15 ] <: i16) <: u8) <<! 7l
+      <:
+      u8)
   in
-  v
+  let list = [result0; result1] in
+  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
+  Rust_primitives.Hax.array_of_list 2 list
 
-let deserialize_11_ (bytes: t_Slice u8) =
-  let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
-    deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 11 }
+#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh"
+
+let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16))
+  (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 1))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 1 in
+     let outputs = bit_vec_of_int_t_array (serialize_1_ ({ f_elements = v })) 8 in
+     (forall (i: nat {i < 16}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let serialize_1_lemma inputs =
+  serialize_1_bit_vec_lemma inputs.f_elements ();
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (serialize_1_ inputs) 8) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 1))
+
+#pop-options
+
+let serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let r0_4_:(u8 & u8 & u8 & u8 & u8) =
+    serialize_10_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 0;
+            Core.Ops.Range.f_end = sz 4
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
-    deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 11; Core.Ops.Range.f_end = sz 22 }
+  let r5_9_:(u8 & u8 & u8 & u8 & u8) =
+    serialize_10_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 4;
+            Core.Ops.Range.f_end = sz 8
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 0)
-        v0_7_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 1)
-        v0_7_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 2)
-        v0_7_._3
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 3)
-        v0_7_._4
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 4)
-        v0_7_._5
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 5)
-        v0_7_._6
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 6)
-        v0_7_._7
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 7)
-        v0_7_._8
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 8)
-        v8_15_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 9)
-        v8_15_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 10)
-        v8_15_._3
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 11)
-        v8_15_._4
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 12)
-        v8_15_._5
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 13)
-        v8_15_._6
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 14)
-        v8_15_._7
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 15)
-        v8_15_._8
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+        t_Slice i16)
   in
-  v
-
-let deserialize_12_ (bytes: t_Slice u8) =
-  let v0_1_:(i16 & i16) =
-    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 }
+  let r10_14_:(u8 & u8 & u8 & u8 & u8) =
+    serialize_10_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 8;
+            Core.Ops.Range.f_end = sz 12
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v2_3_:(i16 & i16) =
-    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 3; Core.Ops.Range.f_end = sz 6 }
+  let r15_19_:(u8 & u8 & u8 & u8 & u8) =
+    serialize_10_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 12;
+            Core.Ops.Range.f_end = sz 16
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v4_5_:(i16 & i16) =
-    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 6; Core.Ops.Range.f_end = sz 9 }
+  let list =
+    [
+      r0_4_._1; r0_4_._2; r0_4_._3; r0_4_._4; r0_4_._5; r5_9_._1; r5_9_._2; r5_9_._3; r5_9_._4;
+      r5_9_._5; r10_14_._1; r10_14_._2; r10_14_._3; r10_14_._4; r10_14_._5; r15_19_._1; r15_19_._2;
+      r15_19_._3; r15_19_._4; r15_19_._5
+    ]
+  in
+  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 20);
+  Rust_primitives.Hax.array_of_list 20 list
+
+#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh"
+
+let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16))
+  (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 10))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 10 in
+     let outputs = bit_vec_of_int_t_array (serialize_10_ ({ f_elements = v })) 8 in
+     (forall (i: nat {i < 160}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let serialize_10_lemma inputs =
+  serialize_10_bit_vec_lemma inputs.f_elements ();
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (serialize_10_ inputs) 8) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 10))
+
+#pop-options
+
+let serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let r0_2_:(u8 & u8 & u8) =
+    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 0;
+            Core.Ops.Range.f_end = sz 2
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v6_7_:(i16 & i16) =
-    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 9; Core.Ops.Range.f_end = sz 12 }
+  let r3_5_:(u8 & u8 & u8) =
+    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 2;
+            Core.Ops.Range.f_end = sz 4
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v8_9_:(i16 & i16) =
-    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 15 }
+  let r6_8_:(u8 & u8 & u8) =
+    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 4;
+            Core.Ops.Range.f_end = sz 6
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v10_11_:(i16 & i16) =
-    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 15; Core.Ops.Range.f_end = sz 18 }
+  let r9_11_:(u8 & u8 & u8) =
+    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 6;
+            Core.Ops.Range.f_end = sz 8
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v12_13_:(i16 & i16) =
-    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 18; Core.Ops.Range.f_end = sz 21 }
+  let r12_14_:(u8 & u8 & u8) =
+    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 8;
+            Core.Ops.Range.f_end = sz 10
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v14_15_:(i16 & i16) =
-    deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 21; Core.Ops.Range.f_end = sz 24 }
+  let r15_17_:(u8 & u8 & u8) =
+    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 10;
+            Core.Ops.Range.f_end = sz 12
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 0)
-        v0_1_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 1)
-        v0_1_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 2)
-        v2_3_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 3)
-        v2_3_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 4)
-        v4_5_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 5)
-        v4_5_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 6)
-        v6_7_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 7)
-        v6_7_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 8)
-        v8_9_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 9)
-        v8_9_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 10)
-        v10_11_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 11)
-        v10_11_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 12)
-        v12_13_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 13)
-        v12_13_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 14)
-        v14_15_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let re:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      re with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 15)
-        v14_15_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+        t_Slice i16)
   in
-  re
-
-let deserialize_4_ (bytes: t_Slice u8) =
-  let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
-    deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 }
+  let r18_20_:(u8 & u8 & u8) =
+    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 12;
+            Core.Ops.Range.f_end = sz 14
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
-    deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 8 }
+  let r21_23_:(u8 & u8 & u8) =
+    serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 14;
+            Core.Ops.Range.f_end = sz 16
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 0)
-        v0_7_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 1)
-        v0_7_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 2)
-        v0_7_._3
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 3)
-        v0_7_._4
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 4)
-        v0_7_._5
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 5)
-        v0_7_._6
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 6)
-        v0_7_._7
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 7)
-        v0_7_._8
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 8)
-        v8_15_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 9)
-        v8_15_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 10)
-        v8_15_._3
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 11)
-        v8_15_._4
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 12)
-        v8_15_._5
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 13)
-        v8_15_._6
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 14)
-        v8_15_._7
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 15)
-        v8_15_._8
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+  let list =
+    [
+      r0_2_._1; r0_2_._2; r0_2_._3; r3_5_._1; r3_5_._2; r3_5_._3; r6_8_._1; r6_8_._2; r6_8_._3;
+      r9_11_._1; r9_11_._2; r9_11_._3; r12_14_._1; r12_14_._2; r12_14_._3; r15_17_._1; r15_17_._2;
+      r15_17_._3; r18_20_._1; r18_20_._2; r18_20_._3; r21_23_._1; r21_23_._2; r21_23_._3
+    ]
   in
-  v
+  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 24);
+  Rust_primitives.Hax.array_of_list 24 list
 
-let deserialize_5_ (bytes: t_Slice u8) =
-  let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
-    deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 5 }
+#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh"
+
+let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16))
+  (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 12))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 12 in
+     let outputs = bit_vec_of_int_t_array (serialize_12_ ({ f_elements = v })) 8 in
+     (forall (i: nat {i < 192}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let serialize_12_lemma inputs =
+  serialize_12_bit_vec_lemma inputs.f_elements ();
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (serialize_12_ inputs) 8) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 12))
+
+#pop-options
+
+let serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let result0_3_:(u8 & u8 & u8 & u8) =
+    serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 0;
+            Core.Ops.Range.f_end = sz 8
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
+        t_Slice i16)
   in
-  let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
-    deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 10 }
+  let result4_7_:(u8 & u8 & u8 & u8) =
+    serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
+            Core.Ops.Range.f_start = sz 8;
+            Core.Ops.Range.f_end = sz 16
+          }
           <:
           Core.Ops.Range.t_Range usize ]
         <:
-        t_Slice u8)
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 0)
-        v0_7_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 1)
-        v0_7_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 2)
-        v0_7_._3
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 3)
-        v0_7_._4
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 4)
-        v0_7_._5
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 5)
-        v0_7_._6
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 6)
-        v0_7_._7
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 7)
-        v0_7_._8
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 8)
-        v8_15_._1
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 9)
-        v8_15_._2
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 10)
-        v8_15_._3
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 11)
-        v8_15_._4
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 12)
-        v8_15_._5
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 13)
-        v8_15_._6
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 14)
-        v8_15_._7
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-  in
-  let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-    {
-      v with
-      Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v
-          .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
-        (sz 15)
-        v8_15_._8
-    }
-    <:
-    Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+        t_Slice i16)
   in
-  v
+  let list =
+    [
+      result0_3_._1;
+      result0_3_._2;
+      result0_3_._3;
+      result0_3_._4;
+      result4_7_._1;
+      result4_7_._2;
+      result4_7_._3;
+      result4_7_._4
+    ]
+  in
+  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
+  Rust_primitives.Hax.array_of_list 8 list
+
+#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh"
+
+let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16))
+  (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 4))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 4 in
+     let outputs = bit_vec_of_int_t_array (serialize_4_ ({ f_elements = v })) 8 in
+     (forall (i: nat {i < 64}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let serialize_4_lemma inputs =
+  serialize_4_bit_vec_lemma inputs.f_elements ();
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (serialize_4_ inputs) 8) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4))
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti
index 978699fa8..3e010f599 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti
@@ -1,92 +1,142 @@
 module Libcrux_ml_kem.Vector.Portable.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 val deserialize_10_int (bytes: t_Slice u8)
     : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
-      Prims.l_True
+      (requires Core.Slice.impl__len #u8 bytes =. sz 10)
       (fun _ -> Prims.l_True)
 
 val deserialize_11_int (bytes: t_Slice u8)
     : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
-      Prims.l_True
+      (requires Core.Slice.impl__len #u8 bytes =. sz 11)
       (fun _ -> Prims.l_True)
 
 val deserialize_12_int (bytes: t_Slice u8)
-    : Prims.Pure (i16 & i16) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (i16 & i16)
+      (requires Core.Slice.impl__len #u8 bytes =. sz 3)
+      (fun _ -> Prims.l_True)
 
 val deserialize_4_int (bytes: t_Slice u8)
     : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
-      Prims.l_True
+      (requires Core.Slice.impl__len #u8 bytes =. sz 4)
       (fun _ -> Prims.l_True)
 
 val deserialize_5_int (bytes: t_Slice u8)
     : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
-      Prims.l_True
+      (requires Core.Slice.impl__len #u8 bytes =. sz 5)
       (fun _ -> Prims.l_True)
 
 val serialize_10_int (v: t_Slice i16)
-    : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (u8 & u8 & u8 & u8 & u8)
+      (requires Core.Slice.impl__len #i16 v =. sz 4)
+      (fun _ -> Prims.l_True)
 
 val serialize_11_int (v: t_Slice i16)
     : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8)
-      Prims.l_True
+      (requires Core.Slice.impl__len #i16 v =. sz 8)
       (fun _ -> Prims.l_True)
 
 val serialize_12_int (v: t_Slice i16)
-    : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (u8 & u8 & u8)
+      (requires Core.Slice.impl__len #i16 v =. sz 2)
+      (fun _ -> Prims.l_True)
 
 val serialize_4_int (v: t_Slice i16)
-    : Prims.Pure (u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (u8 & u8 & u8 & u8)
+      (requires Core.Slice.impl__len #i16 v =. sz 8)
+      (fun _ -> Prims.l_True)
 
 val serialize_5_int (v: t_Slice i16)
-    : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (u8 & u8 & u8 & u8 & u8)
+      (requires Core.Slice.impl__len #i16 v =. sz 8)
+      (fun _ -> Prims.l_True)
 
-val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_11_ (bytes: t_Slice u8)
+    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (requires Core.Slice.impl__len #u8 bytes =. sz 22)
+      (fun _ -> Prims.l_True)
 
-val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_5_ (bytes: t_Slice u8)
+    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (requires Core.Slice.impl__len #u8 bytes =. sz 10)
+      (fun _ -> Prims.l_True)
 
 val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
 
-val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-    : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
-
 val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
     : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
 
 val deserialize_1_ (v: t_Slice u8)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
+      (requires Core.Slice.impl__len #u8 v =. sz 2)
       (fun _ -> Prims.l_True)
 
+val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma
+  (ensures bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8)
+
+val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma
+  (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_1_ inputs).f_elements i) 1)
+
 val deserialize_10_ (bytes: t_Slice u8)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
+      (requires Core.Slice.impl__len #u8 bytes =. sz 20)
       (fun _ -> Prims.l_True)
 
-val deserialize_11_ (bytes: t_Slice u8)
-    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma
+  (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8)
+
+val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma
+  (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10)
 
 val deserialize_12_ (bytes: t_Slice u8)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
+      (requires Core.Slice.impl__len #u8 bytes =. sz 24)
       (fun _ -> Prims.l_True)
 
+val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma
+  (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8)
+
+val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma
+  (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12)
+
 val deserialize_4_ (bytes: t_Slice u8)
     : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
+      (requires Core.Slice.impl__len #u8 bytes =. sz 8)
       (fun _ -> Prims.l_True)
 
-val deserialize_5_ (bytes: t_Slice u8)
-    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-      Prims.l_True
-      (fun _ -> Prims.l_True)
+val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma
+  (ensures bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8)
+
+val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma
+  (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_4_ inputs).f_elements i) 4)
+
+val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+  (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) 
+  (ensures bit_vec_of_int_t_array (serialize_1_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1)
+
+val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+  (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) 
+  (ensures bit_vec_of_int_t_array (serialize_10_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10)
+
+val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+  (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12)) 
+  (ensures bit_vec_of_int_t_array (serialize_12_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12)
+
+val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+  (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) 
+  (ensures bit_vec_of_int_t_array (serialize_4_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst
index 962c322cf..70c80f4e5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Portable.Vector_type
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -25,5 +25,17 @@ let from_i16_array (array: t_Slice i16) =
 
 let to_i16_array (x: t_PortableVector) = x.f_elements
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Core.Clone.t_Clone t_PortableVector
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Marker.t_Copy t_PortableVector
+
+let impl_1 = impl_1'
+
 let zero (_: Prims.unit) =
   { f_elements = Rust_primitives.Hax.repeat 0s (sz 16) } <: t_PortableVector
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti
index 4c354edf7..0d4b6268a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti
@@ -1,14 +1,36 @@
 module Libcrux_ml_kem.Vector.Portable.Vector_type
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
 type t_PortableVector = { f_elements:t_Array i16 (sz 16) }
 
 val from_i16_array (array: t_Slice i16)
-    : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure t_PortableVector
+      (requires (Core.Slice.impl__len #i16 array <: usize) =. sz 16)
+      (ensures
+        fun result ->
+          let result:t_PortableVector = result in
+          result.f_elements == array)
 
 val to_i16_array (x: t_PortableVector)
-    : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (t_Array i16 (sz 16))
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_Array i16 (sz 16) = result in
+          result == x.f_elements)
 
-val zero: Prims.unit -> Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_PortableVector
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_PortableVector
+
+val zero: Prims.unit
+  -> Prims.Pure t_PortableVector
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:t_PortableVector = result in
+          result.f_elements == Seq.create 16 0s)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst
new file mode 100644
index 000000000..7c018d9cf
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst
@@ -0,0 +1,673 @@
+module Libcrux_ml_kem.Vector.Portable
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_kem.Vector.Portable.Vector_type in
+  let open Libcrux_ml_kem.Vector.Traits in
+  ()
+
+let deserialize_11_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a
+
+let deserialize_5_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a
+
+let serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a
+
+let serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_kem.Vector.Traits.t_Repr
+Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  {
+    _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve;
+    _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve;
+    f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
+    f_repr_post
+    =
+    (fun
+        (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: t_Array i16 (sz 16))
+        ->
+        true);
+    f_repr
+    =
+    fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+      Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x
+  }
+
+let deserialize_1_ (a: t_Slice u8) =
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma a in
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma a in
+  Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a
+
+let deserialize_10_ (a: t_Slice u8) =
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma a in
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma a in
+  Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a
+
+let deserialize_12_ (a: t_Slice u8) =
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma a in
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma a in
+  Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a
+
+let deserialize_4_ (a: t_Slice u8) =
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma a in
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma a in
+  Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a
+
+let serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 1) in
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma a in
+  Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a
+
+let serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma a in
+  Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a
+
+let serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma a in
+  Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a
+
+let serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+  let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 4) in
+  let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma a in
+  Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a
+
+#push-options "--z3rlimit 400 --split_queries always"
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations
+Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+  {
+    _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve;
+    _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve;
+    _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve;
+    f_ZERO_pre = (fun (_: Prims.unit) -> true);
+    f_ZERO_post
+    =
+    (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        impl.f_repr out == Seq.create 16 0s);
+    f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Portable.Vector_type.zero ());
+    f_from_i16_array_pre
+    =
+    (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16);
+    f_from_i16_array_post
+    =
+    (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        impl.f_repr out == array);
+    f_from_i16_array
+    =
+    (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Portable.Vector_type.from_i16_array array);
+    f_to_i16_array_pre
+    =
+    (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
+    f_to_i16_array_post
+    =
+    (fun
+        (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: t_Array i16 (sz 16))
+        ->
+        out == impl.f_repr x);
+    f_to_i16_array
+    =
+    (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x);
+    f_add_pre
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        forall i.
+          i < 16 ==>
+          Spec.Utils.is_intb (pow2 15 - 1)
+            (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i)));
+    f_add_post
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        forall i.
+          i < 16 ==>
+          (v (Seq.index result.f_elements i) ==
+            v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i)));
+    f_add
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Libcrux_ml_kem.Vector.Portable.Arithmetic.add lhs rhs);
+    f_sub_pre
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        forall i.
+          i < 16 ==>
+          Spec.Utils.is_intb (pow2 15 - 1)
+            (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i)));
+    f_sub_post
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        forall i.
+          i < 16 ==>
+          (v (Seq.index result.f_elements i) ==
+            v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i)));
+    f_sub
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Libcrux_ml_kem.Vector.Portable.Arithmetic.sub lhs rhs);
+    f_multiply_by_constant_pre
+    =
+    (fun (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) ->
+        forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c)
+    );
+    f_multiply_by_constant_post
+    =
+    (fun
+        (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (c: i16)
+        (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        forall i.
+          i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c));
+    f_multiply_by_constant
+    =
+    (fun (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) ->
+        Libcrux_ml_kem.Vector.Portable.Arithmetic.multiply_by_constant vec c);
+    f_bitwise_and_with_constant_pre
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true);
+    f_bitwise_and_with_constant_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (c: i16)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr v));
+    f_bitwise_and_with_constant
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) ->
+        Libcrux_ml_kem.Vector.Portable.Arithmetic.bitwise_and_with_constant v c);
+    f_shift_right_pre
+    =
+    (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l);
+    f_shift_right_post
+    =
+    (fun
+        (v_SHIFT_BY: i32)
+        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==>
+        impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (impl.f_repr v));
+    f_shift_right
+    =
+    (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Libcrux_ml_kem.Vector.Portable.Arithmetic.shift_right v_SHIFT_BY v);
+    f_cond_subtract_3329_pre
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr v));
+    f_cond_subtract_3329_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        impl.f_repr out ==
+        Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr v));
+    f_cond_subtract_3329_
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Libcrux_ml_kem.Vector.Portable.Arithmetic.cond_subtract_3329_ v);
+    f_barrett_reduce_pre
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Spec.Utils.is_i16b_array 28296 (impl.f_repr v));
+    f_barrett_reduce_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        true);
+    f_barrett_reduce
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce v);
+    f_montgomery_multiply_by_constant_pre
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) ->
+        Spec.Utils.is_i16b 1664 r);
+    f_montgomery_multiply_by_constant_post
+    =
+    (fun
+        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (r: i16)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        true);
+    f_montgomery_multiply_by_constant
+    =
+    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) ->
+        Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_by_constant v r);
+    f_compress_1_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        forall (i: nat).
+          i < 16 ==> v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329);
+    f_compress_1_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1);
+    f_compress_1_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ a);
+    f_compress_pre
+    =
+    (fun
+        (v_COEFFICIENT_BITS: i32)
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) /\
+        (forall (i: nat).
+            i < 16 ==>
+            v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329));
+    f_compress_post
+    =
+    (fun
+        (v_COEFFICIENT_BITS: i32)
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) ==>
+        (forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS))
+    );
+    f_compress
+    =
+    (fun
+        (v_COEFFICIENT_BITS: i32)
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS a);
+    f_decompress_ciphertext_coefficient_pre
+    =
+    (fun
+        (v_COEFFICIENT_BITS: i32)
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+          v v_COEFFICIENT_BITS == 11) /\
+        (forall (i: nat).
+            i < 16 ==>
+            v (Seq.index (impl.f_repr a) i) >= 0 /\
+            v (Seq.index (impl.f_repr a) i) < pow2 (v v_COEFFICIENT_BITS)));
+    f_decompress_ciphertext_coefficient_post
+    =
+    (fun
+        (v_COEFFICIENT_BITS: i32)
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        true);
+    f_decompress_ciphertext_coefficient
+    =
+    (fun
+        (v_COEFFICIENT_BITS: i32)
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Libcrux_ml_kem.Vector.Portable.Compress.decompress_ciphertext_coefficient v_COEFFICIENT_BITS
+          a);
+    f_ntt_layer_1_step_pre
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr a));
+    f_ntt_layer_1_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Spec.Utils.is_i16b_array (11207 + 6 * 3328) (impl.f_repr out));
+    f_ntt_layer_1_step
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        ->
+        Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_1_step a zeta0 zeta1 zeta2 zeta3);
+    f_ntt_layer_2_step_pre
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr a));
+    f_ntt_layer_2_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr out));
+    f_ntt_layer_2_step
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        ->
+        Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_2_step a zeta0 zeta1);
+    f_ntt_layer_3_step_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) ->
+        Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (impl.f_repr a));
+    f_ntt_layer_3_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta: i16)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr out));
+    f_ntt_layer_3_step
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) ->
+        Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_3_step a zeta);
+    f_inv_ntt_layer_1_step_pre
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array (4 * 3328) (impl.f_repr a));
+    f_inv_ntt_layer_1_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr out));
+    f_inv_ntt_layer_1_step
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        ->
+        Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_1_step a zeta0 zeta1 zeta2 zeta3);
+    f_inv_ntt_layer_2_step_pre
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr a));
+    f_inv_ntt_layer_2_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr out));
+    f_inv_ntt_layer_2_step
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        ->
+        Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_2_step a zeta0 zeta1);
+    f_inv_ntt_layer_3_step_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) ->
+        Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr a));
+    f_inv_ntt_layer_3_step_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta: i16)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr out));
+    f_inv_ntt_layer_3_step
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) ->
+        Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_3_step a zeta);
+    f_ntt_multiply_pre
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        ->
+        Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+        Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr lhs) /\
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr rhs));
+    f_ntt_multiply_post
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        ->
+        Spec.Utils.is_i16b_array 3328 (impl.f_repr out));
+    f_ntt_multiply
+    =
+    (fun
+        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (zeta0: i16)
+        (zeta1: i16)
+        (zeta2: i16)
+        (zeta3: i16)
+        ->
+        Libcrux_ml_kem.Vector.Portable.Ntt.ntt_multiply lhs rhs zeta0 zeta1 zeta2 zeta3);
+    f_serialize_1_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Spec.MLKEM.serialize_pre 1 (impl.f_repr a));
+    f_serialize_1_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: t_Array u8 (sz 2))
+        ->
+        Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==>
+        Spec.MLKEM.serialize_post 1 (impl.f_repr a) out);
+    f_serialize_1_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_1_ a);
+    f_deserialize_1_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 2);
+    f_deserialize_1_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out));
+    f_deserialize_1_ = (fun (a: t_Slice u8) -> deserialize_1_ a);
+    f_serialize_4_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Spec.MLKEM.serialize_pre 4 (impl.f_repr a));
+    f_serialize_4_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: t_Array u8 (sz 8))
+        ->
+        Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==>
+        Spec.MLKEM.serialize_post 4 (impl.f_repr a) out);
+    f_serialize_4_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_4_ a);
+    f_deserialize_4_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 8);
+    f_deserialize_4_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out));
+    f_deserialize_4_ = (fun (a: t_Slice u8) -> deserialize_4_ a);
+    f_serialize_5_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
+    f_serialize_5_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: t_Array u8 (sz 10))
+        ->
+        true);
+    f_serialize_5_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_5_ a);
+    f_deserialize_5_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 10);
+    f_deserialize_5_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
+    f_deserialize_5_ = (fun (a: t_Slice u8) -> deserialize_5_ a);
+    f_serialize_10_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Spec.MLKEM.serialize_pre 10 (impl.f_repr a));
+    f_serialize_10_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: t_Array u8 (sz 20))
+        ->
+        Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==>
+        Spec.MLKEM.serialize_post 10 (impl.f_repr a) out);
+    f_serialize_10_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_10_ a);
+    f_deserialize_10_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 20);
+    f_deserialize_10_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out));
+    f_deserialize_10_ = (fun (a: t_Slice u8) -> deserialize_10_ a);
+    f_serialize_11_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
+    f_serialize_11_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: t_Array u8 (sz 22))
+        ->
+        true);
+    f_serialize_11_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_11_ a);
+    f_deserialize_11_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 22);
+    f_deserialize_11_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
+    f_deserialize_11_ = (fun (a: t_Slice u8) -> deserialize_11_ a);
+    f_serialize_12_pre
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        Spec.MLKEM.serialize_pre 12 (impl.f_repr a));
+    f_serialize_12_post
+    =
+    (fun
+        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+        (out: t_Array u8 (sz 24))
+        ->
+        Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==>
+        Spec.MLKEM.serialize_post 12 (impl.f_repr a) out);
+    f_serialize_12_
+    =
+    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_12_ a);
+    f_deserialize_12_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 24);
+    f_deserialize_12_post
+    =
+    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
+        sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out));
+    f_deserialize_12_ = (fun (a: t_Slice u8) -> deserialize_12_ a);
+    f_rej_sample_pre
+    =
+    (fun (a: t_Slice u8) (out: t_Slice i16) ->
+        (Core.Slice.impl__len #u8 a <: usize) =. sz 24 &&
+        (Core.Slice.impl__len #i16 out <: usize) =. sz 16);
+    f_rej_sample_post
+    =
+    (fun (a: t_Slice u8) (out: t_Slice i16) (out_future, result: (t_Slice i16 & usize)) ->
+        Seq.length out_future == Seq.length out /\ v result <= 16);
+    f_rej_sample
+    =
+    fun (a: t_Slice u8) (out: t_Slice i16) ->
+      let tmp0, out1:(t_Slice i16 & usize) =
+        Libcrux_ml_kem.Vector.Portable.Sampling.rej_sample a out
+      in
+      let out:t_Slice i16 = tmp0 in
+      let hax_temp_output:usize = out1 in
+      out, hax_temp_output <: (t_Slice i16 & usize)
+  }
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti
index 164f28caa..c9cf458ce 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Portable
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
@@ -7,545 +7,97 @@ let _ =
   (* This module has implicit dependencies, here we make them explicit. *)
   (* The implicit dependencies arise from typeclasses instances. *)
   let open Libcrux_ml_kem.Vector.Portable.Vector_type in
+  let open Libcrux_ml_kem.Vector.Traits in
   ()
 
+val deserialize_11_ (a: t_Slice u8)
+    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22)
+      (fun _ -> Prims.l_True)
+
+val deserialize_5_ (a: t_Slice u8)
+    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 10)
+      (fun _ -> Prims.l_True)
+
+val serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Libcrux_ml_kem.Vector.Traits.t_Repr
+Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+
+val deserialize_1_ (a: t_Slice u8)
+    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 2)
+      (ensures
+        fun out ->
+          let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
+          sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out))
+
+val deserialize_10_ (a: t_Slice u8)
+    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 20)
+      (ensures
+        fun out ->
+          let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
+          sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out))
+
+val deserialize_12_ (a: t_Slice u8)
+    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 24)
+      (ensures
+        fun out ->
+          let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
+          sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out))
+
+val deserialize_4_ (a: t_Slice u8)
+    : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+      (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 8)
+      (ensures
+        fun out ->
+          let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
+          sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out))
+
+val serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 2))
+      (requires Spec.MLKEM.serialize_pre 1 (impl.f_repr a))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 2) = out in
+          Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==>
+          Spec.MLKEM.serialize_post 1 (impl.f_repr a) out)
+
+val serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 20))
+      (requires Spec.MLKEM.serialize_pre 10 (impl.f_repr a))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 20) = out in
+          Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==>
+          Spec.MLKEM.serialize_post 10 (impl.f_repr a) out)
+
+val serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 24))
+      (requires Spec.MLKEM.serialize_pre 12 (impl.f_repr a))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 24) = out in
+          Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==>
+          Spec.MLKEM.serialize_post 12 (impl.f_repr a) out)
+
+val serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+    : Prims.Pure (t_Array u8 (sz 8))
+      (requires Spec.MLKEM.serialize_pre 4 (impl.f_repr a))
+      (ensures
+        fun out ->
+          let out:t_Array u8 (sz 8) = out in
+          Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==>
+          Spec.MLKEM.serialize_post 4 (impl.f_repr a) out)
+
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl: Libcrux_ml_kem.Vector.Traits.t_Operations
-Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
-  {
-    _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve;
-    _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve;
-    f_ZERO_pre = (fun (_: Prims.unit) -> true);
-    f_ZERO_post
-    =
-    (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Portable.Vector_type.zero ());
-    f_from_i16_array_pre = (fun (array: t_Slice i16) -> true);
-    f_from_i16_array_post
-    =
-    (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        true);
-    f_from_i16_array
-    =
-    (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Portable.Vector_type.from_i16_array array);
-    f_to_i16_array_pre
-    =
-    (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_to_i16_array_post
-    =
-    (fun
-        (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: t_Array i16 (sz 16))
-        ->
-        true);
-    f_to_i16_array
-    =
-    (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x);
-    f_add_pre
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_add_post
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_add
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        Libcrux_ml_kem.Vector.Portable.Arithmetic.add lhs rhs);
-    f_sub_pre
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_sub_post
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_sub
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        Libcrux_ml_kem.Vector.Portable.Arithmetic.sub lhs rhs);
-    f_multiply_by_constant_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true);
-    f_multiply_by_constant_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (c: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_multiply_by_constant
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) ->
-        Libcrux_ml_kem.Vector.Portable.Arithmetic.multiply_by_constant v c);
-    f_bitwise_and_with_constant_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true);
-    f_bitwise_and_with_constant_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (c: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_bitwise_and_with_constant
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) ->
-        Libcrux_ml_kem.Vector.Portable.Arithmetic.bitwise_and_with_constant v c);
-    f_shift_right_pre
-    =
-    (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_shift_right_post
-    =
-    (fun
-        (v_SHIFT_BY: i32)
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_shift_right
-    =
-    (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Arithmetic.shift_right v_SHIFT_BY v);
-    f_cond_subtract_3329_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_cond_subtract_3329_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_cond_subtract_3329_
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Arithmetic.cond_subtract_3329_ v);
-    f_barrett_reduce_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_barrett_reduce_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_barrett_reduce
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce v);
-    f_montgomery_multiply_by_constant_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) -> true);
-    f_montgomery_multiply_by_constant_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (r: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_montgomery_multiply_by_constant
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) ->
-        Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_by_constant v r);
-    f_compress_1_pre
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_compress_1_post
-    =
-    (fun
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_compress_1_
-    =
-    (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ v);
-    f_compress_pre
-    =
-    (fun
-        (v_COEFFICIENT_BITS: i32)
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_compress_post
-    =
-    (fun
-        (v_COEFFICIENT_BITS: i32)
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_compress
-    =
-    (fun
-        (v_COEFFICIENT_BITS: i32)
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS v);
-    f_decompress_ciphertext_coefficient_pre
-    =
-    (fun
-        (v_COEFFICIENT_BITS: i32)
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_decompress_ciphertext_coefficient_post
-    =
-    (fun
-        (v_COEFFICIENT_BITS: i32)
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_decompress_ciphertext_coefficient
-    =
-    (fun
-        (v_COEFFICIENT_BITS: i32)
-        (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        Libcrux_ml_kem.Vector.Portable.Compress.decompress_ciphertext_coefficient v_COEFFICIENT_BITS
-          v);
-    f_ntt_layer_1_step_pre
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        ->
-        true);
-    f_ntt_layer_1_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_ntt_layer_1_step
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        ->
-        Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_1_step a zeta0 zeta1 zeta2 zeta3);
-    f_ntt_layer_2_step_pre
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        ->
-        true);
-    f_ntt_layer_2_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_ntt_layer_2_step
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        ->
-        Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_2_step a zeta0 zeta1);
-    f_ntt_layer_3_step_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true);
-    f_ntt_layer_3_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_ntt_layer_3_step
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) ->
-        Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_3_step a zeta);
-    f_inv_ntt_layer_1_step_pre
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        ->
-        true);
-    f_inv_ntt_layer_1_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_inv_ntt_layer_1_step
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        ->
-        Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_1_step a zeta0 zeta1 zeta2 zeta3);
-    f_inv_ntt_layer_2_step_pre
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        ->
-        true);
-    f_inv_ntt_layer_2_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_inv_ntt_layer_2_step
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        ->
-        Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_2_step a zeta0 zeta1);
-    f_inv_ntt_layer_3_step_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true);
-    f_inv_ntt_layer_3_step_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_inv_ntt_layer_3_step
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) ->
-        Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_3_step a zeta);
-    f_ntt_multiply_pre
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        ->
-        true);
-    f_ntt_multiply_post
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        ->
-        true);
-    f_ntt_multiply
-    =
-    (fun
-        (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (zeta0: i16)
-        (zeta1: i16)
-        (zeta2: i16)
-        (zeta3: i16)
-        ->
-        Libcrux_ml_kem.Vector.Portable.Ntt.ntt_multiply lhs rhs zeta0 zeta1 zeta2 zeta3);
-    f_serialize_1_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_serialize_1_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: t_Array u8 (sz 2))
-        ->
-        true);
-    f_serialize_1_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a);
-    f_deserialize_1_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_1_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_deserialize_1_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a);
-    f_serialize_4_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_serialize_4_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: t_Array u8 (sz 8))
-        ->
-        true);
-    f_serialize_4_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a);
-    f_deserialize_4_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_4_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_deserialize_4_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a);
-    f_serialize_5_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_serialize_5_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: t_Array u8 (sz 10))
-        ->
-        true);
-    f_serialize_5_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a);
-    f_deserialize_5_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_5_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_deserialize_5_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a);
-    f_serialize_10_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_serialize_10_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: t_Array u8 (sz 20))
-        ->
-        true);
-    f_serialize_10_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a);
-    f_deserialize_10_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_10_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_deserialize_10_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a);
-    f_serialize_11_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_serialize_11_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: t_Array u8 (sz 22))
-        ->
-        true);
-    f_serialize_11_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a);
-    f_deserialize_11_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_11_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_deserialize_11_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a);
-    f_serialize_12_pre
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_serialize_12_post
-    =
-    (fun
-        (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
-        (out: t_Array u8 (sz 24))
-        ->
-        true);
-    f_serialize_12_
-    =
-    (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) ->
-        Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a);
-    f_deserialize_12_pre = (fun (a: t_Slice u8) -> true);
-    f_deserialize_12_post
-    =
-    (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true);
-    f_deserialize_12_
-    =
-    (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a);
-    f_rej_sample_pre = (fun (a: t_Slice u8) (out: t_Slice i16) -> true);
-    f_rej_sample_post
-    =
-    (fun (a: t_Slice u8) (out: t_Slice i16) (out2: (t_Slice i16 & usize)) -> true);
-    f_rej_sample
-    =
-    fun (a: t_Slice u8) (out: t_Slice i16) ->
-      let tmp0, out1:(t_Slice i16 & usize) =
-        Libcrux_ml_kem.Vector.Portable.Sampling.rej_sample a out
-      in
-      let out:t_Slice i16 = tmp0 in
-      let hax_temp_output:usize = out1 in
-      out, hax_temp_output <: (t_Slice i16 & usize)
-  }
+val impl_1:Libcrux_ml_kem.Vector.Traits.t_Operations
+Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti
index ce3906fea..3d4f6be0a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Rej_sample_table
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst
index e52e5813d..69e93a949 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst
@@ -1,22 +1,40 @@
 module Libcrux_ml_kem.Vector.Traits
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+#push-options "--z3rlimit 200 --split_queries always"
+
 let decompress_1_
       (#v_T: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T)
-      (v: v_T)
+      (vec: v_T)
      =
-  f_bitwise_and_with_constant #v_T
-    #FStar.Tactics.Typeclasses.solve
-    (f_sub #v_T
-        #FStar.Tactics.Typeclasses.solve
-        (f_ZERO #v_T #FStar.Tactics.Typeclasses.solve () <: v_T)
-        v
-      <:
-      v_T)
-    1665s
+  let z:v_T = f_ZERO #v_T #FStar.Tactics.Typeclasses.solve () in
+  let _:Prims.unit =
+    assert (forall i. Seq.index (i1._super_8706949974463268012.f_repr z) i == 0s)
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          let x = Seq.index (i1._super_8706949974463268012.f_repr vec) i in
+          ((0 - v x) == 0 \/ (0 - v x) == - 1))
+  in
+  let _:Prims.unit =
+    assert (forall i.
+          i < 16 ==>
+          Spec.Utils.is_intb (pow2 15 - 1)
+            (0 - v (Seq.index (i1._super_8706949974463268012.f_repr vec) i)))
+  in
+  let s:v_T = f_sub #v_T #FStar.Tactics.Typeclasses.solve z vec in
+  let _:Prims.unit =
+    assert (forall i.
+          Seq.index (i1._super_8706949974463268012.f_repr s) i == 0s \/
+          Seq.index (i1._super_8706949974463268012.f_repr s) i == (-1s))
+  in
+  let _:Prims.unit = assert (i1.f_bitwise_and_with_constant_pre s 1665s) in
+  f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve s 1665s
+
+#pop-options
 
 let montgomery_multiply_fe
       (#v_T: Type0)
@@ -35,6 +53,8 @@ let to_standard_domain
     v
     v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS
 
+#push-options "--admit_smt_queries true"
+
 let to_unsigned_representative
       (#v_T: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T)
@@ -45,3 +65,5 @@ let to_unsigned_representative
     f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve t v_FIELD_MODULUS
   in
   f_add #v_T #FStar.Tactics.Typeclasses.solve a fm
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti
index c5dbe6258..21e6d6a50 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti
@@ -1,142 +1,327 @@
 module Libcrux_ml_kem.Vector.Traits
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 
+class t_Repr (v_Self: Type0) = {
+  [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self;
+  [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self;
+  f_repr_pre:x: v_Self -> pred: Type0{true ==> pred};
+  f_repr_post:v_Self -> t_Array i16 (sz 16) -> Type0;
+  f_repr:x0: v_Self
+    -> Prims.Pure (t_Array i16 (sz 16)) (f_repr_pre x0) (fun result -> f_repr_post x0 result)
+}
+
 class t_Operations (v_Self: Type0) = {
   [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self;
   [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self;
-  f_ZERO_pre:Prims.unit -> Type0;
-  f_ZERO_post:Prims.unit -> v_Self -> Type0;
+  [@@@ FStar.Tactics.Typeclasses.no_method]_super_8706949974463268012:t_Repr v_Self;
+  f_ZERO_pre:x: Prims.unit
+    -> pred:
+      Type0
+        { (let _:Prims.unit = x in
+            true) ==>
+          pred };
+  f_ZERO_post:x: Prims.unit -> result: v_Self
+    -> pred:
+      Type0
+        { pred ==>
+          (let _:Prims.unit = x in
+            f_repr result == Seq.create 16 0s) };
   f_ZERO:x0: Prims.unit -> Prims.Pure v_Self (f_ZERO_pre x0) (fun result -> f_ZERO_post x0 result);
-  f_from_i16_array_pre:t_Slice i16 -> Type0;
-  f_from_i16_array_post:t_Slice i16 -> v_Self -> Type0;
+  f_from_i16_array_pre:array: t_Slice i16
+    -> pred: Type0{(Core.Slice.impl__len #i16 array <: usize) =. sz 16 ==> pred};
+  f_from_i16_array_post:array: t_Slice i16 -> result: v_Self
+    -> pred: Type0{pred ==> f_repr result == array};
   f_from_i16_array:x0: t_Slice i16
     -> Prims.Pure v_Self (f_from_i16_array_pre x0) (fun result -> f_from_i16_array_post x0 result);
-  f_to_i16_array_pre:v_Self -> Type0;
-  f_to_i16_array_post:v_Self -> t_Array i16 (sz 16) -> Type0;
+  f_to_i16_array_pre:x: v_Self -> pred: Type0{true ==> pred};
+  f_to_i16_array_post:x: v_Self -> result: t_Array i16 (sz 16)
+    -> pred: Type0{pred ==> f_repr x == result};
   f_to_i16_array:x0: v_Self
     -> Prims.Pure (t_Array i16 (sz 16))
         (f_to_i16_array_pre x0)
         (fun result -> f_to_i16_array_post x0 result);
-  f_add_pre:v_Self -> v_Self -> Type0;
-  f_add_post:v_Self -> v_Self -> v_Self -> Type0;
+  f_add_pre:lhs: v_Self -> rhs: v_Self
+    -> pred:
+      Type0
+        { (forall i.
+              i < 16 ==>
+              Spec.Utils.is_intb (pow2 15 - 1)
+                (v (Seq.index (f_repr lhs) i) + v (Seq.index (f_repr rhs) i))) ==>
+          pred };
+  f_add_post:lhs: v_Self -> rhs: v_Self -> result: v_Self
+    -> pred:
+      Type0
+        { pred ==>
+          (forall i.
+              i < 16 ==>
+              (v (Seq.index (f_repr result) i) ==
+                v (Seq.index (f_repr lhs) i) + v (Seq.index (f_repr rhs) i))) };
   f_add:x0: v_Self -> x1: v_Self
     -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result);
-  f_sub_pre:v_Self -> v_Self -> Type0;
-  f_sub_post:v_Self -> v_Self -> v_Self -> Type0;
+  f_sub_pre:lhs: v_Self -> rhs: v_Self
+    -> pred:
+      Type0
+        { (forall i.
+              i < 16 ==>
+              Spec.Utils.is_intb (pow2 15 - 1)
+                (v (Seq.index (f_repr lhs) i) - v (Seq.index (f_repr rhs) i))) ==>
+          pred };
+  f_sub_post:lhs: v_Self -> rhs: v_Self -> result: v_Self
+    -> pred:
+      Type0
+        { pred ==>
+          (forall i.
+              i < 16 ==>
+              (v (Seq.index (f_repr result) i) ==
+                v (Seq.index (f_repr lhs) i) - v (Seq.index (f_repr rhs) i))) };
   f_sub:x0: v_Self -> x1: v_Self
     -> Prims.Pure v_Self (f_sub_pre x0 x1) (fun result -> f_sub_post x0 x1 result);
-  f_multiply_by_constant_pre:v_Self -> i16 -> Type0;
-  f_multiply_by_constant_post:v_Self -> i16 -> v_Self -> Type0;
+  f_multiply_by_constant_pre:vec: v_Self -> c: i16
+    -> pred:
+      Type0
+        { (forall i.
+              i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr vec) i) * v c)) ==>
+          pred };
+  f_multiply_by_constant_post:vec: v_Self -> c: i16 -> result: v_Self
+    -> pred:
+      Type0
+        { pred ==>
+          (forall i.
+              i < 16 ==> (v (Seq.index (f_repr result) i) == v (Seq.index (f_repr vec) i) * v c)) };
   f_multiply_by_constant:x0: v_Self -> x1: i16
     -> Prims.Pure v_Self
         (f_multiply_by_constant_pre x0 x1)
         (fun result -> f_multiply_by_constant_post x0 x1 result);
-  f_bitwise_and_with_constant_pre:v_Self -> i16 -> Type0;
-  f_bitwise_and_with_constant_post:v_Self -> i16 -> v_Self -> Type0;
+  f_bitwise_and_with_constant_pre:v: v_Self -> c: i16 -> pred: Type0{true ==> pred};
+  f_bitwise_and_with_constant_post:v: v_Self -> c: i16 -> result: v_Self
+    -> pred: Type0{pred ==> f_repr result == Spec.Utils.map_array (fun x -> x &. c) (f_repr v)};
   f_bitwise_and_with_constant:x0: v_Self -> x1: i16
     -> Prims.Pure v_Self
         (f_bitwise_and_with_constant_pre x0 x1)
         (fun result -> f_bitwise_and_with_constant_post x0 x1 result);
-  f_shift_right_pre:v_SHIFT_BY: i32 -> v_Self -> Type0;
-  f_shift_right_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0;
+  f_shift_right_pre:v_SHIFT_BY: i32 -> v: v_Self
+    -> pred: Type0{v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l ==> pred};
+  f_shift_right_post:v_SHIFT_BY: i32 -> v: v_Self -> result: v_Self
+    -> pred:
+      Type0
+        { pred ==>
+          (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==>
+          f_repr result == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (f_repr v) };
   f_shift_right:v_SHIFT_BY: i32 -> x0: v_Self
     -> Prims.Pure v_Self
         (f_shift_right_pre v_SHIFT_BY x0)
         (fun result -> f_shift_right_post v_SHIFT_BY x0 result);
-  f_cond_subtract_3329_pre:v_Self -> Type0;
-  f_cond_subtract_3329_post:v_Self -> v_Self -> Type0;
+  f_cond_subtract_3329_pre:v: v_Self
+    -> pred: Type0{Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr v) ==> pred};
+  f_cond_subtract_3329_post:v: v_Self -> result: v_Self
+    -> pred:
+      Type0
+        { pred ==>
+          f_repr result ==
+          Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr v) };
   f_cond_subtract_3329_:x0: v_Self
     -> Prims.Pure v_Self
         (f_cond_subtract_3329_pre x0)
         (fun result -> f_cond_subtract_3329_post x0 result);
-  f_barrett_reduce_pre:v_Self -> Type0;
+  f_barrett_reduce_pre:vector: v_Self
+    -> pred: Type0{Spec.Utils.is_i16b_array 28296 (f_repr vector) ==> pred};
   f_barrett_reduce_post:v_Self -> v_Self -> Type0;
   f_barrett_reduce:x0: v_Self
     -> Prims.Pure v_Self (f_barrett_reduce_pre x0) (fun result -> f_barrett_reduce_post x0 result);
-  f_montgomery_multiply_by_constant_pre:v_Self -> i16 -> Type0;
+  f_montgomery_multiply_by_constant_pre:v: v_Self -> c: i16
+    -> pred: Type0{Spec.Utils.is_i16b 1664 c ==> pred};
   f_montgomery_multiply_by_constant_post:v_Self -> i16 -> v_Self -> Type0;
   f_montgomery_multiply_by_constant:x0: v_Self -> x1: i16
     -> Prims.Pure v_Self
         (f_montgomery_multiply_by_constant_pre x0 x1)
         (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result);
-  f_compress_1_pre:v_Self -> Type0;
-  f_compress_1_post:v_Self -> v_Self -> Type0;
+  f_compress_1_pre:a: v_Self
+    -> pred:
+      Type0
+        { (forall (i: nat).
+              i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==>
+          pred };
+  f_compress_1_post:a: v_Self -> result: v_Self
+    -> pred: Type0{pred ==> (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) 1)};
   f_compress_1_:x0: v_Self
     -> Prims.Pure v_Self (f_compress_1_pre x0) (fun result -> f_compress_1_post x0 result);
-  f_compress_pre:v_COEFFICIENT_BITS: i32 -> v_Self -> Type0;
-  f_compress_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0;
+  f_compress_pre:v_COEFFICIENT_BITS: i32 -> a: v_Self
+    -> pred:
+      Type0
+        { (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+            v v_COEFFICIENT_BITS == 11) /\
+          (forall (i: nat).
+              i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==>
+          pred };
+  f_compress_post:v_COEFFICIENT_BITS: i32 -> a: v_Self -> result: v_Self
+    -> pred:
+      Type0
+        { pred ==>
+          (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+            v v_COEFFICIENT_BITS == 11) ==>
+          (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) (v v_COEFFICIENT_BITS))
+        };
   f_compress:v_COEFFICIENT_BITS: i32 -> x0: v_Self
     -> Prims.Pure v_Self
         (f_compress_pre v_COEFFICIENT_BITS x0)
         (fun result -> f_compress_post v_COEFFICIENT_BITS x0 result);
-  f_decompress_ciphertext_coefficient_pre:v_COEFFICIENT_BITS: i32 -> v_Self -> Type0;
+  f_decompress_ciphertext_coefficient_pre:v_COEFFICIENT_BITS: i32 -> a: v_Self
+    -> pred:
+      Type0
+        { (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+            v v_COEFFICIENT_BITS == 11) /\
+          (forall (i: nat).
+              i < 16 ==>
+              v (Seq.index (f_repr a) i) >= 0 /\
+              v (Seq.index (f_repr a) i) < pow2 (v v_COEFFICIENT_BITS)) ==>
+          pred };
   f_decompress_ciphertext_coefficient_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0;
   f_decompress_ciphertext_coefficient:v_COEFFICIENT_BITS: i32 -> x0: v_Self
     -> Prims.Pure v_Self
         (f_decompress_ciphertext_coefficient_pre v_COEFFICIENT_BITS x0)
         (fun result -> f_decompress_ciphertext_coefficient_post v_COEFFICIENT_BITS x0 result);
-  f_ntt_layer_1_step_pre:v_Self -> i16 -> i16 -> i16 -> i16 -> Type0;
-  f_ntt_layer_1_step_post:v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0;
+  f_ntt_layer_1_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 -> zeta2: i16 -> zeta3: i16
+    -> pred:
+      Type0
+        { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+          Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+          Spec.Utils.is_i16b_array (11207 + 5 * 3328) (f_repr a) ==>
+          pred };
+  f_ntt_layer_1_step_post:
+      a: v_Self ->
+      zeta0: i16 ->
+      zeta1: i16 ->
+      zeta2: i16 ->
+      zeta3: i16 ->
+      out: v_Self
+    -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 6 * 3328) (f_repr out)};
   f_ntt_layer_1_step:x0: v_Self -> x1: i16 -> x2: i16 -> x3: i16 -> x4: i16
     -> Prims.Pure v_Self
         (f_ntt_layer_1_step_pre x0 x1 x2 x3 x4)
         (fun result -> f_ntt_layer_1_step_post x0 x1 x2 x3 x4 result);
-  f_ntt_layer_2_step_pre:v_Self -> i16 -> i16 -> Type0;
-  f_ntt_layer_2_step_post:v_Self -> i16 -> i16 -> v_Self -> Type0;
+  f_ntt_layer_2_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16
+    -> pred:
+      Type0
+        { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+          Spec.Utils.is_i16b_array (11207 + 4 * 3328) (f_repr a) ==>
+          pred };
+  f_ntt_layer_2_step_post:a: v_Self -> zeta0: i16 -> zeta1: i16 -> out: v_Self
+    -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 5 * 3328) (f_repr out)};
   f_ntt_layer_2_step:x0: v_Self -> x1: i16 -> x2: i16
     -> Prims.Pure v_Self
         (f_ntt_layer_2_step_pre x0 x1 x2)
         (fun result -> f_ntt_layer_2_step_post x0 x1 x2 result);
-  f_ntt_layer_3_step_pre:v_Self -> i16 -> Type0;
-  f_ntt_layer_3_step_post:v_Self -> i16 -> v_Self -> Type0;
+  f_ntt_layer_3_step_pre:a: v_Self -> zeta: i16
+    -> pred:
+      Type0
+        { Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (f_repr a) ==>
+          pred };
+  f_ntt_layer_3_step_post:a: v_Self -> zeta: i16 -> out: v_Self
+    -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 4 * 3328) (f_repr out)};
   f_ntt_layer_3_step:x0: v_Self -> x1: i16
     -> Prims.Pure v_Self
         (f_ntt_layer_3_step_pre x0 x1)
         (fun result -> f_ntt_layer_3_step_post x0 x1 result);
-  f_inv_ntt_layer_1_step_pre:v_Self -> i16 -> i16 -> i16 -> i16 -> Type0;
-  f_inv_ntt_layer_1_step_post:v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0;
+  f_inv_ntt_layer_1_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 -> zeta2: i16 -> zeta3: i16
+    -> pred:
+      Type0
+        { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+          Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+          Spec.Utils.is_i16b_array (4 * 3328) (f_repr a) ==>
+          pred };
+  f_inv_ntt_layer_1_step_post:
+      a: v_Self ->
+      zeta0: i16 ->
+      zeta1: i16 ->
+      zeta2: i16 ->
+      zeta3: i16 ->
+      out: v_Self
+    -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)};
   f_inv_ntt_layer_1_step:x0: v_Self -> x1: i16 -> x2: i16 -> x3: i16 -> x4: i16
     -> Prims.Pure v_Self
         (f_inv_ntt_layer_1_step_pre x0 x1 x2 x3 x4)
         (fun result -> f_inv_ntt_layer_1_step_post x0 x1 x2 x3 x4 result);
-  f_inv_ntt_layer_2_step_pre:v_Self -> i16 -> i16 -> Type0;
-  f_inv_ntt_layer_2_step_post:v_Self -> i16 -> i16 -> v_Self -> Type0;
+  f_inv_ntt_layer_2_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16
+    -> pred:
+      Type0
+        { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+          Spec.Utils.is_i16b_array 3328 (f_repr a) ==>
+          pred };
+  f_inv_ntt_layer_2_step_post:a: v_Self -> zeta0: i16 -> zeta1: i16 -> out: v_Self
+    -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)};
   f_inv_ntt_layer_2_step:x0: v_Self -> x1: i16 -> x2: i16
     -> Prims.Pure v_Self
         (f_inv_ntt_layer_2_step_pre x0 x1 x2)
         (fun result -> f_inv_ntt_layer_2_step_post x0 x1 x2 result);
-  f_inv_ntt_layer_3_step_pre:v_Self -> i16 -> Type0;
-  f_inv_ntt_layer_3_step_post:v_Self -> i16 -> v_Self -> Type0;
+  f_inv_ntt_layer_3_step_pre:a: v_Self -> zeta: i16
+    -> pred:
+      Type0{Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (f_repr a) ==> pred};
+  f_inv_ntt_layer_3_step_post:a: v_Self -> zeta: i16 -> out: v_Self
+    -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)};
   f_inv_ntt_layer_3_step:x0: v_Self -> x1: i16
     -> Prims.Pure v_Self
         (f_inv_ntt_layer_3_step_pre x0 x1)
         (fun result -> f_inv_ntt_layer_3_step_post x0 x1 result);
-  f_ntt_multiply_pre:v_Self -> v_Self -> i16 -> i16 -> i16 -> i16 -> Type0;
-  f_ntt_multiply_post:v_Self -> v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0;
+  f_ntt_multiply_pre:
+      lhs: v_Self ->
+      rhs: v_Self ->
+      zeta0: i16 ->
+      zeta1: i16 ->
+      zeta2: i16 ->
+      zeta3: i16
+    -> pred:
+      Type0
+        { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+          Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+          Spec.Utils.is_i16b_array 3328 (f_repr lhs) /\ Spec.Utils.is_i16b_array 3328 (f_repr rhs) ==>
+          pred };
+  f_ntt_multiply_post:
+      lhs: v_Self ->
+      rhs: v_Self ->
+      zeta0: i16 ->
+      zeta1: i16 ->
+      zeta2: i16 ->
+      zeta3: i16 ->
+      out: v_Self
+    -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)};
   f_ntt_multiply:x0: v_Self -> x1: v_Self -> x2: i16 -> x3: i16 -> x4: i16 -> x5: i16
     -> Prims.Pure v_Self
         (f_ntt_multiply_pre x0 x1 x2 x3 x4 x5)
         (fun result -> f_ntt_multiply_post x0 x1 x2 x3 x4 x5 result);
-  f_serialize_1_pre:v_Self -> Type0;
-  f_serialize_1_post:v_Self -> t_Array u8 (sz 2) -> Type0;
+  f_serialize_1_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 1 (f_repr a) ==> pred};
+  f_serialize_1_post:a: v_Self -> result: t_Array u8 (sz 2)
+    -> pred:
+      Type0
+        { pred ==>
+          Spec.MLKEM.serialize_pre 1 (f_repr a) ==> Spec.MLKEM.serialize_post 1 (f_repr a) result };
   f_serialize_1_:x0: v_Self
     -> Prims.Pure (t_Array u8 (sz 2))
         (f_serialize_1_pre x0)
         (fun result -> f_serialize_1_post x0 result);
-  f_deserialize_1_pre:t_Slice u8 -> Type0;
-  f_deserialize_1_post:t_Slice u8 -> v_Self -> Type0;
+  f_deserialize_1_pre:a: t_Slice u8
+    -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 2 ==> pred};
+  f_deserialize_1_post:a: t_Slice u8 -> result: v_Self
+    -> pred:
+      Type0{pred ==> sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (f_repr result)};
   f_deserialize_1_:x0: t_Slice u8
     -> Prims.Pure v_Self (f_deserialize_1_pre x0) (fun result -> f_deserialize_1_post x0 result);
-  f_serialize_4_pre:v_Self -> Type0;
-  f_serialize_4_post:v_Self -> t_Array u8 (sz 8) -> Type0;
+  f_serialize_4_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 4 (f_repr a) ==> pred};
+  f_serialize_4_post:a: v_Self -> result: t_Array u8 (sz 8)
+    -> pred:
+      Type0
+        { pred ==>
+          Spec.MLKEM.serialize_pre 4 (f_repr a) ==> Spec.MLKEM.serialize_post 4 (f_repr a) result };
   f_serialize_4_:x0: v_Self
     -> Prims.Pure (t_Array u8 (sz 8))
         (f_serialize_4_pre x0)
         (fun result -> f_serialize_4_post x0 result);
-  f_deserialize_4_pre:t_Slice u8 -> Type0;
-  f_deserialize_4_post:t_Slice u8 -> v_Self -> Type0;
+  f_deserialize_4_pre:a: t_Slice u8
+    -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 8 ==> pred};
+  f_deserialize_4_post:a: t_Slice u8 -> result: v_Self
+    -> pred:
+      Type0{pred ==> sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (f_repr result)};
   f_deserialize_4_:x0: t_Slice u8
     -> Prims.Pure v_Self (f_deserialize_4_pre x0) (fun result -> f_deserialize_4_post x0 result);
   f_serialize_5_pre:v_Self -> Type0;
@@ -145,18 +330,28 @@ class t_Operations (v_Self: Type0) = {
     -> Prims.Pure (t_Array u8 (sz 10))
         (f_serialize_5_pre x0)
         (fun result -> f_serialize_5_post x0 result);
-  f_deserialize_5_pre:t_Slice u8 -> Type0;
+  f_deserialize_5_pre:a: t_Slice u8
+    -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 10 ==> pred};
   f_deserialize_5_post:t_Slice u8 -> v_Self -> Type0;
   f_deserialize_5_:x0: t_Slice u8
     -> Prims.Pure v_Self (f_deserialize_5_pre x0) (fun result -> f_deserialize_5_post x0 result);
-  f_serialize_10_pre:v_Self -> Type0;
-  f_serialize_10_post:v_Self -> t_Array u8 (sz 20) -> Type0;
+  f_serialize_10_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 10 (f_repr a) ==> pred};
+  f_serialize_10_post:a: v_Self -> result: t_Array u8 (sz 20)
+    -> pred:
+      Type0
+        { pred ==>
+          Spec.MLKEM.serialize_pre 10 (f_repr a) ==> Spec.MLKEM.serialize_post 10 (f_repr a) result
+        };
   f_serialize_10_:x0: v_Self
     -> Prims.Pure (t_Array u8 (sz 20))
         (f_serialize_10_pre x0)
         (fun result -> f_serialize_10_post x0 result);
-  f_deserialize_10_pre:t_Slice u8 -> Type0;
-  f_deserialize_10_post:t_Slice u8 -> v_Self -> Type0;
+  f_deserialize_10_pre:a: t_Slice u8
+    -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 20 ==> pred};
+  f_deserialize_10_post:a: t_Slice u8 -> result: v_Self
+    -> pred:
+      Type0
+        {pred ==> sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (f_repr result)};
   f_deserialize_10_:x0: t_Slice u8
     -> Prims.Pure v_Self (f_deserialize_10_pre x0) (fun result -> f_deserialize_10_post x0 result);
   f_serialize_11_pre:v_Self -> Type0;
@@ -165,28 +360,52 @@ class t_Operations (v_Self: Type0) = {
     -> Prims.Pure (t_Array u8 (sz 22))
         (f_serialize_11_pre x0)
         (fun result -> f_serialize_11_post x0 result);
-  f_deserialize_11_pre:t_Slice u8 -> Type0;
+  f_deserialize_11_pre:a: t_Slice u8
+    -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 22 ==> pred};
   f_deserialize_11_post:t_Slice u8 -> v_Self -> Type0;
   f_deserialize_11_:x0: t_Slice u8
     -> Prims.Pure v_Self (f_deserialize_11_pre x0) (fun result -> f_deserialize_11_post x0 result);
-  f_serialize_12_pre:v_Self -> Type0;
-  f_serialize_12_post:v_Self -> t_Array u8 (sz 24) -> Type0;
+  f_serialize_12_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 12 (f_repr a) ==> pred};
+  f_serialize_12_post:a: v_Self -> result: t_Array u8 (sz 24)
+    -> pred:
+      Type0
+        { pred ==>
+          Spec.MLKEM.serialize_pre 12 (f_repr a) ==> Spec.MLKEM.serialize_post 12 (f_repr a) result
+        };
   f_serialize_12_:x0: v_Self
     -> Prims.Pure (t_Array u8 (sz 24))
         (f_serialize_12_pre x0)
         (fun result -> f_serialize_12_post x0 result);
-  f_deserialize_12_pre:t_Slice u8 -> Type0;
-  f_deserialize_12_post:t_Slice u8 -> v_Self -> Type0;
+  f_deserialize_12_pre:a: t_Slice u8
+    -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 24 ==> pred};
+  f_deserialize_12_post:a: t_Slice u8 -> result: v_Self
+    -> pred:
+      Type0
+        {pred ==> sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (f_repr result)};
   f_deserialize_12_:x0: t_Slice u8
     -> Prims.Pure v_Self (f_deserialize_12_pre x0) (fun result -> f_deserialize_12_post x0 result);
-  f_rej_sample_pre:t_Slice u8 -> t_Slice i16 -> Type0;
-  f_rej_sample_post:t_Slice u8 -> t_Slice i16 -> (t_Slice i16 & usize) -> Type0;
+  f_rej_sample_pre:a: t_Slice u8 -> out: t_Slice i16
+    -> pred:
+      Type0
+        { (Core.Slice.impl__len #u8 a <: usize) =. sz 24 &&
+          (Core.Slice.impl__len #i16 out <: usize) =. sz 16 ==>
+          pred };
+  f_rej_sample_post:a: t_Slice u8 -> out: t_Slice i16 -> x: (t_Slice i16 & usize)
+    -> pred:
+      Type0
+        { pred ==>
+          (let out_future, result:(t_Slice i16 & usize) = x in
+            Seq.length out_future == Seq.length out /\ v result <= 16) };
   f_rej_sample:x0: t_Slice u8 -> x1: t_Slice i16
     -> Prims.Pure (t_Slice i16 & usize)
         (f_rej_sample_pre x0 x1)
         (fun result -> f_rej_sample_post x0 x1 result)
 }
 
+let v_BARRETT_SHIFT: i32 = 26l
+
+let v_BARRETT_R: i32 = 1l <<! v_BARRETT_SHIFT
+
 let v_FIELD_ELEMENTS_IN_VECTOR: usize = sz 16
 
 let v_FIELD_MODULUS: i16 = 3329s
@@ -195,14 +414,27 @@ let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u32 = 62209ul
 
 let v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i16 = 1353s
 
-val decompress_1_ (#v_T: Type0) {| i1: t_Operations v_T |} (v: v_T)
-    : Prims.Pure v_T Prims.l_True (fun _ -> Prims.l_True)
+val decompress_1_ (#v_T: Type0) {| i1: t_Operations v_T |} (vec: v_T)
+    : Prims.Pure v_T
+      (requires
+        forall i.
+          let x = Seq.index (i1._super_8706949974463268012.f_repr vec) i in
+          (x == 0s \/ x == 1s))
+      (fun _ -> Prims.l_True)
 
 val montgomery_multiply_fe (#v_T: Type0) {| i1: t_Operations v_T |} (v: v_T) (fer: i16)
-    : Prims.Pure v_T Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure v_T (requires Spec.Utils.is_i16b 1664 fer) (fun _ -> Prims.l_True)
 
 val to_standard_domain (#v_T: Type0) {| i1: t_Operations v_T |} (v: v_T)
     : Prims.Pure v_T Prims.l_True (fun _ -> Prims.l_True)
 
 val to_unsigned_representative (#v_T: Type0) {| i1: t_Operations v_T |} (a: v_T)
-    : Prims.Pure v_T Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure v_T
+      (requires Spec.Utils.is_i16b_array 3328 (i1._super_8706949974463268012.f_repr a))
+      (ensures
+        fun result ->
+          let result:v_T = result in
+          forall i.
+            (let x = Seq.index (i1._super_8706949974463268012.f_repr a) i in
+              let y = Seq.index (i1._super_8706949974463268012.f_repr result) i in
+              (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329))))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/ML.KEM.fst.config.json b/libcrux-ml-kem/proofs/fstar/extraction/ML.KEM.fst.config.json
index bfd5cccba..d7b3a38b6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/ML.KEM.fst.config.json
+++ b/libcrux-ml-kem/proofs/fstar/extraction/ML.KEM.fst.config.json
@@ -14,9 +14,11 @@
     ],
     "include_dirs": [
         "${HACL_HOME}/lib",
+        "${HACL_HOME}/specs",
         "${HAX_HOME}/proof-libs/fstar/rust_primitives",
         "${HAX_HOME}/proof-libs/fstar/core",
         "${HAX_HOME}/hax-lib/proofs/fstar/extraction",
+        "../spec",
         "../../../../sys/platform/proofs/fstar/extraction",
         "../../../../libcrux-sha3/proofs/fstar/extraction",
         "../../../../libcrux-intrinsics/proofs/fstar/extraction"
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
index 747c4a7e3..7865c6d43 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
@@ -1,185 +1,16 @@
-# This is a generically useful Makefile for F* that is self-contained
-#
-# It is tempting to factor this out into multiple Makefiles but that
-# makes it less portable, so resist temptation, or move to a more
-# sophisticated build system.
-#
-# We expect FSTAR_HOME to be set to your FSTAR repo/install directory
-# We expect HACL_HOME to be set to your HACL* repo location
-# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc.
-#
-# ROOTS contains all the top-level F* files you wish to verify
-# The default target `verify` verified ROOTS and its dependencies
-# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line
-#
-#
-# To make F* emacs mode use the settings in this file, you need to
-# add the following lines to your .emacs
-#
-# (setq-default fstar-executable "<YOUR_FSTAR_HOME>/bin/fstar.exe")
-# (setq-default fstar-smt-executable "<YOUR_Z3_HOME>/bin/z3")
-#
-# (defun my-fstar-compute-prover-args-using-make ()
-#   "Construct arguments to pass to F* by calling make."
-#   (with-demoted-errors "Error when constructing arg string: %S"
-#     (let* ((fname (file-name-nondirectory buffer-file-name))
-# 	   (target (concat fname "-in"))
-# 	   (argstr (car (process-lines "make" "--quiet" target))))
-#       (split-string argstr))))
-# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make)
-#
-
-WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/..
-
-HAX_HOME ?= $(WORKSPACE_ROOT)/hax
-HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar
-HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction
-FSTAR_HOME    ?= $(WORKSPACE_ROOT)/FStar
-HACL_HOME     ?= $(WORKSPACE_ROOT)/hacl-star
-FSTAR_BIN     ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe")
-
-CACHE_DIR     ?= .cache
-HINT_DIR      ?= .hints
-
-.PHONY: all verify verify-lax clean
-
-all:
-	rm -f .depend && $(MAKE) .depend
-	$(MAKE) verify
-
-VERIFIED = 
-PANIC_FREE = Libcrux_ml_kem.Constant_time_ops.fst \
-             Libcrux_ml_kem.Constant_time_ops.fsti \
-             Libcrux_ml_kem.Constants.fsti \
-             Libcrux_ml_kem.Hash_functions.Avx2.fsti \
-             Libcrux_ml_kem.Hash_functions.fsti \
-             Libcrux_ml_kem.Hash_functions.Neon.fsti \
-             Libcrux_ml_kem.Hash_functions.Portable.fsti \
-             Libcrux_ml_kem.Ind_cca.fsti \
-             Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst \
-             Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti \
-             Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst \
-             Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti \
-             Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst \
-             Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti \
-             Libcrux_ml_kem.Ind_cca.Multiplexing.fst \
-             Libcrux_ml_kem.Ind_cca.Multiplexing.fsti \
-             Libcrux_ml_kem.Ind_cpa.fsti \
-             Libcrux_ml_kem.Ind_cpa.Unpacked.fsti \
-             Libcrux_ml_kem.Invert_ntt.fsti \
-             Libcrux_ml_kem.Matrix.fsti \
-             Libcrux_ml_kem.Mlkem512.Avx2.fst \
-             Libcrux_ml_kem.Mlkem512.Avx2.fsti \
-             Libcrux_ml_kem.Mlkem512.fst \
-             Libcrux_ml_kem.Mlkem512.fsti \
-             Libcrux_ml_kem.Mlkem512.Neon.fst \
-             Libcrux_ml_kem.Mlkem512.Neon.fsti \
-             Libcrux_ml_kem.Mlkem512.Portable.fst \
-             Libcrux_ml_kem.Mlkem512.Portable.fsti \
-             Libcrux_ml_kem.Mlkem768.Avx2.fst \
-             Libcrux_ml_kem.Mlkem768.Avx2.fsti \
-             Libcrux_ml_kem.Mlkem768.fst \
-             Libcrux_ml_kem.Mlkem768.fsti \
-             Libcrux_ml_kem.Mlkem768.Neon.fst \
-             Libcrux_ml_kem.Mlkem768.Neon.fsti \
-             Libcrux_ml_kem.Mlkem768.Portable.fst \
-             Libcrux_ml_kem.Mlkem768.Portable.fsti \
-             Libcrux_ml_kem.Mlkem1024.Avx2.fst \
-             Libcrux_ml_kem.Mlkem1024.Avx2.fsti \
-             Libcrux_ml_kem.Mlkem1024.fst \
-             Libcrux_ml_kem.Mlkem1024.fsti \
-             Libcrux_ml_kem.Mlkem1024.Neon.fst \
-             Libcrux_ml_kem.Mlkem1024.Neon.fsti \
-             Libcrux_ml_kem.Mlkem1024.Portable.fst \
-             Libcrux_ml_kem.Mlkem1024.Portable.fsti \
-             Libcrux_ml_kem.Ntt.fsti \
-             Libcrux_ml_kem.Polynomial.fsti \
-             Libcrux_ml_kem.Sampling.fsti \
-             Libcrux_ml_kem.Serialize.fsti \
-             Libcrux_ml_kem.Types.fst \
-             Libcrux_ml_kem.Types.fsti \
-             Libcrux_ml_kem.Utils.fst \
-             Libcrux_ml_kem.Utils.fsti \
-             Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti \
-             Libcrux_ml_kem.Vector.Avx2.Compress.fsti \
-             Libcrux_ml_kem.Vector.Avx2.fsti \
-             Libcrux_ml_kem.Vector.Avx2.Ntt.fsti \
-             Libcrux_ml_kem.Vector.Avx2.Sampling.fsti \
-             Libcrux_ml_kem.Vector.Avx2.Serialize.fsti \
-             Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti \
-             Libcrux_ml_kem.Vector.Neon.Compress.fsti \
-             Libcrux_ml_kem.Vector.Neon.fsti \
-             Libcrux_ml_kem.Vector.Neon.Ntt.fsti \
-             Libcrux_ml_kem.Vector.Neon.Serialize.fsti \
-             Libcrux_ml_kem.Vector.Neon.Vector_type.fsti \
-             Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti \
-             Libcrux_ml_kem.Vector.Portable.Compress.fsti \
-             Libcrux_ml_kem.Vector.Portable.fsti \
-             Libcrux_ml_kem.Vector.Portable.Ntt.fsti \
-             Libcrux_ml_kem.Vector.Portable.Sampling.fsti \
-             Libcrux_ml_kem.Vector.Portable.Serialize.fsti \
-             Libcrux_ml_kem.Vector.Portable.Vector_type.fsti \
-             Libcrux_ml_kem.Vector.Rej_sample_table.fsti \
-             Libcrux_ml_kem.Vector.Traits.fsti
-             
-UNVERIFIED = $(filter-out $(PANIC_FREE),$(wildcard *.fst))
-
-VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED)))
-PANIC_FREE_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(PANIC_FREE)))
-UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED)))
-
-# By default, we process all the files in the current directory. Here, we
-# *extend* the set of relevant files with the tests.
-ROOTS = $(UNVERIFIED) $(PANIC_FREE) $(VERIFIED)
-
-FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives \
-	$(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) \
-	../../../../sys/platform/proofs/fstar/extraction/ \
-	../../../../libcrux-intrinsics/proofs/fstar/extraction/ \
-	../../../../libcrux-sha3/proofs/fstar/extraction/
-
-FSTAR_FLAGS = --cmi \
-  --warn_error -331-321-274 \
-  --cache_checked_modules --cache_dir $(CACHE_DIR) \
-  --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \
-  $(addprefix --include ,$(FSTAR_INCLUDE_DIRS))
-
-FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS)
-
-
-.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS)
-	$(info $(ROOTS))
-	$(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@
-
-include .depend
-
-$(HINT_DIR):
-	mkdir -p $@
-
-$(CACHE_DIR):
-	mkdir -p $@
-
-$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true
-$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR)
-	$(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints
-
-verify: $(UNVERIFIED_CHECKED) $(PANIC_FREE_CHECKED) $(VERIFIED_CHECKED)
-
-# Targets for interactive mode
-
-%.fst-in:
-	$(info $(FSTAR_FLAGS) \
-	  $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints)
-
-%.fsti-in:
-	$(info $(FSTAR_FLAGS) \
-	  $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints)
-
-
-# Clean targets
-
-SHELL=/usr/bin/env bash
-
-clean:
-	rm -rf $(CACHE_DIR)/*
-	rm *.fst
+SLOW_MODULES += Libcrux_ml_kem.Vector.Portable.Serialize.fst \
+                Libcrux_ml_kem.Vector.Rej_sample_table.fsti
+
+ADMIT_MODULES = Libcrux_ml_kem.Vector.Neon.Arithmetic.fst \
+              Libcrux_ml_kem.Vector.Neon.Compress.fst \
+              Libcrux_ml_kem.Vector.Neon.fsti \
+              Libcrux_ml_kem.Vector.Neon.fst \
+              Libcrux_ml_kem.Vector.Neon.Ntt.fst \
+              Libcrux_ml_kem.Vector.Neon.Serialize.fst \
+              Libcrux_ml_kem.Vector.Neon.Vector_type.fst
+
+FSTAR_INCLUDE_DIRS_EXTRA += ../spec \
+	      $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec \
+	      $(shell git rev-parse --show-toplevel)/libcrux-intrinsics/proofs/fstar/extraction
+
+include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Makefile b/libcrux-ml-kem/proofs/fstar/spec/Makefile
new file mode 100644
index 000000000..7520f4797
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/spec/Makefile
@@ -0,0 +1,3 @@
+FSTAR_INCLUDE_DIRS_EXTRA += $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec
+
+include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst
new file mode 100644
index 000000000..8a4168dec
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst
@@ -0,0 +1,64 @@
+module Spec.MLKEM.Instances
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 30"
+open FStar.Mul
+open Core
+open Spec.Utils
+open Spec.MLKEM.Math
+open Spec.MLKEM
+
+
+(** MLKEM-768 Instantiation *)
+
+let mlkem768_rank : rank = sz 3
+
+#set-options "--z3rlimit 350"
+let mlkem768_generate_keypair (randomness:t_Array u8 (sz 64)):
+                              (t_Array u8 (sz 2400) & t_Array u8 (sz 1184)) & bool =
+    ind_cca_generate_keypair mlkem768_rank randomness
+
+let mlkem768_encapsulate (public_key: t_Array u8 (sz 1184)) (randomness: t_Array u8 (sz 32)):
+                         (t_Array u8 (sz 1088) & t_Array u8 (sz 32)) & bool =
+    assert (v_CPA_CIPHERTEXT_SIZE mlkem768_rank == sz 1088); 
+    ind_cca_encapsulate mlkem768_rank public_key randomness
+
+let mlkem768_decapsulate (secret_key: t_Array u8 (sz 2400)) (ciphertext: t_Array u8 (sz 1088)):
+                         t_Array u8 (sz 32) & bool =
+    ind_cca_decapsulate mlkem768_rank secret_key ciphertext
+
+(** MLKEM-1024 Instantiation *)
+
+let mlkem1024_rank = sz 4
+
+let mlkem1024_generate_keypair (randomness:t_Array u8 (sz 64)):
+                               (t_Array u8 (sz 3168) & t_Array u8 (sz 1568)) & bool =
+    ind_cca_generate_keypair mlkem1024_rank randomness
+
+let mlkem1024_encapsulate (public_key: t_Array u8 (sz 1568)) (randomness: t_Array u8 (sz 32)):
+                          (t_Array u8 (sz 1568) & t_Array u8 (sz 32)) & bool  =
+    assert (v_CPA_CIPHERTEXT_SIZE mlkem1024_rank == sz 1568);            
+    ind_cca_encapsulate mlkem1024_rank public_key randomness
+
+let mlkem1024_decapsulate (secret_key: t_Array u8 (sz 3168)) (ciphertext: t_Array u8 (sz 1568)):
+                           t_Array u8 (sz 32) & bool =
+    ind_cca_decapsulate mlkem1024_rank secret_key ciphertext
+
+(** MLKEM-512 Instantiation *)
+
+let mlkem512_rank : rank = sz 2
+
+let mlkem512_generate_keypair (randomness:t_Array u8 (sz 64)):
+                              (t_Array u8 (sz 1632) & t_Array u8 (sz 800)) & bool =
+    ind_cca_generate_keypair mlkem512_rank randomness
+
+let mlkem512_encapsulate (public_key: t_Array u8 (sz 800)) (randomness: t_Array u8 (sz 32)):
+                         (t_Array u8 (sz 768) & t_Array u8 (sz 32)) & bool =
+    assert (v_CPA_CIPHERTEXT_SIZE mlkem512_rank == sz 768);            
+    ind_cca_encapsulate mlkem512_rank public_key randomness
+
+
+let mlkem512_decapsulate (secret_key: t_Array u8 (sz 1632)) (ciphertext: t_Array u8 (sz 768)):
+                         t_Array u8 (sz 32) & bool =
+    ind_cca_decapsulate mlkem512_rank secret_key ciphertext
+
+    
+
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst
new file mode 100644
index 000000000..dc97bb645
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst
@@ -0,0 +1,299 @@
+module Spec.MLKEM.Math
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+
+open FStar.Mul
+open Core
+open Spec.Utils
+
+let v_FIELD_MODULUS: i32 = 3329l
+let is_rank (r:usize) = v r == 2 \/ v r == 3 \/ v r == 4
+
+type rank = r:usize{is_rank r}
+
+(** MLKEM Math and Sampling *)
+
+type field_element = n:nat{n < v v_FIELD_MODULUS}
+type polynomial = t_Array field_element (sz 256)
+type vector (r:rank) = t_Array polynomial r
+type matrix (r:rank) = t_Array (vector r) r
+
+val field_add: field_element -> field_element -> field_element
+let field_add a b = (a + b) % v v_FIELD_MODULUS
+
+val field_sub: field_element -> field_element -> field_element
+let field_sub a b = (a - b) % v v_FIELD_MODULUS
+
+val field_neg: field_element -> field_element
+let field_neg a = (0 - a) % v v_FIELD_MODULUS
+
+val field_mul: field_element -> field_element -> field_element
+let field_mul a b = (a * b) % v v_FIELD_MODULUS
+
+val poly_add: polynomial -> polynomial -> polynomial
+let poly_add a b = map2 field_add a b
+
+val poly_sub: polynomial -> polynomial -> polynomial
+let poly_sub a b = map2 field_sub a b
+
+let int_to_spec_fe (m:int) : field_element = 
+    let m_v = m % v v_FIELD_MODULUS in
+    assert (m_v > -  v v_FIELD_MODULUS);
+    if m_v < 0 then
+      m_v + v v_FIELD_MODULUS
+    else m_v
+
+(* Convert concrete code types to spec types *)
+
+let to_spec_fe (m:i16) : field_element = 
+    int_to_spec_fe (v m)
+
+let to_spec_array #len (m:t_Array i16 len) : t_Array field_element len =
+    createi #field_element len (fun i -> to_spec_fe (m.[i]))
+
+let to_spec_poly (m:t_Array i16 (sz 256)) : polynomial =
+    to_spec_array m
+
+let to_spec_vector (#r:rank)
+                   (m:t_Array (t_Array i16 (sz 256)) r)
+                   : (vector r) =
+    createi r (fun i -> to_spec_poly (m.[i]))
+
+let to_spec_matrix (#r:rank)
+                   (m:t_Array (t_Array (t_Array i16 (sz 256)) r) r)
+                   : (matrix r) =
+    createi r (fun i -> to_spec_vector (m.[i]))
+
+(* Specifying NTT:
+bitrev7 = [int('{:07b}'.format(x)[::-1], 2) for x in range(0,128)]
+zetas = [pow(17,x) % 3329 for x in bitrev7]
+zetas_mont = [pow(2,16) * x % 3329 for x in zetas]
+zetas_mont_r = [(x - 3329 if x > 1664 else x) for x in zetas_mont]
+
+bitrev7 is 
+[0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127]
+
+zetas = 17^bitrev7 is
+[1, 1729, 2580, 3289, 2642, 630, 1897, 848, 1062, 1919, 193, 797, 2786, 3260, 569, 1746, 296, 2447, 1339, 1476, 3046, 56, 2240, 1333, 1426, 2094, 535, 2882, 2393, 2879, 1974, 821, 289, 331, 3253, 1756, 1197, 2304, 2277, 2055, 650, 1977, 2513, 632, 2865, 33, 1320, 1915, 2319, 1435, 807, 452, 1438, 2868, 1534, 2402, 2647, 2617, 1481, 648, 2474, 3110, 1227, 910, 17, 2761, 583, 2649, 1637, 723, 2288, 1100, 1409, 2662, 3281, 233, 756, 2156, 3015, 3050, 1703, 1651, 2789, 1789, 1847, 952, 1461, 2687, 939, 2308, 2437, 2388, 733, 2337, 268, 641, 1584, 2298, 2037, 3220, 375, 2549, 2090, 1645, 1063, 319, 2773, 757, 2099, 561, 2466, 2594, 2804, 1092, 403, 1026, 1143, 2150, 2775, 886, 1722, 1212, 1874, 1029, 2110, 2935, 885, 2154]
+
+zetas_mont = zetas * 2^16 is
+[2285, 2571, 2970, 1812, 1493, 1422, 287, 202, 3158, 622, 1577, 182, 962, 2127, 1855, 1468, 573, 2004, 264, 383, 2500, 1458, 1727, 3199, 2648, 1017, 732, 608, 1787, 411, 3124, 1758, 1223, 652, 2777, 1015, 2036, 1491, 3047, 1785, 516, 3321, 3009, 2663, 1711, 2167, 126, 1469, 2476, 3239, 3058, 830, 107, 1908, 3082, 2378, 2931, 961, 1821, 2604, 448, 2264, 677, 2054, 2226, 430, 555, 843, 2078, 871, 1550, 105, 422, 587, 177, 3094, 3038, 2869, 1574, 1653, 3083, 778, 1159, 3182, 2552, 1483, 2727, 1119, 1739, 644, 2457, 349, 418, 329, 3173, 3254, 817, 1097, 603, 610, 1322, 2044, 1864, 384, 2114, 3193, 1218, 1994, 2455, 220, 2142, 1670, 2144, 1799, 2051, 794, 1819, 2475, 2459, 478, 3221, 3021, 996, 991, 958, 1869, 1522, 1628]
+
+zetas_mont_r = zetas_mont - 3329 if zetas_mont > 1664 else zetas_mont is
+[-1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468, 573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571, 1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469, -853, -90, -271, 830, 107, -1421, -247, -951, -398, 961, -1508, -725, 448, -1065, 677, -1275, -1103, 430, 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235, -291, -460, 1574, 1653, -246, 778, 1159, -147, -777, 1483, -602, 1119, -1590, 644, -872, 349, 418, 329, -156, -75, 817, 1097, 603, 610, 1322, -1285, -1465, 384, -1215, -136, 1218, -1335, -874, 220, -1187, -1659, -1185, -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628]
+*)
+
+let zetas_list : list field_element = [1; 1729; 2580; 3289; 2642; 630; 1897; 848; 1062; 1919; 193; 797; 2786; 3260; 569; 1746; 296; 2447; 1339; 1476; 3046; 56; 2240; 1333; 1426; 2094; 535; 2882; 2393; 2879; 1974; 821; 289; 331; 3253; 1756; 1197; 2304; 2277; 2055; 650; 1977; 2513; 632; 2865; 33; 1320; 1915; 2319; 1435; 807; 452; 1438; 2868; 1534; 2402; 2647; 2617; 1481; 648; 2474; 3110; 1227; 910; 17; 2761; 583; 2649; 1637; 723; 2288; 1100; 1409; 2662; 3281; 233; 756; 2156; 3015; 3050; 1703; 1651; 2789; 1789; 1847; 952; 1461; 2687; 939; 2308; 2437; 2388; 733; 2337; 268; 641; 1584; 2298; 2037; 3220; 375; 2549; 2090; 1645; 1063; 319; 2773; 757; 2099; 561; 2466; 2594; 2804; 1092; 403; 1026; 1143; 2150; 2775; 886; 1722; 1212; 1874; 1029; 2110; 2935; 885; 2154]
+
+let zetas : t_Array field_element (sz 128) = 
+  assert_norm(List.Tot.length zetas_list == 128);
+  Rust_primitives.Arrays.of_list zetas_list
+  
+let poly_ntt_step (a:field_element) (b:field_element) (i:nat{i < 128}) =
+  let t = field_mul b zetas.[sz i] in
+  let b = field_sub a t in
+  let a = field_add a t in
+  (a,b)
+
+#push-options "--split_queries always"
+let poly_ntt_layer (p:polynomial) (l:nat{l > 0 /\ l < 8}) : polynomial =
+  let len = pow2 l in
+  let k = (128 / len) - 1 in
+  Rust_primitives.Arrays.createi (sz 256) (fun i ->
+    let round = v i / (2 * len) in
+    let idx = v i % (2 * len) in
+    let (idx0, idx1) = if idx < len then (idx, idx+len) else (idx-len,idx) in
+    let (a_ntt, b_ntt) = poly_ntt_step p.[sz idx0] p.[sz idx1] (round + k) in
+    if idx < len then a_ntt else b_ntt)
+#pop-options
+
+val poly_ntt: polynomial -> polynomial
+[@ "opaque_to_smt"]
+let poly_ntt p =
+  let p = poly_ntt_layer p 7 in
+  let p = poly_ntt_layer p 6 in
+  let p = poly_ntt_layer p 5 in
+  let p = poly_ntt_layer p 4 in
+  let p = poly_ntt_layer p 3 in
+  let p = poly_ntt_layer p 2 in
+  let p = poly_ntt_layer p 1 in
+  p
+
+let poly_inv_ntt_step (a:field_element) (b:field_element) (i:nat{i < 128}) =
+  let b_minus_a = field_sub b a in
+  let a = field_add a b in
+  let b = field_mul b_minus_a zetas.[sz i] in
+  (a,b)
+
+#push-options "--z3rlimit 150"
+let poly_inv_ntt_layer (p:polynomial) (l:nat{l > 0 /\ l < 8}) : polynomial =
+  let len = pow2 l in
+  let k = (256 / len) - 1 in
+  Rust_primitives.Arrays.createi (sz 256) (fun i ->
+    let round = v i / (2 * len) in
+    let idx = v i % (2 * len) in
+    let (idx0, idx1) = if idx < len then (idx, idx+len) else (idx-len,idx) in
+    let (a_ntt, b_ntt) = poly_inv_ntt_step p.[sz idx0] p.[sz idx1] (k - round) in
+    if idx < len then a_ntt else b_ntt)
+#pop-options
+
+val poly_inv_ntt: polynomial -> polynomial
+let poly_inv_ntt p =
+  let p = poly_inv_ntt_layer p 1 in
+  let p = poly_inv_ntt_layer p 2 in
+  let p = poly_inv_ntt_layer p 3 in
+  let p = poly_inv_ntt_layer p 4 in
+  let p = poly_inv_ntt_layer p 5 in
+  let p = poly_inv_ntt_layer p 6 in
+  let p = poly_inv_ntt_layer p 7 in
+  p
+
+let poly_base_case_multiply (a0 a1 b0 b1 zeta:field_element) =
+  let c0 = field_add (field_mul a0 b0) (field_mul (field_mul a1 b1) zeta) in
+  let c1 = field_add (field_mul a0 b1) (field_mul a1 b0) in
+  (c0,c1)
+
+val poly_mul_ntt: polynomial -> polynomial -> polynomial
+let poly_mul_ntt a b =
+  Rust_primitives.Arrays.createi (sz 256) (fun i ->
+    let a0 = a.[sz (2 * (v i / 2))] in
+    let a1 = a.[sz (2 * (v i / 2) + 1)] in
+    let b0 = b.[sz (2 * (v i / 2))] in
+    let b1 = b.[sz (2 * (v i / 2) + 1)] in
+    let zeta_4 = zetas.[sz (64 + (v i/4))] in
+    let zeta = if v i % 4 < 2 then zeta_4 else field_neg zeta_4 in
+    let (c0,c1) = poly_base_case_multiply a0 a1 b0 b1 zeta in
+    if v i % 2 = 0 then c0 else c1)
+  
+
+val vector_add: #r:rank -> vector r -> vector r -> vector r
+let vector_add #p a b = map2 poly_add a b
+
+val vector_ntt: #r:rank -> vector r -> vector r
+let vector_ntt #p v = map_array poly_ntt v
+
+val vector_inv_ntt: #r:rank -> vector r -> vector r
+let vector_inv_ntt #p v = map_array poly_inv_ntt v
+
+val vector_mul_ntt: #r:rank -> vector r -> vector r -> vector r 
+let vector_mul_ntt #p a b = map2 poly_mul_ntt a b
+
+val vector_sum: #r:rank -> vector r -> polynomial
+let vector_sum #r a = repeati (r -! sz 1)
+     (fun i x -> assert (v i < v r - 1); poly_add x (a.[i +! sz 1])) a.[sz 0]
+
+val vector_dot_product_ntt: #r:rank -> vector r -> vector r -> polynomial
+let vector_dot_product_ntt a b = vector_sum (vector_mul_ntt a b)
+
+val matrix_transpose: #r:rank -> matrix r -> matrix r
+[@ "opaque_to_smt"]
+let matrix_transpose #r m =
+  createi r (fun i -> 
+    createi r (fun j ->
+      m.[j].[i]))
+
+val matrix_vector_mul_ntt: #r:rank -> matrix r -> vector r -> vector r
+let matrix_vector_mul_ntt #r m v =
+  createi r (fun i -> vector_dot_product_ntt m.[i] v)
+
+val compute_As_plus_e_ntt: #r:rank -> a:matrix r -> s:vector r -> e:vector r -> vector r
+[@ "opaque_to_smt"]
+let compute_As_plus_e_ntt #p a s e = vector_add (matrix_vector_mul_ntt a s) e
+
+
+
+type dT = d: nat {d = 1 \/ d = 4 \/ d = 5 \/ d = 10 \/ d = 11 \/ d = 12}
+let max_d (d:dT) = if d < 12 then pow2 d else v v_FIELD_MODULUS
+type field_element_d (d:dT) = n:nat{n < max_d d}
+type polynomial_d (d:dT) = t_Array (field_element_d d) (sz 256)
+type vector_d (r:rank) (d:dT) = t_Array (polynomial_d d) r
+
+let bits_to_bytes (#bytes: usize) (bv: bit_vec (v bytes * 8))
+  : Pure (t_Array u8 bytes)
+         (requires True)
+         (ensures fun r -> (forall i. bit_vec_of_int_t_array r 8 i == bv i))
+  = bit_vec_to_int_t_array 8 bv
+
+let bytes_to_bits (#bytes: usize) (r: t_Array u8 bytes)
+  : Pure (i: bit_vec (v bytes * 8))
+         (requires True)
+         (ensures fun f -> (forall i. bit_vec_of_int_t_array r 8 i == f i))
+  = bit_vec_of_int_t_array r 8
+
+unfold let retype_bit_vector #a #b (#_:unit{a == b}) (x: a): b = x
+
+
+let compress_d (d: dT {d <> 12}) (x: field_element): field_element_d d
+  = let r = (pow2 d * x + 1664) / v v_FIELD_MODULUS in
+    assert (r * v v_FIELD_MODULUS <= pow2 d * x + 1664);
+    assert (r * v v_FIELD_MODULUS <= pow2 d * (v v_FIELD_MODULUS - 1) + 1664);
+    Math.Lemmas.lemma_div_le (r * v v_FIELD_MODULUS) (pow2 d * (v v_FIELD_MODULUS - 1) + 1664) (v v_FIELD_MODULUS);
+    Math.Lemmas.cancel_mul_div  r (v v_FIELD_MODULUS);
+    assert (r <= (pow2 d * (v v_FIELD_MODULUS - 1) + 1664) / v v_FIELD_MODULUS);
+    Math.Lemmas.lemma_div_mod_plus (1664 - pow2 d) (pow2 d) (v v_FIELD_MODULUS);
+    assert (r <= pow2 d + (1664 - pow2 d) / v v_FIELD_MODULUS);
+    assert (r <= pow2 d);
+    if r = pow2 d then 0 else r
+
+let decompress_d (d: dT {d <> 12}) (x: field_element_d d): field_element
+  = let r = (x * v v_FIELD_MODULUS + 1664) / pow2 d in
+    r
+    
+[@ "opaque_to_smt"]
+let byte_encode (d: dT) (coefficients: polynomial_d d): t_Array u8 (sz (32 * d))
+  =  let coefficients' : t_Array nat (sz 256) = map_array #(field_element_d d) (fun x -> x <: nat) coefficients in
+     bits_to_bytes #(sz (32 * d))
+       (retype_bit_vector (bit_vec_of_nat_array coefficients' d))
+
+[@ "opaque_to_smt"]
+let byte_decode (d: dT) (coefficients: t_Array u8 (sz (32 * d))): polynomial_d d
+  = let bv = bytes_to_bits coefficients in
+    let arr: t_Array nat (sz 256) = bit_vec_to_nat_array d (retype_bit_vector bv) in
+    let p: polynomial_d d = 
+      createi (sz 256) (fun i -> 
+        let x_f : field_element = arr.[i] % v v_FIELD_MODULUS in
+        assert (d < 12  ==> arr.[i] < pow2 d);
+        let x_m : field_element_d d = x_f in
+        x_m) 
+    in
+    p
+
+let coerce_polynomial_12 (p:polynomial): polynomial_d 12 = p
+let coerce_vector_12 (#r:rank) (v:vector r): vector_d r 12 = v
+
+[@ "opaque_to_smt"]
+let compress_then_byte_encode (d: dT {d <> 12}) (coefficients: polynomial): t_Array u8 (sz (32 * d))
+  = let coefs: t_Array (field_element_d d) (sz 256) = map_array (compress_d d) coefficients
+    in
+    byte_encode d coefs
+
+[@ "opaque_to_smt"]
+let byte_decode_then_decompress (d: dT {d <> 12}) (b:t_Array u8 (sz (32 * d))): polynomial
+  = map_array (decompress_d d) (byte_decode d b)
+
+
+(**** Definitions to move or to rework *)
+let serialize_pre
+  (d1: dT)
+  (coefficients: t_Array i16 (sz 16))
+  = forall i. i < 16 ==> bounded (Seq.index coefficients i) d1
+
+// TODO: this is an alternative version of byte_encode
+//   rename to encoded bytes
+#push-options "--z3rlimit 80 --split_queries always"
+let serialize_post
+  (d1: dT)
+  (coefficients: t_Array i16 (sz 16) { serialize_pre d1 coefficients })
+  (output: t_Array u8 (sz (d1 * 2)))
+  = BitVecEq.int_t_array_bitwise_eq coefficients d1
+                                   output       8
+
+// TODO: this is an alternative version of byte_decode
+//   rename to decoded bytes
+let deserialize_post
+  (d1: dT)
+  (bytes: t_Array u8 (sz (d1 * 2)))
+  (output: t_Array i16 (sz 16))
+  = BitVecEq.int_t_array_bitwise_eq bytes  8
+                                   output d1 /\
+  forall (i:nat). i < 16 ==> bounded (Seq.index output i) d1
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst
new file mode 100644
index 000000000..5fc57dfcc
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst
@@ -0,0 +1,449 @@
+module Spec.MLKEM
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open FStar.Mul
+open Core
+
+include Spec.Utils
+include Spec.MLKEM.Math
+
+(** ML-KEM Constants *)
+let v_BITS_PER_COEFFICIENT: usize = sz 12
+
+let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256
+
+let v_BITS_PER_RING_ELEMENT: usize = sz 3072 // v_COEFFICIENTS_IN_RING_ELEMENT *! sz 12
+
+let v_BYTES_PER_RING_ELEMENT: usize = sz 384 // v_BITS_PER_RING_ELEMENT /! sz 8
+
+let v_CPA_KEY_GENERATION_SEED_SIZE: usize = sz 32
+
+let v_H_DIGEST_SIZE: usize = sz 32 
+// same as  Libcrux.Digest.digest_size (Libcrux.Digest.Algorithm_Sha3_256_ <: Libcrux.Digest.t_Algorithm)
+
+let v_REJECTION_SAMPLING_SEED_SIZE: usize =  sz 840 // sz 168 *! sz 5
+
+let v_SHARED_SECRET_SIZE: usize = v_H_DIGEST_SIZE
+
+val v_ETA1 (r:rank) : u:usize{u == sz 3 \/ u == sz 2}
+let v_ETA1 (r:rank) : usize = 
+  if r = sz 2 then sz 3 else
+  if r = sz 3 then sz 2 else
+  if r = sz 4 then sz 2 else (
+  assert (false);
+  sz 0)
+  
+
+let v_ETA2 (r:rank) : usize = sz 2
+
+val v_VECTOR_U_COMPRESSION_FACTOR (r:rank) : u:usize{u == sz 10 \/ u == sz 11}
+let v_VECTOR_U_COMPRESSION_FACTOR (r:rank) : usize = 
+  if r = sz 2 then sz 10 else
+  if r = sz 3 then sz 10 else
+  if r = sz 4 then sz 11
+
+val v_VECTOR_V_COMPRESSION_FACTOR (r:rank) : u:usize{u == sz 4 \/ u == sz 5}
+let v_VECTOR_V_COMPRESSION_FACTOR (r:rank) : usize = 
+  if r = sz 2 then sz 4 else
+  if r = sz 3 then sz 4 else
+  if r = sz 4 then sz 5
+
+val v_ETA1_RANDOMNESS_SIZE (r:rank) : u:usize{u == sz 128 \/ u == sz 192}
+let v_ETA1_RANDOMNESS_SIZE (r:rank) = v_ETA1 r *! sz 64
+
+val v_ETA2_RANDOMNESS_SIZE (r:rank) : u:usize{u == sz 128}
+let v_ETA2_RANDOMNESS_SIZE (r:rank) = v_ETA2 r *! sz 64
+
+val v_RANKED_BYTES_PER_RING_ELEMENT (r:rank) : u:usize{u = sz 768 \/ u = sz 1152 \/ u = sz 1536}
+let v_RANKED_BYTES_PER_RING_ELEMENT (r:rank)  = r *! v_BYTES_PER_RING_ELEMENT
+
+let v_T_AS_NTT_ENCODED_SIZE (r:rank) = v_RANKED_BYTES_PER_RING_ELEMENT r
+let v_CPA_PRIVATE_KEY_SIZE (r:rank) = v_RANKED_BYTES_PER_RING_ELEMENT r
+
+val v_CPA_PUBLIC_KEY_SIZE (r:rank) : u:usize{u = sz 800 \/ u = sz 1184 \/ u = sz 1568}
+let v_CPA_PUBLIC_KEY_SIZE (r:rank) = v_RANKED_BYTES_PER_RING_ELEMENT r +! sz 32
+
+val v_CCA_PRIVATE_KEY_SIZE (r:rank) : u:usize{u = sz 1632 \/ u = sz 2400 \/ u = sz 3168}
+let v_CCA_PRIVATE_KEY_SIZE (r:rank) =
+  (v_CPA_PRIVATE_KEY_SIZE r +! v_CPA_PUBLIC_KEY_SIZE r +! v_H_DIGEST_SIZE +! v_SHARED_SECRET_SIZE)
+
+let v_CCA_PUBLIC_KEY_SIZE (r:rank) = v_CPA_PUBLIC_KEY_SIZE r
+
+val v_C1_BLOCK_SIZE (r:rank): u:usize{(u = sz 320 \/ u = sz 352) /\ v u == 32 * v (v_VECTOR_U_COMPRESSION_FACTOR r)}
+let v_C1_BLOCK_SIZE (r:rank) = sz 32 *! v_VECTOR_U_COMPRESSION_FACTOR r
+
+val v_C1_SIZE (r:rank) : u:usize{(u >=. sz 640 /\ u <=. sz 1448) /\ 
+                                    v u == v (v_C1_BLOCK_SIZE r) * v r}
+let v_C1_SIZE (r:rank) = v_C1_BLOCK_SIZE r *! r
+
+val v_C2_SIZE (r:rank) : u:usize{(u = sz 128 \/ u = sz 160) /\ v u == 32 * v (v_VECTOR_V_COMPRESSION_FACTOR r)}
+let v_C2_SIZE (r:rank) = sz 32 *! v_VECTOR_V_COMPRESSION_FACTOR r
+
+val v_CPA_CIPHERTEXT_SIZE (r:rank) : u:usize {v u = v (v_C1_SIZE r) + v (v_C2_SIZE r)}
+let v_CPA_CIPHERTEXT_SIZE (r:rank) = v_C1_SIZE r +! v_C2_SIZE r
+
+let v_CCA_CIPHERTEXT_SIZE (r:rank) = v_CPA_CIPHERTEXT_SIZE r
+
+val v_IMPLICIT_REJECTION_HASH_INPUT_SIZE (r:rank): u:usize{v u == v v_SHARED_SECRET_SIZE + 
+                                                                    v (v_CPA_CIPHERTEXT_SIZE r)}
+let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE (r:rank) =
+    v_SHARED_SECRET_SIZE +! v_CPA_CIPHERTEXT_SIZE r
+
+val v_KEY_GENERATION_SEED_SIZE: u:usize{u = sz 64}
+let v_KEY_GENERATION_SEED_SIZE: usize =
+  v_CPA_KEY_GENERATION_SEED_SIZE +!
+  v_SHARED_SECRET_SIZE
+
+
+(** ML-KEM Types *)
+
+type t_MLKEMPublicKey (r:rank) = t_Array u8 (v_CPA_PUBLIC_KEY_SIZE r)
+type t_MLKEMPrivateKey (r:rank) = t_Array u8 (v_CCA_PRIVATE_KEY_SIZE r)
+type t_MLKEMKeyPair (r:rank) = t_MLKEMPrivateKey r & t_MLKEMPublicKey r
+
+type t_MLKEMCPAPrivateKey (r:rank) = t_Array u8 (v_CPA_PRIVATE_KEY_SIZE r)
+type t_MLKEMCPAKeyPair (r:rank) = t_MLKEMCPAPrivateKey r & t_MLKEMPublicKey r
+
+type t_MLKEMCiphertext (r:rank) = t_Array u8 (v_CPA_CIPHERTEXT_SIZE r)
+type t_MLKEMSharedSecret = t_Array u8 (v_SHARED_SECRET_SIZE)
+
+
+assume val sample_max: n:usize{v n < pow2 32 /\ v n >= 128 * 3 /\ v n % 3 = 0}
+
+val sample_polynomial_ntt: seed:t_Array u8 (sz 34) -> (polynomial & bool)
+let sample_polynomial_ntt seed =
+  let randomness = v_XOF sample_max seed in
+  let bv = bytes_to_bits randomness in
+  assert (v sample_max * 8 == (((v sample_max / 3) * 2) * 12));
+  let bv: bit_vec ((v (sz ((v sample_max / 3) * 2))) * 12) = retype_bit_vector bv in
+  let i16s = bit_vec_to_nat_array #(sz ((v sample_max / 3) * 2)) 12 bv in
+  assert ((v sample_max / 3) * 2 >= 256);
+  let poly0: polynomial = Seq.create 256 0 in
+  let index_t = n:nat{n <= 256} in
+  let (sampled, poly1) =
+    repeati #(index_t & polynomial) (sz ((v sample_max / 3) * 2))
+      (fun i (sampled,acc) ->
+        if sampled < 256 then
+          let sample = Seq.index i16s (v i) in 
+          if sample < 3329 then
+             (sampled+1, Rust_primitives.Hax.update_at acc (sz sampled) sample)
+          else (sampled, acc)
+        else (sampled, acc))
+      (0,poly0) in
+  if sampled < 256 then poly0, false else poly1, true
+
+let sample_polynomial_ntt_at_index (seed:t_Array u8 (sz 32)) (i j: (x:usize{v x <= 4})) : polynomial & bool =
+    let seed34 = Seq.append seed (Seq.create 2 0uy) in
+    let seed34 = Rust_primitives.Hax.update_at seed34 (sz 32) (mk_int #u8_inttype (v i)) in
+    let seed34 = Rust_primitives.Hax.update_at seed34 (sz 33) (mk_int #u8_inttype (v j)) in
+    sample_polynomial_ntt seed34
+
+val sample_matrix_A_ntt: #r:rank -> seed:t_Array u8 (sz 32) -> (matrix r & bool)
+[@ "opaque_to_smt"]
+let sample_matrix_A_ntt #r seed = 
+  let m = 
+    createi r (fun i -> 
+      createi r (fun j ->
+        let (p,b) = sample_polynomial_ntt_at_index seed i j in
+        p))
+  in 
+  let sufficient_randomness = 
+    repeati r (fun i b -> 
+      repeati r (fun j b ->
+        let (p,v) = sample_polynomial_ntt_at_index seed i j in
+        b && v) b) true in
+  (m, sufficient_randomness)
+
+assume val sample_poly_cbd: v_ETA:usize{v v_ETA == 2 \/ v v_ETA == 3} -> t_Array u8 (v_ETA *! sz 64) -> polynomial
+
+open Rust_primitives.Integers
+
+val sample_poly_cbd2: #r:rank -> seed:t_Array u8 (sz 32) -> domain_sep:usize{v domain_sep < 256} -> polynomial
+let sample_poly_cbd2 #r seed domain_sep =
+  let prf_input = Seq.append seed (Seq.create 1 (mk_int #u8_inttype (v domain_sep))) in
+  let prf_output = v_PRF (v_ETA2_RANDOMNESS_SIZE r) prf_input in
+  sample_poly_cbd (v_ETA2 r) prf_output
+
+let sample_vector_cbd1_prf_input (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) (i:usize{i <. r}) : t_Array u8 (sz 33) =
+  Seq.append seed (Seq.create 1 (mk_int #u8_inttype (v domain_sep + v i)))
+
+let sample_vector_cbd1_prf_output (#r:rank) (prf_output:t_Array (t_Array u8 (v_ETA1_RANDOMNESS_SIZE r)) r) (i:usize{i <. r}) : polynomial =
+  sample_poly_cbd (v_ETA1 r) prf_output.[i]
+
+let sample_vector_cbd1 (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r =
+    let prf_input = createi r (sample_vector_cbd1_prf_input #r seed domain_sep) in
+    let prf_output = v_PRFxN r (v_ETA1_RANDOMNESS_SIZE r) prf_input in
+    createi r (sample_vector_cbd1_prf_output #r prf_output)
+
+let sample_vector_cbd2_prf_input (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) (i:usize{i <. r}) : t_Array u8 (sz 33) =
+  Seq.append seed (Seq.create 1 (mk_int #u8_inttype (v domain_sep + v i)))
+
+let sample_vector_cbd2_prf_output (#r:rank) (prf_output:t_Array (t_Array u8 (v_ETA2_RANDOMNESS_SIZE r)) r) (i:usize{i <. r}) : polynomial =
+  sample_poly_cbd (v_ETA2 r) prf_output.[i]
+
+let sample_vector_cbd2 (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r =
+    let prf_input = createi r (sample_vector_cbd2_prf_input #r seed domain_sep) in
+    let prf_output = v_PRFxN r (v_ETA2_RANDOMNESS_SIZE r) prf_input in
+    createi r (sample_vector_cbd2_prf_output #r prf_output)
+
+[@ "opaque_to_smt"]
+let sample_vector_cbd_then_ntt (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r =
+    vector_ntt (sample_vector_cbd1 #r seed domain_sep)
+
+[@ "opaque_to_smt"]
+let vector_encode_12 (#r:rank) (v: vector r) : t_Array u8 (v_T_AS_NTT_ENCODED_SIZE r)
+  = let s: t_Array (t_Array _ (sz 384)) r = map_array (byte_encode 12) (coerce_vector_12 v) in
+    flatten s
+
+let vector_decode_12 (#r:rank) (arr: t_Array u8 (v_T_AS_NTT_ENCODED_SIZE r)): vector r
+  = createi r (fun block -> 
+      let block_size = (sz (32 * 12)) in
+      let slice = Seq.slice arr (v block * v block_size) 
+                                (v block * v block_size + v block_size) in
+      byte_decode 12 slice
+    )
+
+let compress_then_encode_message (p:polynomial) : t_Array u8 v_SHARED_SECRET_SIZE
+  = compress_then_byte_encode 1 p
+
+let decode_then_decompress_message (b:t_Array u8 v_SHARED_SECRET_SIZE): polynomial
+  = byte_decode_then_decompress 1 b
+
+let compress_then_encode_u (#r:rank) (vec: vector r): t_Array u8 (v_C1_SIZE r)
+  = let d = v (v_VECTOR_U_COMPRESSION_FACTOR r) in
+    flatten (map_array (compress_then_byte_encode d) vec)
+
+let decode_then_decompress_u (#r:rank) (arr: t_Array u8 (v_C1_SIZE r)): vector r
+  = let d = v_VECTOR_U_COMPRESSION_FACTOR r in
+    createi r (fun block -> 
+      let block_size = v_C1_BLOCK_SIZE r in
+      let slice = Seq.slice arr (v block * v block_size) 
+                                (v block * v block_size + v block_size) in
+      byte_decode_then_decompress (v d) slice
+    )
+
+let compress_then_encode_v (#r:rank): polynomial -> t_Array u8 (v_C2_SIZE r)
+  = compress_then_byte_encode (v (v_VECTOR_V_COMPRESSION_FACTOR r))
+
+let decode_then_decompress_v (#r:rank): t_Array u8 (v_C2_SIZE r) -> polynomial
+  = byte_decode_then_decompress (v (v_VECTOR_V_COMPRESSION_FACTOR r)) 
+
+(** IND-CPA Functions *)
+
+val ind_cpa_generate_keypair_unpacked (r:rank) (randomness:t_Array u8 v_CPA_KEY_GENERATION_SEED_SIZE) :
+                             (((((vector r) & (t_Array u8 (sz 32))) & (matrix r)) & (vector r)) & bool)
+let ind_cpa_generate_keypair_unpacked r randomness =
+    let hashed = v_G (Seq.append randomness (Seq.create 1 (cast r <: u8))) in
+    let (seed_for_A, seed_for_secret_and_error) = split hashed (sz 32) in
+    let (matrix_A_as_ntt, sufficient_randomness) = sample_matrix_A_ntt #r seed_for_A in
+    let secret_as_ntt = sample_vector_cbd_then_ntt #r seed_for_secret_and_error (sz 0) in
+    let error_as_ntt = sample_vector_cbd_then_ntt #r seed_for_secret_and_error r in
+    let t_as_ntt = compute_As_plus_e_ntt #r matrix_A_as_ntt secret_as_ntt error_as_ntt in
+    (((t_as_ntt,seed_for_A), matrix_A_as_ntt), secret_as_ntt), sufficient_randomness
+
+/// This function implements most of <strong>Algorithm 12</strong> of the
+/// NIST FIPS 203 specification; this is the MLKEM CPA-PKE key generation algorithm.
+///
+/// We say "most of" since Algorithm 12 samples the required randomness within
+/// the function itself, whereas this implementation expects it to be provided
+/// through the `key_generation_seed` parameter.
+
+val ind_cpa_generate_keypair (r:rank) (randomness:t_Array u8 v_CPA_KEY_GENERATION_SEED_SIZE) :
+                             (t_MLKEMCPAKeyPair r & bool)
+let ind_cpa_generate_keypair r randomness =
+    let ((((t_as_ntt,seed_for_A), _), secret_as_ntt), sufficient_randomness) =
+      ind_cpa_generate_keypair_unpacked r randomness in
+    let public_key_serialized = Seq.append (vector_encode_12 #r t_as_ntt) seed_for_A in
+    let secret_key_serialized = vector_encode_12 #r secret_as_ntt in
+    ((secret_key_serialized,public_key_serialized), sufficient_randomness)
+
+val ind_cpa_encrypt_unpacked (r:rank)
+                    (message: t_Array u8 v_SHARED_SECRET_SIZE)
+                    (randomness:t_Array u8 v_SHARED_SECRET_SIZE)
+                    (t_as_ntt:vector r)
+                    (matrix_A_as_ntt:matrix r) :
+                    t_MLKEMCiphertext r
+
+#push-options "--z3rlimit 500 --ext context_pruning"
+let ind_cpa_encrypt_unpacked r message randomness t_as_ntt matrix_A_as_ntt =
+    let r_as_ntt = sample_vector_cbd_then_ntt #r randomness (sz 0) in
+    let error_1 = sample_vector_cbd2 #r randomness r in
+    let error_2 = sample_poly_cbd2 #r randomness (r +! r) in
+    let u = vector_add (vector_inv_ntt (matrix_vector_mul_ntt matrix_A_as_ntt r_as_ntt)) error_1 in
+    let mu = decode_then_decompress_message message in
+    let v = poly_add (poly_add (vector_dot_product_ntt t_as_ntt r_as_ntt) error_2) mu in  
+    let c1 = compress_then_encode_u #r u in
+    let c2 = compress_then_encode_v #r v in
+    concat c1 c2
+#pop-options
+
+/// This function implements <strong>Algorithm 13</strong> of the
+/// NIST FIPS 203 specification; this is the MLKEM CPA-PKE encryption algorithm.
+
+val ind_cpa_encrypt (r:rank) (public_key: t_MLKEMPublicKey r)
+                    (message: t_Array u8 v_SHARED_SECRET_SIZE)
+                    (randomness:t_Array u8 v_SHARED_SECRET_SIZE) :
+                    (t_MLKEMCiphertext r & bool)
+
+[@ "opaque_to_smt"]
+let ind_cpa_encrypt r public_key message randomness =
+    let (t_as_ntt_bytes, seed_for_A) = split public_key (v_T_AS_NTT_ENCODED_SIZE r) in
+    let t_as_ntt = vector_decode_12 #r t_as_ntt_bytes in 
+    let matrix_A_as_ntt, sufficient_randomness = sample_matrix_A_ntt #r seed_for_A in
+    let c = ind_cpa_encrypt_unpacked r message randomness t_as_ntt (matrix_transpose matrix_A_as_ntt) in
+    (c, sufficient_randomness)
+
+val ind_cpa_decrypt_unpacked (r:rank)
+                    (ciphertext: t_MLKEMCiphertext r) (secret_as_ntt:vector r): 
+                    t_MLKEMSharedSecret
+
+let ind_cpa_decrypt_unpacked r ciphertext secret_as_ntt =
+    let (c1,c2) = split ciphertext (v_C1_SIZE r) in
+    let u = decode_then_decompress_u #r c1 in
+    let v = decode_then_decompress_v #r c2 in
+    let w = poly_sub v (poly_inv_ntt (vector_dot_product_ntt secret_as_ntt (vector_ntt u))) in
+    compress_then_encode_message w
+
+/// This function implements <strong>Algorithm 14</strong> of the
+/// NIST FIPS 203 specification; this is the MLKEM CPA-PKE decryption algorithm.
+
+val ind_cpa_decrypt (r:rank) (secret_key: t_MLKEMCPAPrivateKey r)
+                    (ciphertext: t_MLKEMCiphertext r): 
+                    t_MLKEMSharedSecret
+
+[@ "opaque_to_smt"]
+let ind_cpa_decrypt r secret_key ciphertext =
+    let secret_as_ntt = vector_decode_12 #r secret_key in
+    ind_cpa_decrypt_unpacked r ciphertext secret_as_ntt
+
+(** IND-CCA Functions *)
+
+
+/// This function implements most of Algorithm 15 of the
+/// NIST FIPS 203 specification; this is the MLKEM CCA-KEM key generation algorithm.
+///
+/// We say "most of" since Algorithm 15 samples the required randomness within
+/// the function itself, whereas this implementation expects it to be provided
+/// through the `randomness` parameter.
+/// 
+/// TODO: input validation
+
+val ind_cca_generate_keypair (r:rank) (randomness:t_Array u8 v_KEY_GENERATION_SEED_SIZE) :
+                             t_MLKEMKeyPair r & bool
+let ind_cca_generate_keypair p randomness =
+    let (ind_cpa_keypair_randomness, implicit_rejection_value) =
+        split randomness v_CPA_KEY_GENERATION_SEED_SIZE in
+        
+    let (ind_cpa_secret_key,ind_cpa_public_key), sufficient_randomness = ind_cpa_generate_keypair p ind_cpa_keypair_randomness in
+    let ind_cca_secret_key = Seq.append ind_cpa_secret_key (
+                             Seq.append ind_cpa_public_key (
+                             Seq.append (v_H ind_cpa_public_key) implicit_rejection_value)) in
+    (ind_cca_secret_key, ind_cpa_public_key), sufficient_randomness
+
+/// This function implements most of Algorithm 16 of the
+/// NIST FIPS 203 specification; this is the MLKEM CCA-KEM encapsulation algorithm.
+///
+/// We say "most of" since Algorithm 16 samples the required randomness within
+/// the function itself, whereas this implementation expects it to be provided
+/// through the `randomness` parameter.
+///
+/// TODO: input validation
+
+val ind_cca_encapsulate (r:rank) (public_key: t_MLKEMPublicKey r)
+                        (randomness:t_Array u8 v_SHARED_SECRET_SIZE) :
+                        (t_MLKEMCiphertext r &  t_MLKEMSharedSecret) & bool
+let ind_cca_encapsulate p public_key randomness =
+    let to_hash = concat randomness (v_H public_key) in
+    let hashed = v_G to_hash in
+    let (shared_secret, pseudorandomness) = split hashed v_SHARED_SECRET_SIZE in
+    let ciphertext, sufficient_randomness = ind_cpa_encrypt p public_key randomness pseudorandomness in
+    (ciphertext,shared_secret), sufficient_randomness
+    
+
+/// This function implements Algorithm 17 of the
+/// NIST FIPS 203 specification; this is the MLKEM CCA-KEM encapsulation algorithm.
+
+val ind_cca_decapsulate (r:rank) (secret_key: t_MLKEMPrivateKey r)
+                        (ciphertext: t_MLKEMCiphertext r): 
+                         t_MLKEMSharedSecret & bool
+let ind_cca_decapsulate p secret_key ciphertext =
+    let (ind_cpa_secret_key,rest) = split secret_key (v_CPA_PRIVATE_KEY_SIZE p) in
+    let (ind_cpa_public_key,rest) = split rest (v_CPA_PUBLIC_KEY_SIZE p) in
+    let (ind_cpa_public_key_hash,implicit_rejection_value) = split rest v_H_DIGEST_SIZE in
+    
+    let decrypted = ind_cpa_decrypt p ind_cpa_secret_key ciphertext in
+    let to_hash = concat decrypted ind_cpa_public_key_hash in
+    let hashed = v_G to_hash in
+    let (success_shared_secret, pseudorandomness) = split hashed v_SHARED_SECRET_SIZE in
+
+    assert (Seq.length implicit_rejection_value = 32);
+    let to_hash = concat implicit_rejection_value ciphertext in
+    let rejection_shared_secret = v_J to_hash in
+
+    let reencrypted, sufficient_randomness = ind_cpa_encrypt p ind_cpa_public_key decrypted pseudorandomness in
+    if reencrypted = ciphertext
+    then success_shared_secret, sufficient_randomness
+    else rejection_shared_secret, sufficient_randomness
+
+val ind_cca_unpack_public_key (r:rank) (public_key: t_MLKEMPublicKey r) :
+                        t_Array u8 (sz 32) & (t_Array u8 (sz 32) & (vector r & (matrix r & bool)))
+let ind_cca_unpack_public_key p public_key =
+    let (ring_elements, seed) = split public_key (v_T_AS_NTT_ENCODED_SIZE p) in
+    let deserialized_pk = vector_decode_12 #p ring_elements in
+    let (matrix_A, sufficient_randomness) = sample_matrix_A_ntt seed in
+    let matrix_A = matrix_transpose #p matrix_A in
+    let public_key_hash = v_H public_key in
+    public_key_hash, (seed, (deserialized_pk, (matrix_A, sufficient_randomness)))
+
+let matrix_A_as_ntt_j (#r:rank) (matrix_A_as_ntt:matrix r) (i:usize{i <. r}) (j:usize{j <. r}) : polynomial =
+  Seq.index (Seq.index matrix_A_as_ntt (v j)) (v i)
+
+let matrix_A_as_ntt_i (#r:rank) (matrix_A_as_ntt:matrix r) (i:usize{i <. r}) : vector r =
+  createi r (matrix_A_as_ntt_j matrix_A_as_ntt i)
+
+val ind_cca_unpack_generate_keypair (r:rank) (randomness:t_Array u8 v_KEY_GENERATION_SEED_SIZE) :
+                             ((matrix r & t_Array u8 (sz 32)) & t_Array u8 (sz 32)) & bool
+let ind_cca_unpack_generate_keypair p randomness =
+  let (ind_cpa_keypair_randomness, implicit_rejection_value) = split randomness v_CPA_KEY_GENERATION_SEED_SIZE in
+  let ((((t_as_ntt,seed_for_A), matrix_A_as_ntt), secret_as_ntt), sufficient_randomness) =
+    ind_cpa_generate_keypair_unpacked p ind_cpa_keypair_randomness in
+  // let m_A = 
+  // createi p (fun i -> 
+  //   createi p (fun j ->
+  //     Seq.index (Seq.index matrix_A_as_ntt j) i
+  //     ))
+  // in 
+  let m_A = createi p (matrix_A_as_ntt_i matrix_A_as_ntt) in 
+  let pk_serialized = Seq.append (vector_encode_12 t_as_ntt) seed_for_A in
+  let public_key_hash = v_H pk_serialized in
+  ((m_A, public_key_hash), implicit_rejection_value), sufficient_randomness
+
+val ind_cca_unpack_encapsulate (r:rank) (public_key_hash:t_Array u8 (sz 32))
+                    (t_as_ntt:vector r)
+                    (matrix_A_as_ntt:matrix r)
+                    (randomness:t_Array u8 v_SHARED_SECRET_SIZE) :
+                    (t_MLKEMCiphertext r & t_Array u8 v_SHARED_SECRET_SIZE)
+let ind_cca_unpack_encapsulate r public_key_hash t_as_ntt matrix_A_as_ntt randomness =
+  let to_hash = concat randomness public_key_hash in
+  let hashed = v_G to_hash in
+  let (shared_secret, pseudorandomness) = split hashed v_SHARED_SECRET_SIZE in
+  let ciphertext = ind_cpa_encrypt_unpacked r randomness pseudorandomness t_as_ntt matrix_A_as_ntt in
+  ciphertext, shared_secret
+
+val ind_cca_unpack_decapsulate (r:rank) (public_key_hash:t_Array u8 (sz 32)) 
+                    (implicit_rejection_value:t_Array u8 (sz 32))
+                    (ciphertext: t_MLKEMCiphertext r)
+                    (secret_as_ntt:vector r)
+                    (t_as_ntt:vector r)
+                    (matrix_A_as_ntt:matrix r) :
+                    t_Array u8 v_SHARED_SECRET_SIZE
+let ind_cca_unpack_decapsulate r public_key_hash implicit_rejection_value ciphertext secret_as_ntt t_as_ntt matrix_A_as_ntt =
+  let decrypted = ind_cpa_decrypt_unpacked r ciphertext secret_as_ntt in
+  let to_hash = concat decrypted public_key_hash in
+  let hashed = v_G to_hash in
+  let (shared_secret, pseudorandomness) = split hashed v_SHARED_SECRET_SIZE in
+  let to_hash:t_Array u8 (v_IMPLICIT_REJECTION_HASH_INPUT_SIZE r) = concat implicit_rejection_value ciphertext in
+  let implicit_rejection_shared_secret = v_PRF v_SHARED_SECRET_SIZE to_hash in
+  let expected_ciphertext = ind_cpa_encrypt_unpacked r decrypted pseudorandomness t_as_ntt matrix_A_as_ntt in
+  if ciphertext = expected_ciphertext
+  then shared_secret
+  else implicit_rejection_shared_secret
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst
new file mode 100644
index 000000000..cbe51c827
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst
@@ -0,0 +1,499 @@
+module Spec.Utils
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open FStar.Mul
+open Core
+
+(** Utils *)
+let map_slice #a #b
+  (f:(x:a -> b))
+  (s: t_Slice a): t_Slice b
+  = createi (length s) (fun i -> f (Seq.index s (v i)))
+
+let map_array #a #b #len
+  (f:(x:a -> b))
+  (s: t_Array a len): t_Array b len
+  = createi (length s) (fun i -> f (Seq.index s (v i)))
+
+let map2 #a #b #c #len
+  (f:a -> b -> c)
+  (x: t_Array a len) (y: t_Array b len): t_Array c len
+  = createi (length x) (fun i -> f (Seq.index x (v i)) (Seq.index y (v i)))
+
+let create len c = createi len (fun i -> c)
+
+let repeati #acc (l:usize) (f:(i:usize{v i < v l}) -> acc -> acc) acc0 : acc = Lib.LoopCombinators.repeati (v l) (fun i acc -> f (sz i) acc) acc0
+
+let createL len l = Rust_primitives.Hax.array_of_list len l 
+
+let create16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 =
+  let l = [v15; v14; v13; v12; v11; v10; v9; v8; v7; v6; v5; v4; v3; v2; v1; v0] in
+  assert_norm (List.Tot.length l == 16);
+  createL 16 l
+
+
+val lemma_createL_index #a len l i :
+  Lemma (Seq.index (createL #a len l) i == List.Tot.index l i)
+        [SMTPat (Seq.index (createL #a len l) i)]
+let lemma_createL_index #a len l i = ()
+
+val lemma_create16_index #a v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 i :
+  Lemma (Seq.index (create16 #a v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) i ==
+        (if i = 0 then v15 else
+         if i = 1 then v14 else
+         if i = 2 then v13 else
+         if i = 3 then v12 else
+         if i = 4 then v11 else
+         if i = 5 then v10 else
+         if i = 6 then v9 else
+         if i = 7 then v8 else
+         if i = 8 then v7 else
+         if i = 9 then v6 else
+         if i = 10 then v5 else
+         if i = 11 then v4 else
+         if i = 12 then v3 else
+         if i = 13 then v2 else
+         if i = 14 then v1 else
+         if i = 15 then v0))
+        [SMTPat (Seq.index (create16 #a v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) i)]
+let lemma_create16_index #a v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 i =
+  let l = [v15; v14; v13; v12; v11; v10; v9; v8; v7; v6; v5; v4; v3; v2; v1; v0] in
+  assert_norm (List.Tot.index l 0 == v15);
+  assert_norm (List.Tot.index l 1 == v14);
+  assert_norm (List.Tot.index l 2 == v13);
+  assert_norm (List.Tot.index l 3 == v12);
+  assert_norm (List.Tot.index l 4 == v11);
+  assert_norm (List.Tot.index l 5 == v10);
+  assert_norm (List.Tot.index l 6 == v9);
+  assert_norm (List.Tot.index l 7 == v8);
+  assert_norm (List.Tot.index l 8 == v7);
+  assert_norm (List.Tot.index l 9 == v6);
+  assert_norm (List.Tot.index l 10 == v5);
+  assert_norm (List.Tot.index l 11 == v4);
+  assert_norm (List.Tot.index l 12 == v3);
+  assert_norm (List.Tot.index l 13 == v2);
+  assert_norm (List.Tot.index l 14 == v1);
+  assert_norm (List.Tot.index l 15 == v0)
+
+
+val lemma_createi_index #a len f i :
+  Lemma (Seq.index (createi #a len f) i == f (sz i))
+        [SMTPat (Seq.index (createi #a len f) i)]
+let lemma_createi_index #a len f i = ()
+
+val lemma_create_index #a len c i:
+  Lemma (Seq.index (create #a len c) i == c)
+        [SMTPat (Seq.index (create #a len c) i)]
+let lemma_create_index #a len c i = ()
+
+val lemma_map_index #a #b #len f x i:
+  Lemma (Seq.index (map_array #a #b #len f x) i == f (Seq.index x i))
+        [SMTPat (Seq.index (map_array #a #b #len f x) i)]
+let lemma_map_index #a #b #len f x i = ()
+
+val lemma_map2_index #a #b #c #len f x y i:
+  Lemma (Seq.index (map2 #a #b #c #len f x y) i == f (Seq.index x i) (Seq.index y i))
+        [SMTPat (Seq.index (map2 #a #b #c #len f x y) i)]
+let lemma_map2_index #a #b #c #len f x y i = ()
+  
+let lemma_bitand_properties #t (x:int_t t) :
+  Lemma ((x &. ones) == x /\ (x &. mk_int #t 0) == mk_int #t 0 /\ (ones #t &. x) == x /\ (mk_int #t 0 &. x) == mk_int #t 0) = 
+    logand_lemma #t x x
+
+#push-options "--z3rlimit 250"
+let flatten #t #n
+  (#m: usize {range (v n * v m) usize_inttype})
+  (x: t_Array (t_Array t m) n)
+  : t_Array t (m *! n)
+  = createi (m *! n) (fun i -> Seq.index (Seq.index x (v i / v m)) (v i % v m))
+#pop-options
+
+type t_Error = | Error_RejectionSampling : t_Error
+
+type t_Result a b = 
+  | Ok: a -> t_Result a b
+  | Err: b -> t_Result a b
+
+(** Hash Function *)
+open Spec.SHA3
+
+val v_G (input: t_Slice u8) : t_Array u8 (sz 64)
+let v_G input = map_slice Lib.RawIntTypes.u8_to_UInt8 (sha3_512 (Seq.length input) (map_slice Lib.IntTypes.secret input))
+
+val v_H (input: t_Slice u8) : t_Array u8 (sz 32)
+let v_H input = map_slice Lib.RawIntTypes.u8_to_UInt8 (sha3_256 (Seq.length input) (map_slice Lib.IntTypes.secret input)) 
+
+val v_PRF (v_LEN: usize{v v_LEN < pow2 32}) (input: t_Slice u8) : t_Array u8 v_LEN
+let v_PRF v_LEN input = map_slice Lib.RawIntTypes.u8_to_UInt8 (
+  shake256 (Seq.length input) (map_slice Lib.IntTypes.secret input) (v v_LEN))
+
+assume val v_PRFxN (r:usize{v r == 2 \/ v r == 3 \/ v r == 4}) (v_LEN: usize{v v_LEN < pow2 32})
+  (input: t_Array (t_Array u8 (sz 33)) r) : t_Array (t_Array u8 v_LEN) r
+
+let v_J (input: t_Slice u8) : t_Array u8 (sz 32) = v_PRF (sz 32) input
+
+val v_XOF (v_LEN: usize{v v_LEN < pow2 32}) (input: t_Slice u8) : t_Array u8 v_LEN
+let v_XOF v_LEN input = map_slice Lib.RawIntTypes.u8_to_UInt8 (
+  shake128 (Seq.length input) (map_slice Lib.IntTypes.secret input) (v v_LEN))
+
+let update_at_range_lemma #n
+  (s: t_Slice 't)
+  (i: Core.Ops.Range.t_Range (int_t n) {(Core.Ops.Range.impl_index_range_slice 't n).f_index_pre s i}) 
+  (x: t_Slice 't)
+  : Lemma
+    (requires (Seq.length x == v i.f_end - v i.f_start))
+    (ensures (
+      let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in
+      let len = v i.f_start in
+      forall (i: nat). i < len ==> Seq.index s i == Seq.index s' i
+    ))
+    [SMTPat (Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x)]
+  = let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in
+    let len = v i.f_start in
+    introduce forall (i:nat {i < len}). Seq.index s i == Seq.index s' i
+    with (assert ( Seq.index (Seq.slice s  0 len) i == Seq.index s  i 
+                 /\ Seq.index (Seq.slice s' 0 len) i == Seq.index s' i ))  
+
+
+/// Bounded integers
+
+let is_intb (l:nat) (x:int) = (x <= l) && (x >= -l)
+let is_i16b (l:nat) (x:i16) = is_intb l (v x)
+let is_i16b_array (l:nat) (x:t_Slice i16) = forall i. i < Seq.length x ==> is_i16b l (Seq.index x i)
+let is_i16b_vector (l:nat) (r:usize) (x:t_Array (t_Array i16 (sz 256)) r) = forall i. i < v r ==> is_i16b_array l (Seq.index x i)
+let is_i16b_matrix (l:nat) (r:usize) (x:t_Array (t_Array (t_Array i16 (sz 256)) r) r) = forall i. i < v r ==> is_i16b_vector l r (Seq.index x i)
+
+[@ "opaque_to_smt"]
+let is_i16b_array_opaque (l:nat) (x:t_Slice i16) = is_i16b_array l x
+
+let is_i32b (l:nat) (x:i32) = is_intb l (v x)
+let is_i32b_array (l:nat) (x:t_Slice i32) = forall i. i < Seq.length x ==> is_i32b l (Seq.index x i)
+
+let nat_div_ceil (x:nat) (y:pos) : nat = if (x % y = 0) then x/y else (x/y)+1
+
+val lemma_intb_le b b'
+  : Lemma (requires (b <= b'))
+          (ensures (forall n. is_intb b n ==> is_intb b' n))
+let lemma_intb_le b b' = ()          
+
+#push-options "--z3rlimit 200"
+val lemma_mul_intb (b1 b2: nat) (n1 n2: int) 
+    : Lemma (requires (is_intb b1 n1 /\ is_intb b2 n2))
+      (ensures (is_intb (b1 * b2) (n1 * n2)))
+let lemma_mul_intb (b1 b2: nat) (n1 n2: int) =
+  if n1 = 0 || n2 = 0
+  then ()
+  else 
+    let open FStar.Math.Lemmas in
+    lemma_abs_bound n1 b1;
+    lemma_abs_bound n2 b2;
+    lemma_abs_mul n1 n2;
+    lemma_mult_le_left (abs n1) (abs n2) b2;
+    lemma_mult_le_right b2 (abs n1) b1;
+    lemma_abs_bound (n1 * n2) (b1 * b2)
+#pop-options
+
+#push-options "--z3rlimit 200"
+val lemma_mul_i16b (b1 b2: nat) (n1 n2: i16) 
+    : Lemma (requires (is_i16b b1 n1 /\ is_i16b b2 n2 /\ b1 * b2 < pow2 31))
+      (ensures (range (v n1 * v n2) i32_inttype /\ 
+                is_i32b (b1 * b2) ((cast n1 <: i32) *! (cast n2 <: i32)) /\
+                v ((cast n1 <: i32) *! (cast n2 <: i32)) == v n1 * v n2))
+      
+let lemma_mul_i16b (b1 b2: nat) (n1 n2: i16) =
+  if v n1 = 0 || v n2 = 0
+  then ()
+  else 
+    let open FStar.Math.Lemmas in
+    lemma_abs_bound (v n1) b1;
+    lemma_abs_bound (v n2) b2;
+    lemma_abs_mul (v n1) (v n2);
+    lemma_mult_le_left (abs (v n1)) (abs (v n2)) b2;
+    lemma_mult_le_right b2 (abs (v n1)) b1;
+    lemma_abs_bound (v n1 * v n2) (b1 * b2)
+#pop-options
+
+val lemma_add_i16b (b1 b2:nat) (n1 n2:i16) :
+  Lemma (requires (is_i16b b1 n1 /\ is_i16b b2 n2 /\ b1 + b2 < pow2 15))
+        (ensures (range (v n1 + v n2) i16_inttype /\
+                  is_i16b (b1 + b2) (n1 +! n2)))
+let lemma_add_i16b (b1 b2:nat) (n1 n2:i16) = ()
+
+#push-options "--z3rlimit 100 --split_queries always"
+let lemma_range_at_percent (v:int) (p:int{p>0/\ p%2=0 /\ v < p/2 /\ v >= -p / 2}):
+  Lemma (v @% p == v) =
+    let m = v % p in
+    if v < 0 then (
+      Math.Lemmas.lemma_mod_plus v 1 p;
+      assert ((v + p) % p == v % p);
+      assert (v + p >= 0);
+      assert (v + p < p);
+      Math.Lemmas.modulo_lemma (v+p) p;
+      assert (m == v + p);
+      assert (m >= p/2);
+      assert (v @% p == m - p);
+      assert (v @% p == v))
+    else (
+      assert (v >= 0 /\ v < p);
+      Math.Lemmas.modulo_lemma v p;
+      assert (v % p == v);
+      assert (m < p/2);
+      assert (v @% p == v)
+    )
+#pop-options
+
+val lemma_sub_i16b (b1 b2:nat) (n1 n2:i16) :
+  Lemma (requires (is_i16b b1 n1 /\ is_i16b b2 n2 /\ b1 + b2 < pow2 15))
+        (ensures (range (v n1 - v n2) i16_inttype /\
+                  is_i16b (b1 + b2) (n1 -. n2) /\
+                  v (n1 -. n2) == v n1 - v n2))
+let lemma_sub_i16b (b1 b2:nat) (n1 n2:i16) = ()
+
+let mont_mul_red_i16 (x:i16) (y:i16) : i16=
+  let vlow = x *. y in
+  let k = vlow *. (neg 3327s) in
+  let k_times_modulus = cast (((cast k <: i32) *. 3329l) >>! 16l) <: i16 in
+  let vhigh = cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16 in
+  vhigh -. k_times_modulus
+
+let mont_red_i32 (x:i32) : i16 =
+  let vlow = cast x <: i16 in
+  let k = vlow *. (neg 3327s) in
+  let k_times_modulus = cast (((cast k <: i32) *. 3329l) >>! 16l) <: i16 in
+  let vhigh = cast (x >>! 16l) <: i16 in
+  vhigh -. k_times_modulus
+
+#push-options "--z3rlimit 100"
+let lemma_at_percent_mod (v:int) (p:int{p>0/\ p%2=0}):
+  Lemma ((v @% p) % p == v % p) =
+  let m = v % p in
+  assert (m >= 0 /\ m < p);
+  if m >= p/2 then (
+    assert ((v @%p) % p == (m - p) %p);
+    Math.Lemmas.lemma_mod_plus m (-1) p;
+    assert ((v @%p) % p == m %p);
+    Math.Lemmas.lemma_mod_mod m v p;
+    assert ((v @%p) % p == v % p)
+  ) else (
+    assert ((v @%p) % p == m%p);
+    Math.Lemmas.lemma_mod_mod m v p;
+    assert ((v @%p) % p == v % p)
+  ) 
+#pop-options
+
+let lemma_div_at_percent (v:int) (p:int{p>0/\ p%2=0 /\ (v/p) < p/2 /\ (v/p) >= -p / 2}):
+  Lemma ((v / p) @% p == v / p) = 
+    lemma_range_at_percent (v/p) p
+
+val lemma_mont_red_i32 (x:i32): Lemma
+  (requires (is_i32b (3328 * pow2 16) x))
+  (ensures (
+          let result:i16 = mont_red_i32 x in
+          is_i16b (3328 + 1665) result /\
+          (is_i32b (3328 * pow2 15) x ==> is_i16b 3328 result) /\
+          v result % 3329 == (v x * 169) % 3329))
+
+let lemma_mont_red_i32 (x:i32) =
+  let vlow = cast x <: i16 in
+  assert (v vlow == v x @% pow2 16);
+  let k = vlow *. (neg 3327s) in
+  assert (v k == ((v x @% pow2 16) * (- 3327)) @% pow2 16);
+  let k_times_modulus = (cast k <: i32) *. 3329l in
+  assert (v k_times_modulus == (v k * 3329));
+  let c = cast (k_times_modulus >>! 16l) <: i16 in
+  assert (v c == (((v k * 3329) / pow2 16) @% pow2 16));
+  lemma_div_at_percent (v k * 3329) (pow2 16);
+  assert (v c == (((v k * 3329) / pow2 16)));
+  assert (is_i16b 1665 c);
+  let vhigh = cast (x >>! 16l) <: i16 in
+  lemma_div_at_percent (v x) (pow2 16);
+  assert (v vhigh == v x / pow2 16);
+  assert (is_i16b 3328 vhigh);
+  let result = vhigh -. c in
+  lemma_sub_i16b 3328 1665 vhigh c;
+  assert (is_i16b (3328 + 1665) result);
+  assert (v result = v vhigh - v c);
+  assert (is_i16b (3328 + 1665) result);
+  assert (is_i32b (3328 * pow2 15) x ==> is_i16b 3328 result);
+  calc ( == ) {
+      v k_times_modulus % pow2 16;
+      ( == ) { assert (v k_times_modulus == v k * 3329) }
+      (v k * 3329) % pow2 16;
+      ( == ) { assert (v k = ((v x @% pow2 16) * (-3327)) @% pow2 16) }
+      ((((v x @% pow2 16) * (-3327)) @% pow2 16) * 3329) % pow2 16;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (((v x @% pow2 16) * (-3327)) @% pow2 16) 3329 (pow2 16) }
+      (((((v x @% pow2 16) * (-3327)) @% pow2 16) % pow2 16) * 3329) % pow2 16;
+      ( == ) { lemma_at_percent_mod ((v x @% pow2 16) * (-3327)) (pow2 16)}
+      ((((v x @% pow2 16) * (-3327)) % pow2 16)  * 3329) % pow2 16;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v x @% pow2 16) * (-3327)) 3329 (pow2 16) }
+      (((v x @% pow2 16) * (-3327)) * 3329) % pow2 16;
+      ( == ) { }
+      ((v x @% pow2 16) * (-3327 * 3329)) % pow2 16;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v x @% pow2 16) (-3327 * 3329) (pow2 16) }
+      ((v x @% pow2 16) % pow2 16);
+      ( == ) { lemma_at_percent_mod (v x) (pow2 16) }
+      (v x) % pow2 16;
+    };
+    Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v x) (v k_times_modulus);
+    assert ((v x - v k_times_modulus) % pow2 16 == 0);
+    calc ( == ) {
+      v result % 3329;
+      ( == ) { }
+      (v x / pow2 16 - v k_times_modulus / pow2 16) % 3329;
+      ( == ) { Math.Lemmas.lemma_div_exact (v x - v k_times_modulus) (pow2 16) }
+      ((v x - v k_times_modulus) / pow2 16) % 3329;
+      ( == ) { assert ((pow2 16 * 169) % 3329 == 1) }
+      (((v x - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v x - v k_times_modulus) / pow2 16)
+        (pow2 16 * 169)
+        3329 }
+      (((v x - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_div_exact (v x - v k_times_modulus) (pow2 16) }
+      ((v x - v k_times_modulus) * 169) % 3329;
+      ( == ) { assert (v k_times_modulus == v k * 3329) }
+      ((v x * 169) - (v k * 3329 * 169)) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_sub (v x * 169) 3329 (v k * 169) }
+      (v x * 169) % 3329;
+    }
+
+val lemma_mont_mul_red_i16_int (x y:i16): Lemma
+  (requires (is_intb (3326 * pow2 15) (v x * v y)))
+  (ensures (
+          let result:i16 = mont_mul_red_i16 x y in
+          is_i16b 3328 result /\
+          v result % 3329 == (v x * v y * 169) % 3329))
+
+#push-options "--z3rlimit 200"
+
+let lemma_mont_mul_red_i16_int (x y:i16) = 
+  let vlow = x *. y in
+  let prod = v x * v y in
+  assert (v vlow == prod @% pow2 16);
+  let k = vlow *. (neg 3327s) in
+  assert (v k == (((prod) @% pow2 16) * (- 3327)) @% pow2 16);
+  let k_times_modulus = (cast k <: i32) *. 3329l in
+  assert (v k_times_modulus == (v k * 3329));
+  let c = cast (k_times_modulus >>! 16l) <: i16 in
+  assert (v c == (((v k * 3329) / pow2 16) @% pow2 16));
+  lemma_div_at_percent (v k * 3329) (pow2 16);
+  assert (v c == (((v k * 3329) / pow2 16)));
+  assert (is_i16b 1665 c);
+  let vhigh = cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16 in
+  assert (v x @% pow2 32 == v x);
+  assert (v y @% pow2 32 == v y);
+  assert (v ((cast x <: i32) *. (cast y <: i32)) == (v x * v y) @% pow2 32);
+  assert (v vhigh == (((prod) @% pow2 32) / pow2 16) @% pow2 16);
+  assert_norm (pow2 15 * 3326 < pow2 31);
+  lemma_range_at_percent prod (pow2 32);
+  assert (v vhigh == (prod / pow2 16) @% pow2 16);
+  lemma_div_at_percent prod (pow2 16);
+  assert (v vhigh == prod / pow2 16);
+  let result = vhigh -. c in
+  assert (is_i16b 1663 vhigh);
+  lemma_sub_i16b 1663 1665 vhigh c;
+  assert (is_i16b 3328 result);
+  assert (v result = v vhigh - v c);
+  calc ( == ) {
+      v k_times_modulus % pow2 16;
+      ( == ) { assert (v k_times_modulus == v k * 3329) }
+      (v k * 3329) % pow2 16;
+      ( == ) { assert (v k = ((prod @% pow2 16) * (-3327)) @% pow2 16) }
+      ((((prod @% pow2 16) * (-3327)) @% pow2 16) * 3329) % pow2 16;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (((prod @% pow2 16) * (-3327)) @% pow2 16) 3329 (pow2 16) }
+      (((((prod @% pow2 16) * (-3327)) @% pow2 16) % pow2 16) * 3329) % pow2 16;
+      ( == ) { lemma_at_percent_mod ((prod @% pow2 16) * (-3327)) (pow2 16)}
+      ((((prod @% pow2 16) * (-3327)) % pow2 16)  * 3329) % pow2 16;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((prod @% pow2 16) * (-3327)) 3329 (pow2 16) }
+      (((prod @% pow2 16) * (-3327)) * 3329) % pow2 16;
+      ( == ) { }
+      ((prod @% pow2 16) * (-3327 * 3329)) % pow2 16;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (prod @% pow2 16) (-3327 * 3329) (pow2 16) }
+      ((prod @% pow2 16) % pow2 16);
+      ( == ) { lemma_at_percent_mod (prod) (pow2 16) }
+      (prod) % pow2 16;
+    };
+    Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) ((prod)) (v k_times_modulus);
+    assert (((prod) - v k_times_modulus) % pow2 16 == 0);
+    calc ( == ) {
+      v result % 3329;
+      ( == ) { }
+      (((prod) / pow2 16) - ((v k * 3329) / pow2 16)) % 3329;
+      ( == ) { Math.Lemmas.lemma_div_exact ((prod) - (v k * 3329)) (pow2 16) }
+      ((prod - (v k * 3329)) / pow2 16) % 3329;
+      ( == ) { assert ((pow2 16 * 169) % 3329 == 1) }
+      (((prod - (v k * 3329)) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (((prod) - (v k * 3329)) / pow2 16)
+        (pow2 16 * 169)
+        3329 }
+      ((((prod) - (v k * 3329)) / pow2 16) * pow2 16 * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_div_exact ((prod) - (v k * 3329)) (pow2 16) }
+      (((prod) - (v k * 3329)) * 169) % 3329;
+      ( == ) { Math.Lemmas.lemma_mod_sub ((prod) * 169) 3329 (v k * 169)}
+      ((prod) * 169) % 3329; 
+    }
+
+#pop-options
+
+val lemma_mont_mul_red_i16 (x y:i16): Lemma
+  (requires (is_i16b 1664 y \/ is_intb (3326 * pow2 15) (v x * v y)))
+  (ensures (
+          let result:i16 = mont_mul_red_i16 x y in
+          is_i16b 3328 result /\
+          v result % 3329 == (v x * v y * 169) % 3329))
+          [SMTPat (mont_mul_red_i16 x y)]
+let lemma_mont_mul_red_i16 x y =
+  if is_i16b 1664 y then (
+    lemma_mul_intb (pow2 15) 1664 (v x) (v y);
+    assert(is_intb (3326 * pow2 15) (v x * v y));
+    lemma_mont_mul_red_i16_int x y) 
+  else lemma_mont_mul_red_i16_int x y
+ 
+let barrett_red (x:i16) = 
+  let t1 = cast (((cast x <: i32) *. (cast 20159s <: i32)) >>! 16l) <: i16 in
+  let t2 = t1 +. 512s in
+  let q = t2 >>! 10l in
+  let qm = q *. 3329s in
+  x -. qm
+
+let lemma_barrett_red (x:i16) : Lemma
+   (requires (is_i16b 28296 x))
+   (ensures (let result = barrett_red x in
+             is_i16b 3328 result /\
+             v result % 3329 == v x % 3329)) 
+   [SMTPat (barrett_red x)]
+   = admit()
+
+let cond_sub (x:i16) =
+  let xm = x -. 3329s in
+  let mask = xm >>! 15l in
+  let mm = mask &. 3329s in
+  xm +. mm
+
+let lemma_cond_sub x:
+  Lemma (let r = cond_sub x in
+         if x >=. 3329s then r == x -! 3329s else r == x)
+        [SMTPat (cond_sub x)]
+  = admit()
+
+
+let lemma_shift_right_15_i16 (x:i16):
+  Lemma (if v x >= 0 then (x >>! 15l) == 0s else (x >>! 15l) == -1s) =
+  Rust_primitives.Integers.mk_int_v_lemma #i16_inttype 0s;
+  Rust_primitives.Integers.mk_int_v_lemma #i16_inttype (-1s);
+  ()
+
+val ntt_spec #len (vec_in: t_Array i16 len) (zeta: int) (i: nat{i < v len}) (j: nat{j < v len}) 
+                  (vec_out: t_Array i16 len) : Type0
+let ntt_spec vec_in zeta i j vec_out =
+  ((v (Seq.index vec_out i) % 3329) ==
+   ((v (Seq.index vec_in i) + (v (Seq.index vec_in j) * zeta * 169)) % 3329)) /\
+  ((v (Seq.index vec_out j) % 3329) ==
+   ((v (Seq.index vec_in i) - (v (Seq.index vec_in j) * zeta * 169)) % 3329))
+
+val inv_ntt_spec #len (vec_in: t_Array i16 len) (zeta: int) (i: nat{i < v len}) (j: nat{j < v len}) 
+                 (vec_out: t_Array i16 len) : Type0
+let inv_ntt_spec vec_in zeta i j vec_out =
+  ((v (Seq.index vec_out i) % 3329) ==
+   ((v (Seq.index vec_in j) + v (Seq.index vec_in i)) % 3329)) /\
+  ((v (Seq.index vec_out j) % 3329) ==
+   (((v (Seq.index vec_in j) - v (Seq.index vec_in i)) * zeta * 169) % 3329))
+
diff --git a/libcrux-ml-kem/proofs/verification_status.md b/libcrux-ml-kem/proofs/verification_status.md
new file mode 100644
index 000000000..71f373679
--- /dev/null
+++ b/libcrux-ml-kem/proofs/verification_status.md
@@ -0,0 +1,49 @@
+# ML-KEM Verification Status
+
+This file keeps track of the current verification status of the modules in the ML-KEM implementation.
+
+Lax Checking means that the module translates to typed code in F* which passes the F* lax checker.
+Runtime Safety means that the module has been proved to be free of panics, that it obeys all the preconditions
+set by the Rust standard library (e.g. arrays are accessed in bounds, arithmetic operations do not overflow, etc)
+as well as the pre-conditions set by all the modules this module depends on (e.g. range preconditions on inputs).
+Correctness means that the module has been formally verified for correctness against a high-level mathematical
+specifiction of its input-output behavior.
+
+We write "yes" when the module is fully proven to satisfy one of these conditions, and "needs proofs" when some
+functions in the modules still need some proofs in that category.
+
+
+| Category | File              | Lax Checking | Runtime Safety | Correctness  |
+| -------- | ----------------- | ------------ | -------------- | ------------ |
+| _Generic_  | constant_time_ops | yes          | yes            | yes          |    
+|          | hash_functions    | yes          | yes            | yes          |    
+|          | ind_cpa           | yes          | yes            | yes          |    
+|          | ind_cca           | yes          | yes            | yes          |    
+|          | instantiations    | yes          | yes            | yes          |    
+|          | multiplexing      | yes          | yes            | yes          |    
+|          | mlkem*            | yes          | yes            | needs proofs |    
+|          | invert_ntt        | yes          | yes            | needs proofs |    
+|          | ntt               | yes          | yes            | needs proofs |    
+|          | matrix            | yes          | needs proofs   | needs proofs |    
+|          | sampling          | yes          | needs proofs   | needs proofs |    
+|          | polynomial        | yes          | needs proofs   | needs proofs |    
+|          | serialize         | yes          | needs proofs   | needs proofs |    
+| 	   |                   |              |                |              |
+| _Portable_ | arithmetic        | yes          | yes            | yes          |
+|          | ntt               | yes          | yes            | yes          |
+|          | compress          | yes          | yes            | yes          |
+|          | serialize         | yes          | yes            | yes          |
+|          | sampling          | yes          | needs proofs   | needs proofs |
+|          |                   |              |                |              |
+| _Avx2_     | arithmetic        | yes          | yes            | yes          |
+|          | ntt               | yes          | yes            | yes          |
+|          | compress          | yes          | yes            | needs proofs |
+|          | serialize         | yes          | needs proofs   | needs proofs |
+|          | sampling          | yes          | needs proofs   | needs proofs |
+|          |                   |              |                |              |
+| _Neon_     | arithmetic        | yes          | needs proofs   | needs proofs |
+|          | ntt               | yes          | needs proofs   | needs proofs |
+|          | compress          | yes          | needs proofs   | needs proofs |
+|          | serialize         | yes          | needs proofs   | needs proofs |
+|          | sampling          | yes          | needs proofs   | needs proofs |
+
diff --git a/libcrux-ml-kem/src/cfg.rs b/libcrux-ml-kem/src/cfg.rs
index 8b234dbee..265dd00c0 100644
--- a/libcrux-ml-kem/src/cfg.rs
+++ b/libcrux-ml-kem/src/cfg.rs
@@ -1,28 +1,4 @@
-/// Macro to simplify feature gating of verified code that should only be enabled
-/// when unverified code is disabled.
-macro_rules! cfg_verified {
-    ($($item:item)*) => {
-        $(
-            #[cfg(not(feature = "pre-verification"))]
-            #[allow(missing_docs)]
-            $item
-        )*
-    }
-}
-
-/// Macro to simplify `pre-verification` feature gating
-macro_rules! cfg_pre_verification {
-    ($($item:item)*) => {
-        $(
-            #[cfg(feature = "pre-verification")]
-            #[cfg_attr(docsrs, doc(cfg(feature = "pre-verification")))]
-            $item
-        )*
-    }
-}
-
 /// Macro to simplify `kyber` feature gating
-#[cfg(feature = "pre-verification")]
 macro_rules! cfg_kyber {
     ($($item:item)*) => {
         $(
diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs
index b37bad7a1..b462a2cff 100644
--- a/libcrux-ml-kem/src/constant_time_ops.rs
+++ b/libcrux-ml-kem/src/constant_time_ops.rs
@@ -11,13 +11,46 @@ use crate::constants::SHARED_SECRET_SIZE;
 // XXX: We have to disable this for C extraction for now. See eurydice/issues#37
 
 /// Return 1 if `value` is not zero and 0 otherwise.
+#[hax_lib::ensures(|result| fstar!(r#"($value == 0uy ==> $result == 0uy) /\
+    ($value =!= 0uy ==> $result == 1uy)"#))]
 fn inz(value: u8) -> u8 {
+    let _orig_value = value;
     let value = value as u16;
-    let result = ((value | (!value).wrapping_add(1)) >> 8) & 1;
-    result as u8
+    let result = ((!value).wrapping_add(1) >> 8) as u8;
+    let res = result & 1;
+    hax_lib::fstar!(
+        r#"if v $_orig_value = 0 then  (
+        assert($value == zero);
+        lognot_lemma $value;
+        assert((~.$value +. 1us) == zero);
+        assert((Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) == zero);
+        logor_lemma $value zero;
+        assert(($value |. (Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) <: u16) == $value);
+        assert (v $result == v (($value >>! 8l)));
+        assert ((v $value / pow2 8) == 0);
+        assert ($result == 0uy);
+        logand_lemma 1uy $result;
+        assert ($res == 0uy))
+    else (
+        assert (v $value <> 0);
+        lognot_lemma $value;
+        assert (v (~.$value) = pow2 16 - 1 - v $value);
+        assert (v (~.$value) + 1 = pow2 16 - v $value);
+        assert (v ($value) <= pow2 8 - 1);
+        assert ((v (~.$value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v $value));
+        assert ((v (~.$value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v $value));
+        assert ((v (~.$value) + 1)/pow2 8 = (pow2 8 - 1));
+        assert (v ((Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) >>! 8l) = pow2 8 - 1);
+        assert ($result = ones);
+        logand_lemma 1uy $result;
+        assert ($res = 1uy))"#
+    );
+    res
 }
 
 #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out.
+#[hax_lib::ensures(|result| fstar!(r#"($value == 0uy ==> $result == 0uy) /\
+    ($value =!= 0uy ==> $result == 1uy)"#))]
 fn is_non_zero(value: u8) -> u8 {
     #[cfg(eurydice)]
     return inz(value);
@@ -28,13 +61,52 @@ fn is_non_zero(value: u8) -> u8 {
 
 /// Return 1 if the bytes of `lhs` and `rhs` do not exactly
 /// match and 0 otherwise.
-#[cfg_attr(hax, hax_lib::requires(
-    lhs.len() == rhs.len()
-))]
+#[hax_lib::requires(lhs.len() == rhs.len())]
+#[hax_lib::ensures(|result| fstar!(r#"($lhs == $rhs ==> $result == 0uy) /\
+    ($lhs =!= $rhs ==> $result == 1uy)"#))]
 fn compare(lhs: &[u8], rhs: &[u8]) -> u8 {
     let mut r: u8 = 0;
     for i in 0..lhs.len() {
-        r |= lhs[i] ^ rhs[i];
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"v $i <= Seq.length $lhs /\
+            (if (Seq.slice $lhs 0 (v $i) = Seq.slice $rhs 0 (v $i)) then
+                $r == 0uy
+                else ~ ($r == 0uy))"#
+            )
+        });
+        let nr = r | (lhs[i] ^ rhs[i]);
+        hax_lib::fstar!(
+            r#"if $r =. 0uy then (
+            if (Seq.index $lhs (v $i) = Seq.index $rhs (v $i)) then (
+               logxor_lemma (Seq.index $lhs (v $i)) (Seq.index $rhs (v $i));
+               assert (((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8) = zero);
+               logor_lemma $r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8);
+               assert ($nr = $r);
+               assert (forall j. Seq.index (Seq.slice $lhs 0 (v $i)) j == Seq.index $lhs j);
+               assert (forall j. Seq.index (Seq.slice $rhs 0 (v $i)) j == Seq.index $rhs j);
+               eq_intro (Seq.slice $lhs 0 ((v $i) + 1)) (Seq.slice $rhs 0 ((v $i) + 1))
+            )
+            else (
+               logxor_lemma (Seq.index $lhs (v $i)) (Seq.index $rhs (v $i));
+               assert (((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8) <>  zero);
+               logor_lemma r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8);
+               assert (v $nr > 0);
+               assert (Seq.index (Seq.slice $lhs 0 ((v $i)+1)) (v $i) <> 
+                       Seq.index (Seq.slice $rhs 0 ((v $i)+1)) (v $i));
+               assert (Seq.slice $lhs 0 ((v $i)+1) <> Seq.slice $rhs 0 ((v $i) + 1))
+            )
+          ) else (
+            logor_lemma $r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8);
+            assert (v $nr >= v $r);
+            assert (Seq.slice $lhs 0 (v $i) <> Seq.slice $rhs 0 (v $i));
+            if (Seq.slice $lhs 0 ((v $i)+1) = Seq.slice $rhs 0 ((v $i) + 1)) then
+              (assert (forall j. j < (v $i) + 1 ==> Seq.index (Seq.slice $lhs 0 ((v $i)+1)) j == Seq.index (Seq.slice $rhs 0 ((v $i)+1)) j);
+               eq_intro (Seq.slice $lhs 0 (v $i)) (Seq.slice $rhs 0 (v $i));
+               assert(False))
+          )"#
+        );
+        r = nr;
     }
 
     is_non_zero(r)
@@ -42,25 +114,75 @@ fn compare(lhs: &[u8], rhs: &[u8]) -> u8 {
 
 /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in
 /// `lhs` otherwise.
-#[cfg_attr(hax, hax_lib::requires(
+#[hax_lib::requires(
     lhs.len() == rhs.len() &&
     lhs.len() == SHARED_SECRET_SIZE
-))]
+)]
+#[hax_lib::ensures(|result| fstar!(r#"($selector == 0uy ==> $result == $lhs) /\
+        ($selector =!= 0uy ==> $result == $rhs)"#))]
+#[hax_lib::fstar::options("--ifuel 0 --z3rlimit 50")]
 fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] {
     let mask = is_non_zero(selector).wrapping_sub(1);
+    hax_lib::fstar!(
+        "assert (if $selector = 0uy then $mask = ones else $mask = zero);
+        lognot_lemma $mask;
+        assert (if $selector = 0uy then ~.$mask = zero else ~.$mask = ones)"
+    );
     let mut out = [0u8; SHARED_SECRET_SIZE];
 
     for i in 0..SHARED_SECRET_SIZE {
-        out[i] = (lhs[i] & mask) | (rhs[i] & !mask);
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"v $i <= v $SHARED_SECRET_SIZE /\
+            (forall j. j < v $i ==> (if ($selector =. 0uy) then Seq.index $out j == Seq.index $lhs j else Seq.index $out j == Seq.index $rhs j)) /\
+            (forall j. j >= v $i ==> Seq.index $out j == 0uy)"#
+            )
+        });
+        hax_lib::fstar!(r#"assert ((${out}.[ $i ] <: u8) = 0uy)"#);
+        let outi = (lhs[i] & mask) | (rhs[i] & !mask);
+        hax_lib::fstar!(
+            r#"if ($selector = 0uy) then (
+            logand_lemma (${lhs}.[ $i ] <: u8) $mask;
+            assert (((${lhs}.[ $i ] <: u8) &. $mask <: u8) == (${lhs}.[ $i ] <: u8));
+            logand_lemma (${rhs}.[ $i ] <: u8) (~.$mask);
+            assert (((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) == zero);
+            logor_lemma ((${lhs}.[ $i ] <: u8) &. $mask <: u8) ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8);
+            assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8));
+            logor_lemma (${out}.[ $i ] <: u8) (${lhs}.[ $i ] <: u8);
+            assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8));
+            assert ($outi = (${lhs}.[ $i ] <: u8))
+          )
+          else (
+            logand_lemma (${lhs}.[ $i ] <: u8) $mask;
+            assert (((${lhs}.[ $i ] <: u8) &. $mask <: u8) == zero);
+            logand_lemma (${rhs}.[ $i ] <: u8) (~.$mask);
+            assert (((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) == (${rhs}.[ $i ] <: u8));
+            logor_lemma (${rhs}.[ $i ] <: u8) zero;
+            assert ((logor zero (${rhs}.[ $i ] <: u8)) == (${rhs}.[ $i ] <: u8));
+            assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8)) == (${rhs}.[ $i ] <: u8));
+            logor_lemma (${out}.[ $i ] <: u8) (${rhs}.[ $i ] <: u8);
+            assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) <: u8) == (${rhs}.[ $i ] <: u8));
+            assert ($outi = (${rhs}.[ $i ] <: u8))
+          )"#
+        );
+        out[i] = outi;
     }
 
+    hax_lib::fstar!(
+        "if ($selector =. 0uy) then (
+            eq_intro $out $lhs
+        )
+        else (
+            eq_intro $out $rhs
+        )"
+    );
     out
 }
 
 #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out.
-#[cfg_attr(hax, hax_lib::requires(
-    lhs.len() == rhs.len()
-))]
+#[hax_lib::requires(lhs.len() == rhs.len())]
+#[hax_lib::ensures(|result| fstar!(r#"($lhs == $rhs ==> $result == 0uy) /\
+    ($lhs =!= $rhs ==> $result == 1uy)"#))]
 pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 {
     #[cfg(eurydice)]
     return compare(lhs, rhs);
@@ -70,10 +192,12 @@ pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8
 }
 
 #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out.
-#[cfg_attr(hax, hax_lib::requires(
+#[hax_lib::requires(
     lhs.len() == rhs.len() &&
     lhs.len() == SHARED_SECRET_SIZE
-))]
+)]
+#[hax_lib::ensures(|result| fstar!(r#"($selector == 0uy ==> $result == $lhs) /\
+       ($selector =!= 0uy ==> $result == $rhs)"#))]
 pub(crate) fn select_shared_secret_in_constant_time(
     lhs: &[u8],
     rhs: &[u8],
@@ -86,11 +210,14 @@ pub(crate) fn select_shared_secret_in_constant_time(
     core::hint::black_box(select_ct(lhs, rhs, selector))
 }
 
-#[cfg_attr(hax, hax_lib::requires(
+#[hax_lib::requires(
     lhs_c.len() == rhs_c.len() &&
     lhs_s.len() == rhs_s.len() &&
     lhs_s.len() == SHARED_SECRET_SIZE
-))]
+)]
+#[hax_lib::ensures(|result| fstar!(r#"let selector = if $lhs_c =. $rhs_c then 0uy else 1uy in
+    ((selector == 0uy ==> $result == $lhs_s) /\
+     (selector =!= 0uy ==> $result == $rhs_s))"#))]
 pub(crate) fn compare_ciphertexts_select_shared_secret_in_constant_time(
     lhs_c: &[u8],
     rhs_c: &[u8],
diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs
index 341404af9..572664cff 100644
--- a/libcrux-ml-kem/src/hash_functions.rs
+++ b/libcrux-ml-kem/src/hash_functions.rs
@@ -23,50 +23,69 @@ pub(crate) const THREE_BLOCKS: usize = BLOCK_SIZE * 3;
 /// - AVX2
 /// - NEON
 /// - Portable
+#[hax_lib::attributes]
 pub(crate) trait Hash<const K: usize> {
     /// G aka SHA3 512
+    #[requires(true)]
+    #[ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_G $input"#))
+    ]
     fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE];
 
     /// H aka SHA3 256
+    #[requires(true)]
+    #[ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_H $input"#))
+    ]
     fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE];
 
     /// PRF aka SHAKE256
+    #[requires(fstar!(r#"v $LEN < pow2 32"#))]
+    #[ensures(|result|
+        // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
+        fstar!(r#"v $LEN < pow2 32 ==> $result == Spec.Utils.v_PRF $LEN $input"#))
+    ]
     fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN];
 
     /// PRFxN aka N SHAKE256
+    #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
+    #[ensures(|result|
+        // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
+        fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==>
+            $result == Spec.Utils.v_PRFxN $K $LEN $input"#))
+    ]
     fn PRFxN<const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K];
 
     /// Create a SHAKE128 state and absorb the input.
-    fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self;
+    #[requires(true)]
+    fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self;
 
     /// Squeeze 3 blocks out of the SHAKE128 state.
-    fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K];
+    #[requires(true)]
+    fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K];
 
     /// Squeeze 1 block out of the SHAKE128 state.
-    fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K];
+    #[requires(true)]
+    fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K];
 }
 
 /// A portable implementation of [`Hash`]
 pub(crate) mod portable {
     use super::*;
-    use libcrux_sha3::portable::{
-        self,
-        incremental::{
-            shake128_absorb_final, shake128_init, shake128_squeeze_first_three_blocks,
-            shake128_squeeze_next_block,
-        },
-        KeccakState,
-    };
+    use libcrux_sha3::portable::{self, incremental, KeccakState};
 
     /// The state.
     ///
     /// It's only used for SHAKE128.
     /// All other functions don't actually use any members.
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct PortableHash<const K: usize> {
         shake128_state: [KeccakState; K],
     }
 
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_G $input"#))
+    ]
     #[inline(always)]
     fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
         let mut digest = [0u8; G_DIGEST_SIZE];
@@ -74,6 +93,9 @@ pub(crate) mod portable {
         digest
     }
 
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_H $input"#))
+    ]
     #[inline(always)]
     fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
         let mut digest = [0u8; H_DIGEST_SIZE];
@@ -81,6 +103,10 @@ pub(crate) mod portable {
         digest
     }
 
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32"#))]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_PRF $LEN $input"#))
+    ]
     #[inline(always)]
     fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
         let mut digest = [0u8; LEN];
@@ -88,6 +114,10 @@ pub(crate) mod portable {
         digest
     }
 
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#))
+    ]
     #[inline(always)]
     fn PRFxN<const K: usize, const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
         debug_assert!(K == 2 || K == 3 || K == 4);
@@ -100,74 +130,96 @@ pub(crate) mod portable {
     }
 
     #[inline(always)]
-    fn shake128_init_absorb<const K: usize>(input: [[u8; 34]; K]) -> PortableHash<K> {
+    fn shake128_init_absorb_final<const K: usize>(input: [[u8; 34]; K]) -> PortableHash<K> {
         debug_assert!(K == 2 || K == 3 || K == 4);
 
-        let mut shake128_state = [shake128_init(); K];
+        let mut shake128_state = [incremental::shake128_init(); K];
         for i in 0..K {
-            shake128_absorb_final(&mut shake128_state[i], &input[i]);
+            incremental::shake128_absorb_final(&mut shake128_state[i], &input[i]);
         }
         PortableHash { shake128_state }
     }
 
     #[inline(always)]
-    fn shake128_squeeze_three_blocks<const K: usize>(
+    fn shake128_squeeze_first_three_blocks<const K: usize>(
         st: &mut PortableHash<K>,
     ) -> [[u8; THREE_BLOCKS]; K] {
         debug_assert!(K == 2 || K == 3 || K == 4);
 
         let mut out = [[0u8; THREE_BLOCKS]; K];
         for i in 0..K {
-            shake128_squeeze_first_three_blocks(&mut st.shake128_state[i], &mut out[i]);
+            incremental::shake128_squeeze_first_three_blocks(
+                &mut st.shake128_state[i],
+                &mut out[i],
+            );
         }
         out
     }
 
     #[inline(always)]
-    fn shake128_squeeze_block<const K: usize>(st: &mut PortableHash<K>) -> [[u8; BLOCK_SIZE]; K] {
+    fn shake128_squeeze_next_block<const K: usize>(
+        st: &mut PortableHash<K>,
+    ) -> [[u8; BLOCK_SIZE]; K] {
         debug_assert!(K == 2 || K == 3 || K == 4);
 
         let mut out = [[0u8; BLOCK_SIZE]; K];
         for i in 0..K {
-            shake128_squeeze_next_block(&mut st.shake128_state[i], &mut out[i]);
+            incremental::shake128_squeeze_next_block(&mut st.shake128_state[i], &mut out[i]);
         }
         out
     }
 
+    #[hax_lib::attributes]
     impl<const K: usize> Hash<K> for PortableHash<K> {
+        #[ensures(|out|
+            fstar!(r#"$out == Spec.Utils.v_G $input"#))
+        ]
         #[inline(always)]
         fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
             G(input)
         }
 
+        #[ensures(|out|
+            fstar!(r#"$out == Spec.Utils.v_H $input"#))
+        ]
         #[inline(always)]
         fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
             H(input)
         }
 
+        #[requires(fstar!(r#"v $LEN < pow2 32"#))]
+        #[ensures(|out|
+            // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
+            fstar!(r#"v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"#))
+        ]
         #[inline(always)]
         fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
             PRF::<LEN>(input)
         }
 
+        #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
+        #[ensures(|out|
+            fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==>
+                $out == Spec.Utils.v_PRFxN $K $LEN $input"#))
+        ]
         #[inline(always)]
         fn PRFxN<const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
             PRFxN::<K, LEN>(input)
         }
 
         #[inline(always)]
-        fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self {
-            shake128_init_absorb(input)
+        fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self {
+            shake128_init_absorb_final(input)
         }
 
         #[inline(always)]
-        fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] {
-            shake128_squeeze_three_blocks(self)
+        fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] {
+            shake128_squeeze_first_three_blocks(self)
         }
 
         #[inline(always)]
-        fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] {
-            shake128_squeeze_block(self)
+        fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] {
+            shake128_squeeze_next_block(self)
         }
     }
 }
@@ -185,11 +237,14 @@ pub(crate) mod avx2 {
     ///
     /// It's only used for SHAKE128.
     /// All other functions don't actually use any members.
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Simd256Hash {
         shake128_state: KeccakState,
     }
 
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_G $input"#))
+    ]
     #[inline(always)]
     fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
         let mut digest = [0u8; G_DIGEST_SIZE];
@@ -197,6 +252,9 @@ pub(crate) mod avx2 {
         digest
     }
 
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_H $input"#))
+    ]
     #[inline(always)]
     fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
         let mut digest = [0u8; H_DIGEST_SIZE];
@@ -204,6 +262,10 @@ pub(crate) mod avx2 {
         digest
     }
 
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32"#))]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_PRF $LEN $input"#))
+    ]
     #[inline(always)]
     fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
         let mut digest = [0u8; LEN];
@@ -211,6 +273,10 @@ pub(crate) mod avx2 {
         digest
     }
 
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#))
+    ]
     #[inline(always)]
     fn PRFxN<const K: usize, const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
         debug_assert!(K == 2 || K == 3 || K == 4);
@@ -254,7 +320,7 @@ pub(crate) mod avx2 {
     }
 
     #[inline(always)]
-    fn shake128_init_absorb<const K: usize>(input: [[u8; 34]; K]) -> Simd256Hash {
+    fn shake128_init_absorb_final<const K: usize>(input: [[u8; 34]; K]) -> Simd256Hash {
         debug_assert!(K == 2 || K == 3 || K == 4);
         let mut state = x4::incremental::init();
 
@@ -283,7 +349,7 @@ pub(crate) mod avx2 {
     }
 
     #[inline(always)]
-    fn shake128_squeeze_three_blocks<const K: usize>(
+    fn shake128_squeeze_first_three_blocks<const K: usize>(
         st: &mut Simd256Hash,
     ) -> [[u8; THREE_BLOCKS]; K] {
         debug_assert!(K == 2 || K == 3 || K == 4);
@@ -321,7 +387,7 @@ pub(crate) mod avx2 {
     }
 
     #[inline(always)]
-    fn shake128_squeeze_block<const K: usize>(st: &mut Simd256Hash) -> [[u8; BLOCK_SIZE]; K] {
+    fn shake128_squeeze_next_block<const K: usize>(st: &mut Simd256Hash) -> [[u8; BLOCK_SIZE]; K] {
         debug_assert!(K == 2 || K == 3 || K == 4);
         let mut out = [[0u8; BLOCK_SIZE]; K];
         let mut out0 = [0u8; BLOCK_SIZE];
@@ -356,40 +422,57 @@ pub(crate) mod avx2 {
         out
     }
 
+    #[hax_lib::attributes]
     impl<const K: usize> Hash<K> for Simd256Hash {
+        #[ensures(|out|
+            fstar!(r#"$out == Spec.Utils.v_G $input"#))
+        ]
         #[inline(always)]
         fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
             G(input)
         }
 
+        #[ensures(|out|
+            fstar!(r#"$out == Spec.Utils.v_H $input"#))
+        ]
         #[inline(always)]
         fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
             H(input)
         }
 
+        #[requires(fstar!(r#"v $LEN < pow2 32"#))]
+        #[hax_lib::ensures(|out|
+            // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
+            fstar!(r#"v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"#))
+        ]
         #[inline(always)]
         fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
             PRF::<LEN>(input)
         }
 
+        #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
+        #[ensures(|out|
+            fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==>
+                $out == Spec.Utils.v_PRFxN $K $LEN $input"#))
+        ]
         #[inline(always)]
         fn PRFxN<const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
             PRFxN::<K, LEN>(input)
         }
 
         #[inline(always)]
-        fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self {
-            shake128_init_absorb(input)
+        fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self {
+            shake128_init_absorb_final(input)
         }
 
         #[inline(always)]
-        fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] {
-            shake128_squeeze_three_blocks(self)
+        fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] {
+            shake128_squeeze_first_three_blocks(self)
         }
 
         #[inline(always)]
-        fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] {
-            shake128_squeeze_block(self)
+        fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] {
+            shake128_squeeze_next_block(self)
         }
     }
 }
@@ -404,11 +487,14 @@ pub(crate) mod neon {
     ///
     /// It's only used for SHAKE128.
     /// All other functions don't actually use any members.
-    #[cfg_attr(hax, hax_lib::opaque_type)]
+    #[cfg_attr(hax, hax_lib::opaque)]
     pub(crate) struct Simd128Hash {
         shake128_state: [KeccakState; 2],
     }
 
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_G $input"#))
+    ]
     #[inline(always)]
     fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
         let mut digest = [0u8; G_DIGEST_SIZE];
@@ -416,6 +502,9 @@ pub(crate) mod neon {
         digest
     }
 
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_H $input"#))
+    ]
     #[inline(always)]
     fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
         let mut digest = [0u8; H_DIGEST_SIZE];
@@ -423,6 +512,10 @@ pub(crate) mod neon {
         digest
     }
 
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32"#))]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_PRF $LEN $input"#))
+    ]
     #[inline(always)]
     fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
         let mut digest = [0u8; LEN];
@@ -431,6 +524,10 @@ pub(crate) mod neon {
         digest
     }
 
+    #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#))
+    ]
     #[inline(always)]
     fn PRFxN<const K: usize, const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
         debug_assert!(K == 2 || K == 3 || K == 4);
@@ -466,7 +563,7 @@ pub(crate) mod neon {
     }
 
     #[inline(always)]
-    fn shake128_init_absorb<const K: usize>(input: [[u8; 34]; K]) -> Simd128Hash {
+    fn shake128_init_absorb_final<const K: usize>(input: [[u8; 34]; K]) -> Simd128Hash {
         debug_assert!(K == 2 || K == 3 || K == 4);
         let mut state = [x2::incremental::init(), x2::incremental::init()];
         match K as u8 {
@@ -490,7 +587,7 @@ pub(crate) mod neon {
     }
 
     #[inline(always)]
-    fn shake128_squeeze_three_blocks<const K: usize>(
+    fn shake128_squeeze_first_three_blocks<const K: usize>(
         st: &mut Simd128Hash,
     ) -> [[u8; THREE_BLOCKS]; K] {
         debug_assert!(K == 2 || K == 3 || K == 4);
@@ -548,7 +645,7 @@ pub(crate) mod neon {
     }
 
     #[inline(always)]
-    fn shake128_squeeze_block<const K: usize>(st: &mut Simd128Hash) -> [[u8; BLOCK_SIZE]; K] {
+    fn shake128_squeeze_next_block<const K: usize>(st: &mut Simd128Hash) -> [[u8; BLOCK_SIZE]; K] {
         debug_assert!(K == 2 || K == 3 || K == 4);
 
         let mut out = [[0u8; BLOCK_SIZE]; K];
@@ -603,40 +700,58 @@ pub(crate) mod neon {
         out
     }
 
+    #[hax_lib::attributes]
     impl<const K: usize> Hash<K> for Simd128Hash {
+        #[ensures(|out|
+            fstar!(r#"$out == Spec.Utils.v_G $input"#))
+        ]
         #[inline(always)]
         fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
             G(input)
         }
 
+        #[ensures(|out|
+            fstar!(r#"$out == Spec.Utils.v_H $input"#))
+        ]
         #[inline(always)]
         fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
             H(input)
         }
 
+        #[requires(fstar!(r#"v $LEN < pow2 32"#))]
+        #[ensures(|out|
+            // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
+            fstar!(r#"v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"#))
+        ]
         #[inline(always)]
         fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
             PRF::<LEN>(input)
         }
 
+        #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))]
+        #[ensures(|out|
+            // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784
+            fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==>
+                $out == Spec.Utils.v_PRFxN $K $LEN $input"#))
+        ]
         #[inline(always)]
         fn PRFxN<const LEN: usize>(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] {
             PRFxN::<K, LEN>(input)
         }
 
         #[inline(always)]
-        fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self {
-            shake128_init_absorb(input)
+        fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self {
+            shake128_init_absorb_final(input)
         }
 
         #[inline(always)]
-        fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] {
-            shake128_squeeze_three_blocks(self)
+        fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] {
+            shake128_squeeze_first_three_blocks(self)
         }
 
         #[inline(always)]
-        fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] {
-            shake128_squeeze_block(self)
+        fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] {
+            shake128_squeeze_next_block(self)
         }
     }
 }
diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs
index acb113c29..916ff78a3 100644
--- a/libcrux-ml-kem/src/ind_cca.rs
+++ b/libcrux-ml-kem/src/ind_cca.rs
@@ -34,7 +34,18 @@ pub(crate) mod multiplexing;
 pub(crate) mod instantiations;
 
 /// Serialize the secret key.
+
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 150")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    ${private_key.len()} == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    ${public_key.len()} == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"#))]
+#[hax_lib::ensures(|result| fstar!(r#"${serialized}_future == Seq.append $private_key (
+                                              Seq.append $public_key (
+                                              Seq.append (Spec.Utils.v_H $public_key) 
+                                                  $implicit_rejection_value))"#))]
 fn serialize_kem_secret_key_mut<
     const K: usize,
     const SERIALIZED_KEY_LEN: usize,
@@ -54,16 +65,48 @@ fn serialize_kem_secret_key_mut<
     pointer += H_DIGEST_SIZE;
     serialized[pointer..pointer + implicit_rejection_value.len()]
         .copy_from_slice(implicit_rejection_value);
+
+    hax_lib::fstar!(
+   "let open Spec.Utils in
+    assert (Seq.slice serialized 0 (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K)) `Seq.equal` $private_key);
+    assert (Seq.slice serialized (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K))
+                            (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K)) `Seq.equal` $public_key);
+    assert (Seq.slice serialized (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K +!
+                                            Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K))
+                            (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K +!
+                                            Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K +!
+                                            Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE))
+            `Seq.equal` Libcrux_ml_kem.Hash_functions.f_H #$:Hasher #$K $public_key);
+    assert (Seq.slice serialized (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K +!
+                                            Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K +!
+                                            Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE))
+                            (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K +!
+                                            Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K +!
+                                            Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE +!
+                                            Spec.MLKEM.v_SHARED_SECRET_SIZE))
+            == $implicit_rejection_value);
+    lemma_slice_append_4 serialized $private_key $public_key (Libcrux_ml_kem.Hash_functions.f_H #$:Hasher #$K $public_key) $implicit_rejection_value"
+    );
 }
 
-/// Serialize the secret key.
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 150")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    ${private_key.len()} == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    ${public_key.len()} == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"#))]
+#[hax_lib::ensures(|result| fstar!(r#"$result == Seq.append $private_key (
+                                              Seq.append $public_key (
+                                              Seq.append (Spec.Utils.v_H $public_key) 
+                                                  $implicit_rejection_value))"#))]
 fn serialize_kem_secret_key<const K: usize, const SERIALIZED_KEY_LEN: usize, Hasher: Hash<K>>(
     private_key: &[u8],
     public_key: &[u8],
     implicit_rejection_value: &[u8],
 ) -> [u8; SERIALIZED_KEY_LEN] {
     let mut out = [0u8; SERIALIZED_KEY_LEN];
+
     serialize_kem_secret_key_mut::<K, SERIALIZED_KEY_LEN, Hasher>(
         private_key,
         public_key,
@@ -79,6 +122,9 @@ fn serialize_kem_secret_key<const K: usize, const SERIALIZED_KEY_LEN: usize, Has
 /// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the
 /// `public_key` type.
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
 fn validate_public_key<
     const K: usize,
     const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -87,7 +133,7 @@ fn validate_public_key<
 >(
     public_key: &[u8; PUBLIC_KEY_SIZE],
 ) -> bool {
-    let deserialized_pk = deserialize_ring_elements_reduced_out::<PUBLIC_KEY_SIZE, K, Vector>(
+    let deserialized_pk = deserialize_ring_elements_reduced_out::<K, Vector>(
         &public_key[..RANKED_BYTES_PER_RING_ELEMENT],
     );
     let public_key_serialized =
@@ -105,6 +151,10 @@ fn validate_public_key<
 /// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE`
 /// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types.
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 300")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
 fn validate_private_key<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -121,6 +171,9 @@ fn validate_private_key<
 ///
 /// This implements the Hash check in 7.3 3.
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 300")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"#))]
 fn validate_private_key_only<const K: usize, const SECRET_KEY_SIZE: usize, Hasher: Hash<K>>(
     private_key: &MlKemPrivateKey<SECRET_KEY_SIZE>,
 ) -> bool {
@@ -138,13 +191,23 @@ fn validate_private_key_only<const K: usize, const SECRET_KEY_SIZE: usize, Hashe
 ///
 /// Depending on the `Vector` and `Hasher` used, this requires different hardware
 /// features
+#[hax_lib::fstar::options("--z3rlimit 300")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
+#[hax_lib::ensures(|result| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cca_generate_keypair $K $randomness in
+                                    valid ==> (${result}.f_sk.f_value, ${result}.f_pk.f_value) == expected"#))]
 #[inline(always)]
 fn generate_keypair<
     const K: usize,
     const CPA_PRIVATE_KEY_SIZE: usize,
     const PRIVATE_KEY_SIZE: usize,
     const PUBLIC_KEY_SIZE: usize,
-    const BYTES_PER_RING_ELEMENT: usize,
+    const RANKED_BYTES_PER_RING_ELEMENT: usize,
     const ETA1: usize,
     const ETA1_RANDOMNESS_SIZE: usize,
     Vector: Operations,
@@ -160,7 +223,7 @@ fn generate_keypair<
         K,
         CPA_PRIVATE_KEY_SIZE,
         PUBLIC_KEY_SIZE,
-        BYTES_PER_RING_ELEMENT,
+        RANKED_BYTES_PER_RING_ELEMENT,
         ETA1,
         ETA1_RANDOMNESS_SIZE,
         Vector,
@@ -179,6 +242,22 @@ fn generate_keypair<
     MlKemKeyPair::from(private_key, MlKemPublicKey::from(public_key))
 }
 
+#[hax_lib::fstar::options("--z3rlimit 300")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
+#[hax_lib::ensures(|result| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cca_encapsulate $K ${public_key}.f_value $randomness in
+                                    valid ==> (${result}._1.f_value, ${result}._2) == expected"#))]
 #[inline(always)]
 fn encapsulate<
     const K: usize,
@@ -189,7 +268,7 @@ fn encapsulate<
     const C2_SIZE: usize,
     const VECTOR_U_COMPRESSION_FACTOR: usize,
     const VECTOR_V_COMPRESSION_FACTOR: usize,
-    const VECTOR_U_BLOCK_LEN: usize,
+    const C1_BLOCK_SIZE: usize,
     const ETA1: usize,
     const ETA1_RANDOMNESS_SIZE: usize,
     const ETA2: usize,
@@ -203,8 +282,13 @@ fn encapsulate<
 ) -> (MlKemCiphertext<CIPHERTEXT_SIZE>, MlKemSharedSecret) {
     let randomness = Scheme::entropy_preprocess::<K, Hasher>(&randomness);
     let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&randomness);
+    hax_lib::fstar!(r#"eq_intro (Seq.slice $to_hash 0 32) $randomness"#);
     to_hash[H_DIGEST_SIZE..].copy_from_slice(&Hasher::H(public_key.as_slice()));
-
+    hax_lib::fstar!(
+        "assert (Seq.slice to_hash 0 (v $H_DIGEST_SIZE) == $randomness);
+        lemma_slice_append $to_hash $randomness (Spec.Utils.v_H ${public_key}.f_value);
+        assert ($to_hash == concat $randomness (Spec.Utils.v_H ${public_key}.f_value))"
+    );
     let hashed = Hasher::G(&to_hash);
     let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE);
 
@@ -216,7 +300,7 @@ fn encapsulate<
         C2_SIZE,
         VECTOR_U_COMPRESSION_FACTOR,
         VECTOR_V_COMPRESSION_FACTOR,
-        VECTOR_U_BLOCK_LEN,
+        C1_BLOCK_SIZE,
         ETA1,
         ETA1_RANDOMNESS_SIZE,
         ETA2,
@@ -227,10 +311,29 @@ fn encapsulate<
 
     let ciphertext = MlKemCiphertext::from(ciphertext);
     let shared_secret_array = Scheme::kdf::<K, CIPHERTEXT_SIZE, Hasher>(shared_secret, &ciphertext);
-
     (ciphertext, shared_secret_array)
 }
 
+/// This code verifies on some machines, runs out of memory on others
+#[hax_lib::fstar::options("--z3rlimit 500")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
+#[hax_lib::ensures(|result| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cca_decapsulate $K ${private_key}.f_value ${ciphertext}.f_value in
+                                    valid ==> $result == expected"#))]
 #[inline(always)]
 pub(crate) fn decapsulate<
     const K: usize,
@@ -256,9 +359,20 @@ pub(crate) fn decapsulate<
     private_key: &MlKemPrivateKey<SECRET_KEY_SIZE>,
     ciphertext: &MlKemCiphertext<CIPHERTEXT_SIZE>,
 ) -> MlKemSharedSecret {
+    hax_lib::fstar!(
+        r#"assert (v $CIPHERTEXT_SIZE == v $IMPLICIT_REJECTION_HASH_INPUT_SIZE - v $SHARED_SECRET_SIZE)"#
+    );
     let (ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value) =
         unpack_private_key::<CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE>(&private_key.value);
 
+    hax_lib::fstar!(
+        r#"assert ($ind_cpa_secret_key == slice ${private_key}.f_value (sz 0) $CPA_SECRET_KEY_SIZE);
+        assert ($ind_cpa_public_key == slice ${private_key}.f_value $CPA_SECRET_KEY_SIZE ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE));
+        assert ($ind_cpa_public_key_hash == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE)
+            ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE));
+        assert ($implicit_rejection_value == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)
+            (length ${private_key}.f_value))"#
+    );
     let decrypted = crate::ind_cpa::decrypt::<
         K,
         CIPHERTEXT_SIZE,
@@ -269,16 +383,39 @@ pub(crate) fn decapsulate<
     >(ind_cpa_secret_key, &ciphertext.value);
 
     let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted);
+    hax_lib::fstar!(r#"eq_intro (Seq.slice $to_hash 0 32) $decrypted"#);
     to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ind_cpa_public_key_hash);
 
+    hax_lib::fstar!(
+        r#"lemma_slice_append to_hash $decrypted $ind_cpa_public_key_hash;
+        assert ($decrypted == Spec.MLKEM.ind_cpa_decrypt $K $ind_cpa_secret_key ${ciphertext}.f_value);
+        assert ($to_hash == concat $decrypted $ind_cpa_public_key_hash)"#
+    );
     let hashed = Hasher::G(&to_hash);
     let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE);
 
+    hax_lib::fstar!(
+        r#"assert (($shared_secret , $pseudorandomness) == split $hashed $SHARED_SECRET_SIZE);
+        assert (length $implicit_rejection_value = $SECRET_KEY_SIZE -! $CPA_SECRET_KEY_SIZE -! $PUBLIC_KEY_SIZE -! $H_DIGEST_SIZE);
+        assert (length $implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE);
+        assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K)"#
+    );
     let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] =
         into_padded_array(implicit_rejection_value);
+    hax_lib::fstar!(r#"eq_intro (Seq.slice $to_hash 0 32) $implicit_rejection_value"#);
     to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref());
+    hax_lib::fstar!(
+        "assert_norm (pow2 32 == 0x100000000);
+        assert (v (sz 32) < pow2 32);
+        assert (i4.f_PRF_pre (sz 32) $to_hash);
+        lemma_slice_append $to_hash $implicit_rejection_value ${ciphertext}.f_value"
+    );
     let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = Hasher::PRF(&to_hash);
 
+    hax_lib::fstar!(
+        "assert ($implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) $to_hash);
+        assert (Seq.length $ind_cpa_public_key == v $PUBLIC_KEY_SIZE)"
+    );
     let expected_ciphertext = crate::ind_cpa::encrypt::<
         K,
         CIPHERTEXT_SIZE,
@@ -345,6 +482,19 @@ pub(crate) mod unpacked {
     }
 
     /// Generate an unpacked key from a serialized key.
+    #[hax_lib::requires(
+        fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+        $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#)
+    )]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"let (public_key_hash, (seed, (deserialized_pk, (matrix_A, valid)))) =
+            Spec.MLKEM.ind_cca_unpack_public_key $K ${public_key}.f_value in (valid ==>
+            Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${unpacked_public_key}_future.f_ind_cpa_public_key.f_A == matrix_A) /\
+        Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${unpacked_public_key}_future.f_ind_cpa_public_key.f_t_as_ntt == deserialized_pk /\
+        ${unpacked_public_key}_future.f_ind_cpa_public_key.f_seed_for_A == seed /\
+        ${unpacked_public_key}_future.f_public_key_hash == public_key_hash"#))
+    ]
     #[inline(always)]
     pub(crate) fn unpack_public_key<
         const K: usize,
@@ -357,10 +507,16 @@ pub(crate) mod unpacked {
         public_key: &MlKemPublicKey<PUBLIC_KEY_SIZE>,
         unpacked_public_key: &mut MlKemPublicKeyUnpacked<K, Vector>,
     ) {
-        deserialize_ring_elements_reduced::<T_AS_NTT_ENCODED_SIZE, K, Vector>(
+        deserialize_ring_elements_reduced::<K, Vector>(
             &public_key.value[..T_AS_NTT_ENCODED_SIZE],
             &mut unpacked_public_key.ind_cpa_public_key.t_as_ntt,
         );
+        hax_lib::fstar!(
+            r#"let (_, seed) = split ${public_key}.f_value (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K) in
+            Lib.Sequence.eq_intro #u8 #32 (Libcrux_ml_kem.Utils.into_padded_array (sz 32) seed) seed;
+            Lib.Sequence.eq_intro #u8 #32
+                (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32) seed"#
+        );
         unpacked_public_key.ind_cpa_public_key.seed_for_A =
             into_padded_array(&public_key.value[T_AS_NTT_ENCODED_SIZE..]);
         sample_matrix_A::<K, Vector, Hasher>(
@@ -371,9 +527,23 @@ pub(crate) mod unpacked {
         unpacked_public_key.public_key_hash = Hasher::H(public_key.as_slice());
     }
 
+    #[hax_lib::attributes]
     impl<const K: usize, Vector: Operations> MlKemPublicKeyUnpacked<K, Vector> {
         /// Get the serialized public key.
         #[inline(always)]
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+            $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+            (forall (i:nat). i < v $K ==>
+                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                    self.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
+        #[ensures(|_|
+            fstar!(r#"${serialized}_future.f_value == 
+                Seq.append (Spec.MLKEM.vector_encode_12 #$K
+                    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector
+                        self.f_ind_cpa_public_key.f_t_as_ntt))
+                self.f_ind_cpa_public_key.f_seed_for_A)"#)
+        )]
         pub fn serialized_mut<
             const RANKED_BYTES_PER_RING_ELEMENT: usize,
             const PUBLIC_KEY_SIZE: usize,
@@ -390,6 +560,18 @@ pub(crate) mod unpacked {
 
         /// Get the serialized public key.
         #[inline(always)]
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+            $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+            (forall (i:nat). i < v $K ==>
+                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index
+                    self.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
+        #[ensures(|res|
+            fstar!(r#"${res}.f_value == Seq.append (Spec.MLKEM.vector_encode_12 #$K
+                            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector
+                                self.f_ind_cpa_public_key.f_t_as_ntt))
+                        self.f_ind_cpa_public_key.f_seed_for_A)"#)
+        )]
         pub fn serialized<
             const RANKED_BYTES_PER_RING_ELEMENT: usize,
             const PUBLIC_KEY_SIZE: usize,
@@ -420,6 +602,12 @@ pub(crate) mod unpacked {
 
     /// Take a serialized private key and generate an unpacked key pair from it.
     #[inline(always)]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+           v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+           v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+           v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+           v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+           v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))]
     pub fn keys_from_private_key<
         const K: usize,
         const SECRET_KEY_SIZE: usize,
@@ -468,6 +656,7 @@ pub(crate) mod unpacked {
             .copy_from_slice(&ind_cpa_public_key[T_AS_NTT_ENCODED_SIZE..]);
     }
 
+    #[hax_lib::attributes]
     impl<const K: usize, Vector: Operations> MlKemKeyPairUnpacked<K, Vector> {
         /// Create a new empty unpacked key pair.
         #[inline(always)]
@@ -477,6 +666,12 @@ pub(crate) mod unpacked {
 
         /// Take a serialized private key and generate an unpacked key pair from it.
         #[inline(always)]
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+           v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+           v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+           v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+           v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+           v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"#))]
         pub fn from_private_key<
             const SECRET_KEY_SIZE: usize,
             const CPA_SECRET_KEY_SIZE: usize,
@@ -501,6 +696,19 @@ pub(crate) mod unpacked {
 
         /// Get the serialized public key.
         #[inline(always)]
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+            $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+            (forall (i:nat). i < v $K ==>
+                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                    self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
+        #[ensures(|_|
+            fstar!(r#"${serialized}_future.f_value == 
+                Seq.append (Spec.MLKEM.vector_encode_12 #$K
+                    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector
+                        self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt))
+                self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)"#)
+        )]
         pub fn serialized_public_key_mut<
             const RANKED_BYTES_PER_RING_ELEMENT: usize,
             const PUBLIC_KEY_SIZE: usize,
@@ -514,6 +722,18 @@ pub(crate) mod unpacked {
 
         /// Get the serialized public key.
         #[inline(always)]
+        #[requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+            $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+            (forall (i:nat). i < v $K ==>
+                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index
+                    self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
+        #[ensures(|res|
+            fstar!(r#"${res}.f_value == Seq.append (Spec.MLKEM.vector_encode_12 #$K
+                            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector
+                                self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt))
+                        self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)"#)
+        )]
         pub fn serialized_public_key<
             const RANKED_BYTES_PER_RING_ELEMENT: usize,
             const PUBLIC_KEY_SIZE: usize,
@@ -538,6 +758,11 @@ pub(crate) mod unpacked {
 
         /// Get the serialized private key.
         #[inline(always)]
+        #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+            $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+            $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+            $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K"#))]
         pub fn serialized_private_key_mut<
             const CPA_PRIVATE_KEY_SIZE: usize,
             const PRIVATE_KEY_SIZE: usize,
@@ -568,6 +793,11 @@ pub(crate) mod unpacked {
 
         /// Get the serialized private key.
         #[inline(always)]
+        #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+            $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+            $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+            $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+            $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K"#))]
         pub fn serialized_private_key<
             const CPA_PRIVATE_KEY_SIZE: usize,
             const PRIVATE_KEY_SIZE: usize,
@@ -595,8 +825,68 @@ pub(crate) mod unpacked {
         }
     }
 
+    #[hax_lib::fstar::options("--z3rlimit 200")]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"forall (i: nat). i < v $K ==>
+            (forall (j: nat). j < v $K ==>
+                Seq.index (Seq.index $result i) j ==
+                    Seq.index (Seq.index $ind_cpa_a j) i)"#))
+    ]
+    fn transpose_a<const K: usize, Vector: Operations>(
+        ind_cpa_a: [[PolynomialRingElement<Vector>; K]; K],
+    ) -> [[PolynomialRingElement<Vector>; K]; K] {
+        // We need to un-transpose the A_transpose matrix provided by IND-CPA
+        //  We would like to write the following but it is not supported by Eurydice yet.
+        //  https://github.com/AeneasVerif/eurydice/issues/39
+        //
+        //    let A = from_fn(|i| {
+        //        from_fn(|j| A_transpose[j][i])
+        //    });
+
+        #[allow(non_snake_case)]
+        let mut A = from_fn(|_i| from_fn(|_j| PolynomialRingElement::<Vector>::ZERO()));
+        for i in 0..K {
+            hax_lib::loop_invariant!(|i: usize| {
+                fstar!(
+                    r#"forall (j: nat). j < v $i ==>
+            (forall (k: nat). k < v $K ==>
+                Seq.index (Seq.index $A j) k ==
+                    Seq.index (Seq.index $ind_cpa_a k) j)"#
+                )
+            });
+            let _a_i = A;
+            for j in 0..K {
+                hax_lib::loop_invariant!(|j: usize| {
+                    fstar!(
+                        r#"(forall (k: nat). k < v $i ==>
+                    Seq.index $A k == Seq.index $_a_i k) /\
+                (forall (k: nat). k < v $j ==>
+                  Seq.index (Seq.index $A (v $i)) k ==
+                    Seq.index (Seq.index $ind_cpa_a k) (v $i))"#
+                    )
+                });
+                A[i][j] = ind_cpa_a[j][i].clone();
+            }
+        }
+        A
+    }
+
     /// Generate Unpacked Keys
     #[inline(always)]
+    #[hax_lib::fstar::options("--z3rlimit 1500 --ext context_pruning --z3refresh")]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"let ((m_A, public_key_hash), implicit_rejection_value), valid =
+            Spec.MLKEM.ind_cca_unpack_generate_keypair $K $randomness in
+        valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector
+            ${out}_future.f_public_key.f_ind_cpa_public_key.f_A == m_A /\
+        ${out}_future.f_public_key.f_public_key_hash == public_key_hash /\
+        ${out}_future.f_private_key.f_implicit_rejection_value == implicit_rejection_value"#))
+    ]
     pub(crate) fn generate_keypair<
         const K: usize,
         const CPA_PRIVATE_KEY_SIZE: usize,
@@ -621,21 +911,29 @@ pub(crate) mod unpacked {
             &mut out.public_key.ind_cpa_public_key,
         );
 
-        // We need to un-transpose the A_transpose matrix provided by IND-CPA
-        //  We would like to write the following but it is not supported by Eurydice yet.
-        //  https://github.com/AeneasVerif/eurydice/issues/39
-        //
-        //    let A = from_fn(|i| {
-        //        from_fn(|j| A_transpose[j][i])
-        //    });
-
         #[allow(non_snake_case)]
-        let mut A = from_fn(|_i| from_fn(|_j| PolynomialRingElement::<Vector>::ZERO()));
-        for i in 0..K {
-            for j in 0..K {
-                A[i][j] = out.public_key.ind_cpa_public_key.A[j][i].clone();
-            }
-        }
+        let A = transpose_a::<K, Vector>(out.public_key.ind_cpa_public_key.A);
+        hax_lib::fstar!(
+            r#"let (ind_cpa_keypair_randomness, _) = split $randomness Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE in
+        let ((((_, _), matrix_A_as_ntt), _), sufficient_randomness) =
+            Spec.MLKEM.ind_cpa_generate_keypair_unpacked $K ind_cpa_keypair_randomness in
+        let m_v_A = Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector $A in
+        let m_f_A = Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector out.f_public_key.f_ind_cpa_public_key.f_A in
+        let m_A:Spec.MLKEM.matrix $K = createi $K (Spec.MLKEM.matrix_A_as_ntt_i matrix_A_as_ntt) in
+        assert (forall (i: nat). i < v $K ==>
+            (forall (j: nat). j < v $K ==>
+            Seq.index (Seq.index m_v_A i) j ==
+                Seq.index (Seq.index m_f_A j) i));
+        let lemma_aux (i: nat{ i < v $K }) : Lemma
+            (sufficient_randomness ==> Seq.index m_v_A i == Seq.index m_A i) =
+            if sufficient_randomness then
+            Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v $K)
+                (Seq.index m_v_A i) (Seq.index m_A i)
+        in
+        Classical.forall_intro lemma_aux;
+        if sufficient_randomness then
+            Lib.Sequence.eq_intro #(Spec.MLKEM.vector $K) #(v $K) m_A m_v_A"#
+        );
         out.public_key.ind_cpa_public_key.A = A;
 
         let pk_serialized =
@@ -649,6 +947,26 @@ pub(crate) mod unpacked {
 
     // Encapsulate with Unpacked Public Key
     #[inline(always)]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
+    #[hax_lib::ensures(|(ciphertext_result, shared_secret_array)|
+        fstar!(r#"let (ciphertext, shared_secret) =
+            Spec.MLKEM.ind_cca_unpack_encapsulate $K ${public_key}.f_public_key_hash
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key}.f_ind_cpa_public_key.f_t_as_ntt)
+            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key}.f_ind_cpa_public_key.f_A)
+            $randomness in
+        ${ciphertext_result}.f_value == ciphertext /\
+        $shared_secret_array == shared_secret"#))
+    ]
     pub(crate) fn encapsulate<
         const K: usize,
         const CIPHERTEXT_SIZE: usize,
@@ -669,8 +987,16 @@ pub(crate) mod unpacked {
         public_key: &MlKemPublicKeyUnpacked<K, Vector>,
         randomness: [u8; SHARED_SECRET_SIZE],
     ) -> (MlKemCiphertext<CIPHERTEXT_SIZE>, MlKemSharedSecret) {
+        hax_lib::fstar!(
+            "Lib.Sequence.eq_intro #u8 #32 (Seq.slice (
+            Libcrux_ml_kem.Utils.into_padded_array (sz 64) $randomness) 0 32) $randomness"
+        );
         let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&randomness);
         to_hash[H_DIGEST_SIZE..].copy_from_slice(&public_key.public_key_hash);
+        hax_lib::fstar!(
+            "Lib.Sequence.eq_intro #u8 #64 $to_hash (
+            concat $randomness ${public_key}.f_public_key_hash)"
+        );
 
         let hashed = Hasher::G(&to_hash);
         let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE);
@@ -698,6 +1024,28 @@ pub(crate) mod unpacked {
 
     // Decapsulate with Unpacked Private Key
     #[inline(always)]
+    #[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning --z3refresh")]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+        $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
+    #[hax_lib::ensures(|result|
+        fstar!(r#"$result ==
+            Spec.MLKEM.ind_cca_unpack_decapsulate $K ${key_pair}.f_public_key.f_public_key_hash
+            ${key_pair}.f_private_key.f_implicit_rejection_value
+            ${ciphertext}.f_value
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${key_pair}.f_private_key.f_ind_cpa_private_key.f_secret_as_ntt)
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt)
+            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${key_pair}.f_public_key.f_ind_cpa_public_key.f_A)"#))
+    ]
     pub(crate) fn decapsulate<
         const K: usize,
         const SECRET_KEY_SIZE: usize,
@@ -721,6 +1069,13 @@ pub(crate) mod unpacked {
         key_pair: &MlKemKeyPairUnpacked<K, Vector>,
         ciphertext: &MlKemCiphertext<CIPHERTEXT_SIZE>,
     ) -> MlKemSharedSecret {
+        hax_lib::fstar!(
+            r#"assert (v $IMPLICIT_REJECTION_HASH_INPUT_SIZE == 32 + v (Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K));
+        assert (v (Spec.MLKEM.v_C1_SIZE $K +! Spec.MLKEM.v_C2_SIZE $K) == v (Spec.MLKEM.v_C1_SIZE $K) + v (Spec.MLKEM.v_C2_SIZE $K));
+        assert (v (Spec.MLKEM.v_C1_SIZE $K) == v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) * v $K);
+        assert (v (Spec.MLKEM.v_C1_BLOCK_SIZE $K)  == 32 * v (Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K));
+        assert (v (Spec.MLKEM.v_C2_SIZE $K) == 32 * v (Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K))"#
+        );
         let decrypted = ind_cpa::decrypt_unpacked::<
             K,
             CIPHERTEXT_SIZE,
@@ -731,14 +1086,26 @@ pub(crate) mod unpacked {
         >(&key_pair.private_key.ind_cpa_private_key, &ciphertext.value);
 
         let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted);
+        hax_lib::fstar!(r#"Lib.Sequence.eq_intro #u8 #32 (Seq.slice $to_hash 0 32) $decrypted"#);
         to_hash[SHARED_SECRET_SIZE..].copy_from_slice(&key_pair.public_key.public_key_hash);
+        hax_lib::fstar!(
+            r#"Lib.Sequence.lemma_concat2 32 $decrypted 32 ${key_pair}.f_public_key.f_public_key_hash $to_hash"#
+        );
 
         let hashed = Hasher::G(&to_hash);
         let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE);
 
         let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] =
             into_padded_array(&key_pair.private_key.implicit_rejection_value);
+        hax_lib::fstar!(
+            "Lib.Sequence.eq_intro #u8 #32
+            (Seq.slice $to_hash 0 32) ${key_pair}.f_private_key.f_implicit_rejection_value"
+        );
         to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref());
+        hax_lib::fstar!(
+            "Lib.Sequence.lemma_concat2 32 ${key_pair}.f_private_key.f_implicit_rejection_value
+            (v (Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K)) ${ciphertext}.f_value $to_hash"
+        );
         let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = Hasher::PRF(&to_hash);
 
         let expected_ciphertext = ind_cpa::encrypt_unpacked::<
diff --git a/libcrux-ml-kem/src/ind_cca/instantiations.rs b/libcrux-ml-kem/src/ind_cca/instantiations.rs
index 24bbd45c8..441279351 100644
--- a/libcrux-ml-kem/src/ind_cca/instantiations.rs
+++ b/libcrux-ml-kem/src/ind_cca/instantiations.rs
@@ -7,12 +7,19 @@ macro_rules! instantiate {
             };
 
             /// Portable generate key pair.
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+                $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+                $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
             pub(crate) fn generate_keypair<
                 const K: usize,
                 const CPA_PRIVATE_KEY_SIZE: usize,
                 const PRIVATE_KEY_SIZE: usize,
                 const PUBLIC_KEY_SIZE: usize,
-                const BYTES_PER_RING_ELEMENT: usize,
+                const RANKED_BYTES_PER_RING_ELEMENT: usize,
                 const ETA1: usize,
                 const ETA1_RANDOMNESS_SIZE: usize,
             >(
@@ -23,7 +30,7 @@ macro_rules! instantiate {
                     CPA_PRIVATE_KEY_SIZE,
                     PRIVATE_KEY_SIZE,
                     PUBLIC_KEY_SIZE,
-                    BYTES_PER_RING_ELEMENT,
+                    RANKED_BYTES_PER_RING_ELEMENT,
                     ETA1,
                     ETA1_RANDOMNESS_SIZE,
                     $vector,
@@ -60,6 +67,9 @@ macro_rules! instantiate {
 
             /// Public key validation
             #[inline(always)]
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
             pub(crate) fn validate_public_key<
                 const K: usize,
                 const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -77,6 +87,9 @@ macro_rules! instantiate {
 
             /// Private key validation
             #[inline(always)]
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
             pub(crate) fn validate_private_key<
                 const K: usize,
                 const SECRET_KEY_SIZE: usize,
@@ -93,6 +106,8 @@ macro_rules! instantiate {
 
             /// Private key validation
             #[inline(always)]
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"#))]
             pub(crate) fn validate_private_key_only<
                 const K: usize,
                 const SECRET_KEY_SIZE: usize,
@@ -142,6 +157,19 @@ macro_rules! instantiate {
                 >(public_key, randomness)
             }
 
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+                $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+                $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+                $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+                $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+                $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+                $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+                $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+                $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
             pub(crate) fn encapsulate<
                 const K: usize,
                 const CIPHERTEXT_SIZE: usize,
@@ -151,7 +179,7 @@ macro_rules! instantiate {
                 const C2_SIZE: usize,
                 const VECTOR_U_COMPRESSION_FACTOR: usize,
                 const VECTOR_V_COMPRESSION_FACTOR: usize,
-                const VECTOR_U_BLOCK_LEN: usize,
+                const C1_BLOCK_SIZE: usize,
                 const ETA1: usize,
                 const ETA1_RANDOMNESS_SIZE: usize,
                 const ETA2: usize,
@@ -169,7 +197,7 @@ macro_rules! instantiate {
                     C2_SIZE,
                     VECTOR_U_COMPRESSION_FACTOR,
                     VECTOR_V_COMPRESSION_FACTOR,
-                    VECTOR_U_BLOCK_LEN,
+                    C1_BLOCK_SIZE,
                     ETA1,
                     ETA1_RANDOMNESS_SIZE,
                     ETA2,
@@ -227,6 +255,22 @@ macro_rules! instantiate {
             }
 
             /// Portable decapsulate
+            #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+                $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+                $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+                $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+                $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+                $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+                $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+                $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+                $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+                $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+                $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+                $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
             pub fn decapsulate<
                 const K: usize,
                 const SECRET_KEY_SIZE: usize,
@@ -281,6 +325,11 @@ macro_rules! instantiate {
                     crate::ind_cca::unpacked::MlKemPublicKeyUnpacked<K, $vector>;
 
                 /// Get the unpacked public key.
+                #[hax_lib::requires(
+                    fstar!(r#"Spec.MLKEM.is_rank $K /\
+                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#)
+                )]
                 #[inline(always)]
                 pub(crate) fn unpack_public_key<
                     const K: usize,
@@ -303,6 +352,13 @@ macro_rules! instantiate {
 
                 /// Take a serialized private key and generate an unpacked key pair from it.
                 #[inline(always)]
+                #[hax_lib::requires(
+                    fstar!(r#"Spec.MLKEM.is_rank $K /\
+                            v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+                            v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+                            v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+                            v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+                            v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))]
                 pub(crate) fn keypair_from_private_key<
                     const K: usize,
                     const SECRET_KEY_SIZE: usize,
@@ -326,6 +382,13 @@ macro_rules! instantiate {
                 }
 
                 /// Generate a key pair
+                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+                    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                    $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+                    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
                 #[inline(always)]
                 pub(crate) fn generate_keypair<
                     const K: usize,
@@ -354,6 +417,19 @@ macro_rules! instantiate {
                 }
 
                 /// Unpacked encapsulate
+                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+                    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+                    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+                    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+                    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+                    $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+                    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+                    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+                    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
                 #[inline(always)]
                 pub(crate) fn encapsulate<
                     const K: usize,
@@ -393,6 +469,22 @@ macro_rules! instantiate {
                 }
 
                 /// Unpacked decapsulate
+                #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+                    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+                    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+                    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+                    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+                    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+                    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+                    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+                    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+                    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+                    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+                    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+                    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+                    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
                 #[inline(always)]
                 pub(crate) fn decapsulate<
                     const K: usize,
diff --git a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs
index 5f157230b..94e59d1a6 100644
--- a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs
+++ b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs
@@ -6,6 +6,13 @@ use crate::{
 #[allow(unsafe_code)]
 /// Portable generate key pair.
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
 unsafe fn generate_keypair_avx2<
     const K: usize,
     const CPA_PRIVATE_KEY_SIZE: usize,
@@ -32,6 +39,13 @@ unsafe fn generate_keypair_avx2<
 }
 
 #[allow(unsafe_code)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn generate_keypair<
     const K: usize,
     const CPA_PRIVATE_KEY_SIZE: usize,
@@ -112,6 +126,9 @@ pub(crate) fn kyber_generate_keypair<
 
 #[allow(unsafe_code)]
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
 unsafe fn validate_public_key_avx2<
     const K: usize,
     const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -128,6 +145,9 @@ unsafe fn validate_public_key_avx2<
 }
 
 #[allow(unsafe_code)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
 pub(crate) fn validate_public_key<
     const K: usize,
     const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -142,6 +162,9 @@ pub(crate) fn validate_public_key<
 
 #[allow(unsafe_code)]
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
 unsafe fn validate_private_key_avx2<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -159,6 +182,9 @@ unsafe fn validate_private_key_avx2<
 }
 
 #[allow(unsafe_code)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
 pub(crate) fn validate_private_key<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -174,6 +200,8 @@ pub(crate) fn validate_private_key<
 
 /// Private key validation
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K"#))]
 pub(crate) fn validate_private_key_only<const K: usize, const SECRET_KEY_SIZE: usize>(
     private_key: &MlKemPrivateKey<SECRET_KEY_SIZE>,
 ) -> bool {
@@ -266,6 +294,19 @@ pub(crate) fn kyber_encapsulate<
 
 #[allow(unsafe_code)]
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
 unsafe fn encapsulate_avx2<
     const K: usize,
     const CIPHERTEXT_SIZE: usize,
@@ -305,6 +346,19 @@ unsafe fn encapsulate_avx2<
 }
 
 #[allow(unsafe_code)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn encapsulate<
     const K: usize,
     const CIPHERTEXT_SIZE: usize,
@@ -436,6 +490,22 @@ pub fn kyber_decapsulate<
 
 #[allow(unsafe_code)]
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
 unsafe fn decapsulate_avx2<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -481,6 +551,22 @@ unsafe fn decapsulate_avx2<
 }
 
 #[allow(unsafe_code)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
 pub fn decapsulate<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -536,6 +622,11 @@ pub(crate) mod unpacked {
     /// Get the unpacked public key.
     #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
+    #[hax_lib::requires(
+        fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+        $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#)
+    )]
     unsafe fn unpack_public_key_avx2<
         const K: usize,
         const T_AS_NTT_ENCODED_SIZE: usize,
@@ -557,6 +648,11 @@ pub(crate) mod unpacked {
 
     /// Get the unpacked public key.
     #[allow(unsafe_code)]
+    #[hax_lib::requires(
+        fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+        $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#)
+    )]
     pub(crate) fn unpack_public_key<
         const K: usize,
         const T_AS_NTT_ENCODED_SIZE: usize,
@@ -578,6 +674,13 @@ pub(crate) mod unpacked {
 
     /// Take a serialized private key and generate an unpacked key pair from it.
     #[inline(always)]
+    #[hax_lib::requires(
+        fstar!(r#"Spec.MLKEM.is_rank $K /\
+                v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+                v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+                v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+                v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+                v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))]
     pub(crate) fn keypair_from_private_key<
         const K: usize,
         const SECRET_KEY_SIZE: usize,
@@ -602,6 +705,11 @@ pub(crate) mod unpacked {
 
     #[allow(unsafe_code)]
     #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
     unsafe fn generate_keypair_avx2<
         const K: usize,
         const CPA_PRIVATE_KEY_SIZE: usize,
@@ -630,6 +738,11 @@ pub(crate) mod unpacked {
 
     /// Generate a key pair
     #[allow(unsafe_code)]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+        $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
     pub(crate) fn generate_keypair<
         const K: usize,
         const CPA_PRIVATE_KEY_SIZE: usize,
@@ -657,6 +770,17 @@ pub(crate) mod unpacked {
 
     #[allow(unsafe_code)]
     #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
     unsafe fn encapsulate_avx2<
         const K: usize,
         const CIPHERTEXT_SIZE: usize,
@@ -696,6 +820,17 @@ pub(crate) mod unpacked {
 
     /// Unpacked encapsulate
     #[allow(unsafe_code)]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
     pub(crate) fn encapsulate<
         const K: usize,
         const CIPHERTEXT_SIZE: usize,
@@ -735,6 +870,18 @@ pub(crate) mod unpacked {
 
     #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+        $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
     unsafe fn decapsulate_avx2<
         const K: usize,
         const SECRET_KEY_SIZE: usize,
@@ -780,6 +927,18 @@ pub(crate) mod unpacked {
 
     /// Unpacked decapsulate
     #[allow(unsafe_code)]
+    #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+        $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+        $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+        $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+        $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+        $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+        $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+        $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+        $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+        $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+        $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+        $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
     pub(crate) fn decapsulate<
         const K: usize,
         const SECRET_KEY_SIZE: usize,
diff --git a/libcrux-ml-kem/src/ind_cca/multiplexing.rs b/libcrux-ml-kem/src/ind_cca/multiplexing.rs
index 88098f375..ad13d9c58 100644
--- a/libcrux-ml-kem/src/ind_cca/multiplexing.rs
+++ b/libcrux-ml-kem/src/ind_cca/multiplexing.rs
@@ -52,6 +52,9 @@ use instantiations::portable::{
     kyber_generate_keypair as kyber_generate_keypair_neon,
 };
 
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"#))]
 #[inline(always)]
 pub(crate) fn validate_public_key<
     const K: usize,
@@ -66,6 +69,9 @@ pub(crate) fn validate_public_key<
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+                $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+                $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))]
 pub(crate) fn validate_private_key<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -126,12 +132,19 @@ pub(crate) fn kyber_generate_keypair<
     }
 }
 
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn generate_keypair<
     const K: usize,
     const CPA_PRIVATE_KEY_SIZE: usize,
     const PRIVATE_KEY_SIZE: usize,
     const PUBLIC_KEY_SIZE: usize,
-    const BYTES_PER_RING_ELEMENT: usize,
+    const RANKED_BYTES_PER_RING_ELEMENT: usize,
     const ETA1: usize,
     const ETA1_RANDOMNESS_SIZE: usize,
 >(
@@ -144,7 +157,7 @@ pub(crate) fn generate_keypair<
             CPA_PRIVATE_KEY_SIZE,
             PRIVATE_KEY_SIZE,
             PUBLIC_KEY_SIZE,
-            BYTES_PER_RING_ELEMENT,
+            RANKED_BYTES_PER_RING_ELEMENT,
             ETA1,
             ETA1_RANDOMNESS_SIZE,
         >(randomness)
@@ -154,7 +167,7 @@ pub(crate) fn generate_keypair<
             CPA_PRIVATE_KEY_SIZE,
             PRIVATE_KEY_SIZE,
             PUBLIC_KEY_SIZE,
-            BYTES_PER_RING_ELEMENT,
+            RANKED_BYTES_PER_RING_ELEMENT,
             ETA1,
             ETA1_RANDOMNESS_SIZE,
         >(randomness)
@@ -164,7 +177,7 @@ pub(crate) fn generate_keypair<
             CPA_PRIVATE_KEY_SIZE,
             PRIVATE_KEY_SIZE,
             PUBLIC_KEY_SIZE,
-            BYTES_PER_RING_ELEMENT,
+            RANKED_BYTES_PER_RING_ELEMENT,
             ETA1,
             ETA1_RANDOMNESS_SIZE,
         >(randomness)
@@ -241,6 +254,19 @@ pub(crate) fn kyber_encapsulate<
     }
 }
 
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))]
 pub(crate) fn encapsulate<
     const K: usize,
     const CIPHERTEXT_SIZE: usize,
@@ -250,7 +276,7 @@ pub(crate) fn encapsulate<
     const C2_SIZE: usize,
     const VECTOR_U_COMPRESSION_FACTOR: usize,
     const VECTOR_V_COMPRESSION_FACTOR: usize,
-    const VECTOR_U_BLOCK_LEN: usize,
+    const C1_BLOCK_SIZE: usize,
     const ETA1: usize,
     const ETA1_RANDOMNESS_SIZE: usize,
     const ETA2: usize,
@@ -269,7 +295,7 @@ pub(crate) fn encapsulate<
             C2_SIZE,
             VECTOR_U_COMPRESSION_FACTOR,
             VECTOR_V_COMPRESSION_FACTOR,
-            VECTOR_U_BLOCK_LEN,
+            C1_BLOCK_SIZE,
             ETA1,
             ETA1_RANDOMNESS_SIZE,
             ETA2,
@@ -285,7 +311,7 @@ pub(crate) fn encapsulate<
             C2_SIZE,
             VECTOR_U_COMPRESSION_FACTOR,
             VECTOR_V_COMPRESSION_FACTOR,
-            VECTOR_U_BLOCK_LEN,
+            C1_BLOCK_SIZE,
             ETA1,
             ETA1_RANDOMNESS_SIZE,
             ETA2,
@@ -301,7 +327,7 @@ pub(crate) fn encapsulate<
             C2_SIZE,
             VECTOR_U_COMPRESSION_FACTOR,
             VECTOR_V_COMPRESSION_FACTOR,
-            VECTOR_U_BLOCK_LEN,
+            C1_BLOCK_SIZE,
             ETA1,
             ETA1_RANDOMNESS_SIZE,
             ETA2,
@@ -392,6 +418,22 @@ pub(crate) fn kyber_decapsulate<
     }
 }
 
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\
+    $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\
+    $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR  $K /\
+    $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR  $K /\
+    $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))]
 pub(crate) fn decapsulate<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs
index 3ec6b9e55..a552ba5dd 100644
--- a/libcrux-ml-kem/src/ind_cpa.rs
+++ b/libcrux-ml-kem/src/ind_cpa.rs
@@ -15,7 +15,7 @@ use crate::{
         deserialize_then_decompress_ring_element_v, deserialize_to_uncompressed_ring_element,
         serialize_uncompressed_ring_element,
     },
-    utils::into_padded_array,
+    utils::{into_padded_array, prf_input_inc},
     variant::Variant,
     vector::Operations,
 };
@@ -60,6 +60,17 @@ use unpacked::*;
 
 /// Concatenate `t` and `ρ` into the public key.
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    length $seed_for_a == sz 32 /\
+    (forall (i:nat). i < v $K ==>
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $t_as_ntt i))"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"$res == Seq.append (Spec.MLKEM.vector_encode_12 #$K
+                            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $t_as_ntt))
+                        $seed_for_a)"#)
+)]
 pub(crate) fn serialize_public_key<
     const K: usize,
     const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -80,6 +91,18 @@ pub(crate) fn serialize_public_key<
 
 /// Concatenate `t` and `ρ` into the public key.
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    length $seed_for_a == sz 32 /\
+    (forall (i:nat). i < v $K ==>
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $t_as_ntt i))"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"${serialized}_future == 
+                        Seq.append (Spec.MLKEM.vector_encode_12 #$K
+                            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $t_as_ntt))
+                        $seed_for_a)"#)
+)]
 pub(crate) fn serialize_public_key_mut<
     const K: usize,
     const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -96,27 +119,136 @@ pub(crate) fn serialize_public_key_mut<
         Vector,
     >(t_as_ntt));
     serialized[RANKED_BYTES_PER_RING_ELEMENT..].copy_from_slice(seed_for_a);
+    hax_lib::fstar!(
+        "Lib.Sequence.eq_intro #u8 #(v $PUBLIC_KEY_SIZE) serialized
+        (Seq.append (Spec.MLKEM.vector_encode_12 #$K (Libcrux_ml_kem.Polynomial.to_spec_vector_t
+            #$K #$:Vector $t_as_ntt)) $seed_for_a)"
+    );
 }
 
 /// Call [`serialize_uncompressed_ring_element`] for each ring element.
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 1000 --ext context_pruning --z3refresh")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    (forall (i:nat). i < v $K ==>
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $key i))"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"$res == Spec.MLKEM.vector_encode_12 #$K
+                    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key)"#)
+)]
 pub(crate) fn serialize_secret_key<const K: usize, const OUT_LEN: usize, Vector: Operations>(
     key: &[PolynomialRingElement<Vector>; K],
 ) -> [u8; OUT_LEN] {
+    hax_lib::fstar!(r#"assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial)"#);
     let mut out = [0u8; OUT_LEN];
 
     cloop! {
         for (i, re) in key.into_iter().enumerate() {
+            hax_lib::loop_invariant!(|i: usize| { fstar!(r#"(v $i < v $K ==>
+                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $key (v $i))) /\
+                (forall (j: nat). j < v $i ==>
+                (j + 1) * v $BYTES_PER_RING_ELEMENT <= Seq.length $out /\
+                (Seq.slice $out (j * v $BYTES_PER_RING_ELEMENT) ((j + 1) * v $BYTES_PER_RING_ELEMENT) ==
+                    Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $key j))))"#) });
             out[i * BYTES_PER_RING_ELEMENT..(i + 1) * BYTES_PER_RING_ELEMENT]
             .copy_from_slice(&serialize_uncompressed_ring_element(&re));
+            hax_lib::fstar!(r#"let lemma_aux (j: nat{ j < v $i }) : Lemma
+                (Seq.slice out (j * v $BYTES_PER_RING_ELEMENT) ((j + 1) * v $BYTES_PER_RING_ELEMENT) ==
+                    Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $key j))) =
+                Lib.Sequence.eq_intro #u8 #(v $BYTES_PER_RING_ELEMENT)
+                (Seq.slice out (j * v $BYTES_PER_RING_ELEMENT) ((j + 1) * v $BYTES_PER_RING_ELEMENT))
+                (Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $key j)))
+            in
+            Classical.forall_intro lemma_aux"#);
         }
     }
 
+    hax_lib::fstar!(
+        r#"assert (Spec.MLKEM.coerce_vector_12 (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key) ==
+        Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key);
+    reveal_opaque (`%Spec.MLKEM.vector_encode_12) (Spec.MLKEM.vector_encode_12 #$K);
+    Lib.Sequence.eq_intro #u8 #(v $OUT_LEN) $out
+        (Spec.MLKEM.vector_encode_12 #$K
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key))"#
+    );
     out
 }
 
 /// Sample a vector of ring elements from a centered binomial distribution.
 #[inline(always)]
+#[hax_lib::fstar::options(
+    "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::before(
+        r#"let sample_ring_element_cbd_helper_2
+      (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (error_1: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma
+        (requires Spec.MLKEM.is_rank v_K /\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+          v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+          v domain_separator < 2 * v v_K /\ 
+          (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA2_RANDOMNESS_SIZE
+            (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+              (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in 
+          forall (i: nat). i < v v_K ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1.[ sz i ] ==
+            Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz i ]))
+        (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1 ==
+          (Spec.MLKEM.sample_vector_cbd2 #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
+    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1) 
+    (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))"#
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::before(
+        r#"let sample_ring_element_cbd_helper_1
+      (v_K: usize)
+      (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma 
+        (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\
+          (forall (i: nat). i < v v_K ==>
+            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\
+            Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
+        (ensures prf_inputs == createi v_K
+          (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    let lemma_aux (i: nat{i < v v_K}) : Lemma
+        (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1
+          (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) =
+      Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ]
+        (Seq.append (Seq.slice prf_input 0 32)
+          (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i))))
+    in
+    Classical.forall_intro lemma_aux;
+    Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
+      (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+        (Seq.slice prf_input 0 32) (sz (v domain_separator))))"#
+    )
+)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+    v $domain_separator < 2 * v $K /\
+    range (v $domain_separator + v $K) u8_inttype"#))]
+#[hax_lib::ensures(|(err1,ds)|
+    fstar!(r#"v $ds == v $domain_separator + v $K /\
+                Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $err1 ==
+                Spec.MLKEM.sample_vector_cbd2 #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))"#)
+)]
 fn sample_ring_element_cbd<
     const K: usize,
     const ETA2_RANDOMNESS_SIZE: usize,
@@ -129,20 +261,104 @@ fn sample_ring_element_cbd<
 ) -> ([PolynomialRingElement<Vector>; K], u8) {
     let mut error_1 = from_fn(|_i| PolynomialRingElement::<Vector>::ZERO());
     let mut prf_inputs = [prf_input; K];
-    for i in 0..K {
-        prf_inputs[i][32] = domain_separator;
-        domain_separator += 1;
-    }
+    // See https://github.com/hacspec/hax/issues/1167
+    let _domain_separator_init = domain_separator;
+    domain_separator = prf_input_inc::<K>(&mut prf_inputs, domain_separator);
+    hax_lib::fstar!(
+        "sample_ring_element_cbd_helper_1 $K $prf_inputs $prf_input $_domain_separator_init"
+    );
     let prf_outputs: [[u8; ETA2_RANDOMNESS_SIZE]; K] = Hasher::PRFxN(&prf_inputs);
     for i in 0..K {
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                "forall (j:nat). j < v $i ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${error_1}.[ sz j ] ==
+              Spec.MLKEM.sample_poly_cbd $ETA2 ${prf_outputs}.[ sz j ]"
+            )
+        });
         error_1[i] = sample_from_binomial_distribution::<ETA2, Vector>(&prf_outputs[i]);
     }
+    hax_lib::fstar!(
+        "sample_ring_element_cbd_helper_2
+        $K $ETA2 $ETA2_RANDOMNESS_SIZE #$:Vector error_1_ $prf_input $_domain_separator_init"
+    );
     (error_1, domain_separator)
 }
 
 /// Sample a vector of ring elements from a centered binomial distribution and
 /// convert them into their NTT representations.
 #[inline(always)]
+#[hax_lib::fstar::options(
+    "--max_fuel 25 --z3rlimit 2500 --ext context_pruning --z3refresh --split_queries always"
+)]
+#[cfg_attr(hax, hax_lib::fstar::before(r#"let sample_vector_cbd_then_ntt_helper_2
+      (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
+      (#v_Vector: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i2:
+          Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+      (re_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma
+        (requires Spec.MLKEM.is_rank v_K /\ v_ETA == Spec.MLKEM.v_ETA1 v_K /\
+          v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+          v domain_separator < 2 * v v_K /\ 
+          (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA_RANDOMNESS_SIZE
+            (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
+              (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in 
+          forall (i: nat). i < v v_K ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re_as_ntt.[ sz i ] ==
+            Spec.MLKEM.poly_ntt (Spec.MLKEM.sample_poly_cbd v_ETA prf_outputs.[ sz i ])))
+        (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt ==
+          (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    reveal_opaque (`%Spec.MLKEM.sample_vector_cbd_then_ntt) (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K);
+    Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
+      (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt)
+      (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K
+        (Seq.slice prf_input 0 32) (sz (v domain_separator)))"#))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::before(
+        r#"let sample_vector_cbd_then_ntt_helper_1
+      (v_K: usize)
+      (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8) : Lemma 
+        (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\
+          (forall (i: nat). i < v v_K ==>
+            v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\
+            Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
+        (ensures prf_inputs == createi v_K
+          (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
+            (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+    =
+    let lemma_aux (i: nat{i < v v_K}) : Lemma
+        (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1
+          (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) =
+      Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ]
+        (Seq.append (Seq.slice prf_input 0 32)
+          (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i))))
+    in
+    Classical.forall_intro lemma_aux;
+    Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
+      (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
+        (Seq.slice prf_input 0 32) (sz (v domain_separator))))"#
+    )
+)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA == Spec.MLKEM.v_ETA1 $K /\
+    v $domain_separator < 2 * v $K /\
+    range (v $domain_separator + v $K) u8_inttype"#))]
+#[hax_lib::ensures(|ds|
+    fstar!(r#"v $ds == v $domain_separator + v $K /\
+            Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${re_as_ntt}_future ==
+            Spec.MLKEM.sample_vector_cbd_then_ntt #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator)) /\
+            (forall (i: nat). i < v $K ==>
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #$:Vector (Seq.index ${re_as_ntt}_future i))"#)
+)]
 fn sample_vector_cbd_then_ntt<
     const K: usize,
     const ETA: usize,
@@ -155,19 +371,42 @@ fn sample_vector_cbd_then_ntt<
     mut domain_separator: u8,
 ) -> u8 {
     let mut prf_inputs = [prf_input; K];
-    for i in 0..K {
-        prf_inputs[i][32] = domain_separator;
-        domain_separator += 1;
-    }
+    let _domain_separator_init = domain_separator;
+    domain_separator = prf_input_inc::<K>(&mut prf_inputs, domain_separator);
+    hax_lib::fstar!(
+        "sample_vector_cbd_then_ntt_helper_1 $K $prf_inputs $prf_input $_domain_separator_init"
+    );
     let prf_outputs: [[u8; ETA_RANDOMNESS_SIZE]; K] = Hasher::PRFxN(&prf_inputs);
     for i in 0..K {
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"forall (j:nat). j < v $i ==>
+            Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector re_as_ntt.[ sz j ] ==
+              Spec.MLKEM.poly_ntt (Spec.MLKEM.sample_poly_cbd $ETA ${prf_outputs}.[ sz j ]) /\
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #$:Vector re_as_ntt.[ sz j ]"#
+            )
+        });
         re_as_ntt[i] = sample_from_binomial_distribution::<ETA, Vector>(&prf_outputs[i]);
         ntt_binomially_sampled_ring_element(&mut re_as_ntt[i]);
     }
+    hax_lib::fstar!(
+        "sample_vector_cbd_then_ntt_helper_2
+        $K $ETA $ETA_RANDOMNESS_SIZE #$:Vector re_as_ntt $prf_input $_domain_separator_init"
+    );
     domain_separator
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA == Spec.MLKEM.v_ETA1 $K /\
+    v $domain_separator < 2 * v $K /\
+    range (v $domain_separator + v $K) u8_inttype"#))]
+#[hax_lib::ensures(|(re,ds)|
+    fstar!(r#"v $ds == v $domain_separator + v $K /\
+                Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${re} ==
+                Spec.MLKEM.sample_vector_cbd_then_ntt #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))"#)
+)]
 fn sample_vector_cbd_then_ntt_out<
     const K: usize,
     const ETA: usize,
@@ -226,6 +465,21 @@ fn sample_vector_cbd_then_ntt_out<
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
 #[allow(non_snake_case)]
+#[hax_lib::fstar::options("--z3rlimit 500 --ext context_pruning --z3refresh")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"#))]
+#[hax_lib::ensures(|_| fstar!(r#"let ((((t_as_ntt,seed_for_A), matrix_A_as_ntt), secret_as_ntt), valid) = Spec.MLKEM.ind_cpa_generate_keypair_unpacked $K $key_generation_seed in 
+    (valid ==> (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key}_future.f_t_as_ntt == t_as_ntt) /\
+        (${public_key}_future.f_seed_for_A == seed_for_A) /\
+        (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key}_future.f_A == matrix_A_as_ntt) /\
+        (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${private_key}_future.f_secret_as_ntt == secret_as_ntt)) /\
+    (forall (i:nat). i < v $K ==>
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${private_key}_future.f_secret_as_ntt i)) /\
+    (forall (i:nat). i < v $K ==>
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${public_key}_future.f_t_as_ntt i))
+"#))]
 #[inline(always)]
 pub(crate) fn generate_keypair_unpacked<
     const K: usize,
@@ -243,9 +497,20 @@ pub(crate) fn generate_keypair_unpacked<
     let hashed = Scheme::cpa_keygen_seed::<K, Hasher>(key_generation_seed);
     let (seed_for_A, seed_for_secret_and_error) = hashed.split_at(32);
 
+    hax_lib::fstar!(
+        "Lib.Sequence.eq_intro #u8 #32 $seed_for_A
+        (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) $seed_for_A) 0 32)"
+    );
     sample_matrix_A::<K, Vector, Hasher>(&mut public_key.A, into_padded_array(seed_for_A), true);
 
+    hax_lib::fstar!(
+        r#"let (matrix_A_as_ntt, valid) = Spec.MLKEM.sample_matrix_A_ntt #$K $seed_for_A in
+        assert (valid ==> matrix_A_as_ntt == Libcrux_ml_kem.Polynomial.to_spec_matrix_t public_key.f_A)"#
+    );
     let prf_input: [u8; 33] = into_padded_array(seed_for_secret_and_error);
+    hax_lib::fstar!(
+        "Lib.Sequence.eq_intro #u8 #32 $seed_for_secret_and_error (Seq.slice $prf_input 0 32)"
+    );
     let domain_separator =
         sample_vector_cbd_then_ntt::<K, ETA1, ETA1_RANDOMNESS_SIZE, Vector, Hasher>(
             &mut private_key.secret_as_ntt,
@@ -268,12 +533,36 @@ pub(crate) fn generate_keypair_unpacked<
 
     public_key.seed_for_A = seed_for_A.try_into().unwrap();
 
+    hax_lib::fstar!(
+        r#"let (((t_as_ntt,seed_for_A), matrix_A_as_ntt), secret_as_ntt), valid =
+        Spec.MLKEM.ind_cpa_generate_keypair_unpacked $K $key_generation_seed in
+        assert (valid ==>
+            ((Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector public_key.f_t_as_ntt) ==
+              t_as_ntt) /\ (public_key.f_seed_for_A == seed_for_A) /\
+            (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector public_key.f_A == matrix_A_as_ntt) /\
+            ((Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector private_key.f_secret_as_ntt) ==
+              secret_as_ntt));
+        assert ((forall (i: nat). i < v $K ==>
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index private_key.f_secret_as_ntt i)) /\
+          (forall (i: nat). i < v $K ==>
+              Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key.f_t_as_ntt i)))"#
+    );
+
     // For encapsulation, we need to store A not Aˆ, and so we untranspose A
     // However, we pass A_transpose here and let the IND-CCA layer do the untranspose.
     // We could do it here, but then we would pay the performance cost (if any) for the packed API as well.
 }
 
 #[allow(non_snake_case)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\
+    $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"#))]
+#[hax_lib::ensures(|result| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cpa_generate_keypair $K $key_generation_seed in 
+                                    valid ==> $result == expected"#))]
 #[inline(always)]
 pub(crate) fn generate_keypair<
     const K: usize,
@@ -307,6 +596,7 @@ pub(crate) fn generate_keypair<
 }
 
 /// Serialize the secret key from the unpacked key pair generation.
+#[hax_lib::fstar::verification_status(lax)]
 pub(crate) fn serialize_unpacked_secret_key<
     const K: usize,
     const PRIVATE_KEY_SIZE: usize,
@@ -331,6 +621,18 @@ pub(crate) fn serialize_unpacked_secret_key<
 }
 
 /// Call [`compress_then_serialize_ring_element_u`] on each ring element.
+#[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning --z3refresh")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $OUT_LEN == Spec.MLKEM.v_C1_SIZE $K /\
+    $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+    $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    ${out.len()} == $OUT_LEN /\
+    (forall (i:nat). i < v $K ==>
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $input i))"#))]
+#[hax_lib::ensures(|_|
+    fstar!(r#"$out_future == Spec.MLKEM.compress_then_encode_u #$K
+               (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $input)"#)
+)]
 #[inline(always)]
 fn compress_then_serialize_u<
     const K: usize,
@@ -342,15 +644,47 @@ fn compress_then_serialize_u<
     input: [PolynomialRingElement<Vector>; K],
     out: &mut [u8],
 ) {
+    hax_lib::fstar!(
+        "assert (v (sz 32 *! $COMPRESSION_FACTOR) == 32 * v $COMPRESSION_FACTOR);
+        assert (v ($OUT_LEN /! $K) == v $OUT_LEN / v $K);
+        assert (v $OUT_LEN / v $K == 32 * v $COMPRESSION_FACTOR)"
+    );
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     cloop! {
         for (i, re) in input.into_iter().enumerate() {
+            hax_lib::loop_invariant!(|i: usize| { fstar!(r#"(v $i < v $K ==> Seq.length out == v $OUT_LEN /\
+                Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $input (v $i))) /\
+            (forall (j: nat). j < v $i ==>
+                Seq.length out == v $OUT_LEN /\
+                (j + 1) * (v $OUT_LEN / v $K) <= Seq.length out /\
+                (Seq.slice out (j * (v $OUT_LEN / v $K)) (((j + 1)) * (v $OUT_LEN / v $K)) == 
+                    Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
+                        (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $input j))))"#) });
+            hax_lib::fstar!(r#"assert (forall (j: nat). j < v $i ==>
+                ((Seq.slice out (j * (v $OUT_LEN / v $K)) (((j + 1)) * (v $OUT_LEN / v $K)) == 
+                Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
+                    (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $input j)))))"#);
             out[i * (OUT_LEN / K)..(i + 1) * (OUT_LEN / K)].copy_from_slice(
                 &compress_then_serialize_ring_element_u::<COMPRESSION_FACTOR, BLOCK_LEN, Vector>(&re),
             );
+            hax_lib::fstar!(r#"let lemma_aux (j: nat{ j < v $i }) : Lemma
+                (Seq.slice out (j * (v $OUT_LEN / v $K)) (((j + 1)) * (v $OUT_LEN / v $K)) ==
+                Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
+                    (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index $input j))) =
+                Lib.Sequence.eq_intro #u8 #(v $OUT_LEN / v $K) 
+                (Seq.slice out (j * (v $OUT_LEN / v $K)) (((j + 1)) * (v $OUT_LEN / v $K)))
+                (Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
+                    (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $input j)))
+            in
+            Classical.forall_intro lemma_aux"#);
         }
     };
+    hax_lib::fstar!(
+        "Lib.Sequence.eq_intro #u8 #(v $OUT_LEN) out
+        (Spec.MLKEM.compress_then_encode_u #$K
+            (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $input))"
+    );
     ()
 }
 
@@ -394,6 +728,24 @@ fn compress_then_serialize_u<
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
 #[allow(non_snake_case)]
+#[hax_lib::fstar::options("--z3rlimit 200")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+      $ETA1 == Spec.MLKEM.v_ETA1 $K /\
+      $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+      $ETA2 == Spec.MLKEM.v_ETA2 $K /\
+      $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+      $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\
+      $C2_LEN == Spec.MLKEM.v_C2_SIZE $K /\
+      $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+      $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+      $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+      $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+      length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE"#))]
+#[hax_lib::ensures(|result|
+    fstar!(r#"$result == Spec.MLKEM.ind_cpa_encrypt_unpacked $K $message $randomness
+        (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key}.f_t_as_ntt)
+        (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key}.f_A)"#)
+)]
 #[inline(always)]
 pub(crate) fn encrypt_unpacked<
     const K: usize,
@@ -425,6 +777,10 @@ pub(crate) fn encrypt_unpacked<
         sample_vector_cbd_then_ntt_out::<K, ETA1, ETA1_RANDOMNESS_SIZE, Vector, Hasher>(
             prf_input, 0,
         );
+    hax_lib::fstar!(
+        "Lib.Sequence.eq_intro #u8 #32 $randomness (Seq.slice $prf_input 0 32);
+        assert (v $domain_separator == v $K)"
+    );
 
     // for i from 0 to k−1 do
     //     e1[i] := CBD_{η2}(PRF(r,N))
@@ -438,6 +794,10 @@ pub(crate) fn encrypt_unpacked<
 
     // e_2 := CBD{η2}(PRF(r, N))
     prf_input[32] = domain_separator;
+    hax_lib::fstar!(
+        "assert (Seq.equal $prf_input (Seq.append $randomness (Seq.create 1 $domain_separator)));
+        assert ($prf_input == Seq.append $randomness (Seq.create 1 $domain_separator))"
+    );
     let prf_output: [u8; ETA2_RANDOMNESS_SIZE] = Hasher::PRF(&prf_input);
     let error_2 = sample_from_binomial_distribution::<ETA2, Vector>(&prf_output);
 
@@ -452,6 +812,12 @@ pub(crate) fn encrypt_unpacked<
         &error_2,
         &message_as_ring_element,
     );
+    hax_lib::fstar!(
+        "assert ($C1_LEN = Spec.MLKEM.v_C1_SIZE v_K);
+        assert ($C2_LEN = Spec.MLKEM.v_C2_SIZE v_K);
+        assert ($CIPHERTEXT_SIZE == $C1_LEN +! $C2_LEN);
+        assert ($C1_LEN <=. $CIPHERTEXT_SIZE)"
+    );
 
     let mut ciphertext = [0u8; CIPHERTEXT_SIZE];
 
@@ -462,15 +828,38 @@ pub(crate) fn encrypt_unpacked<
     );
 
     // c_2 := Encode_{dv}(Compress_q(v,d_v))
-    compress_then_serialize_ring_element_v::<V_COMPRESSION_FACTOR, C2_LEN, Vector>(
+    compress_then_serialize_ring_element_v::<K, V_COMPRESSION_FACTOR, C2_LEN, Vector>(
         v,
         &mut ciphertext[C1_LEN..],
     );
+    hax_lib::fstar!(
+        "lemma_slice_append $ciphertext (Seq.slice $ciphertext 0 (Rust_primitives.v $C1_LEN))
+        (Seq.slice $ciphertext (Rust_primitives.v $C1_LEN) (Seq.length $ciphertext))"
+    );
 
     ciphertext
 }
 
 #[allow(non_snake_case)]
+#[hax_lib::fstar::options("--z3rlimit 500 --ext context_pruning")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $ETA1 = Spec.MLKEM.v_ETA1 $K /\
+    $ETA1_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\
+    $ETA2 = Spec.MLKEM.v_ETA2 $K /\
+    $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\
+    $ETA2_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\
+    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+    $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+    length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\
+    length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\
+    $C2_LEN == Spec.MLKEM.v_C2_SIZE $K"#))]
+#[hax_lib::ensures(|result|
+    fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cpa_encrypt $K $public_key $message $randomness in
+            valid ==> $result == expected"#)
+)]
 #[inline(always)]
 pub(crate) fn encrypt<
     const K: usize,
@@ -492,6 +881,7 @@ pub(crate) fn encrypt<
     message: [u8; SHARED_SECRET_SIZE],
     randomness: &[u8],
 ) -> [u8; CIPHERTEXT_SIZE] {
+    hax_lib::fstar!(r#"reveal_opaque (`%Spec.MLKEM.ind_cpa_encrypt) Spec.MLKEM.ind_cpa_encrypt"#);
     let unpacked_public_key =
         build_unpacked_public_key::<K, T_AS_NTT_ENCODED_SIZE, Vector, Hasher>(public_key);
 
@@ -514,6 +904,16 @@ pub(crate) fn encrypt<
     >(&unpacked_public_key, message, randomness)
 }
 
+#[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
+#[hax_lib::ensures(|result| fstar!(r#"
+    let (t_as_ntt_bytes, seed_for_A) = split public_key $T_AS_NTT_ENCODED_SIZE in
+    let t_as_ntt = Spec.MLKEM.vector_decode_12 #$K t_as_ntt_bytes in 
+    let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #$K seed_for_A in
+    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${result}.f_t_as_ntt == t_as_ntt /\
+     valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${result}.f_A == Spec.MLKEM.matrix_transpose matrix_A_as_ntt)"#))]
 fn build_unpacked_public_key<
     const K: usize,
     const T_AS_NTT_ENCODED_SIZE: usize,
@@ -530,6 +930,16 @@ fn build_unpacked_public_key<
     unpacked_public_key
 }
 
+#[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\
+    length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))]
+#[hax_lib::ensures(|_| fstar!(r#"
+    let (t_as_ntt_bytes, seed_for_A) = split public_key $T_AS_NTT_ENCODED_SIZE in
+    let t_as_ntt = Spec.MLKEM.vector_decode_12 #$K t_as_ntt_bytes in 
+    let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #$K seed_for_A in
+    (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${unpacked_public_key}_future.f_t_as_ntt == t_as_ntt /\
+    valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${unpacked_public_key}_future.f_A == Spec.MLKEM.matrix_transpose matrix_A_as_ntt)"#))]
 pub(crate) fn build_unpacked_public_key_mut<
     const K: usize,
     const T_AS_NTT_ENCODED_SIZE: usize,
@@ -540,7 +950,7 @@ pub(crate) fn build_unpacked_public_key_mut<
     unpacked_public_key: &mut IndCpaPublicKeyUnpacked<K, Vector>,
 ) {
     // tˆ := Decode_12(pk)
-    deserialize_ring_elements_reduced::<T_AS_NTT_ENCODED_SIZE, K, Vector>(
+    deserialize_ring_elements_reduced::<K, Vector>(
         &public_key[..T_AS_NTT_ENCODED_SIZE],
         &mut unpacked_public_key.t_as_ntt,
     );
@@ -552,6 +962,10 @@ pub(crate) fn build_unpacked_public_key_mut<
     //     end for
     // end for
     let seed = &public_key[T_AS_NTT_ENCODED_SIZE..];
+    hax_lib::fstar!(
+        "Lib.Sequence.eq_intro #u8 #32 $seed
+      (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) $seed) 0 32)"
+    );
     sample_matrix_A::<K, Vector, Hasher>(
         &mut unpacked_public_key.A,
         into_padded_array(seed),
@@ -562,6 +976,14 @@ pub(crate) fn build_unpacked_public_key_mut<
 /// Call [`deserialize_then_decompress_ring_element_u`] on each ring element
 /// in the `ciphertext`.
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $res ==
+        Spec.MLKEM.(vector_ntt (decode_then_decompress_u #$K (Seq.slice $ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE $K)))))"#)
+)]
 fn deserialize_then_decompress_u<
     const K: usize,
     const CIPHERTEXT_SIZE: usize,
@@ -570,30 +992,67 @@ fn deserialize_then_decompress_u<
 >(
     ciphertext: &[u8; CIPHERTEXT_SIZE],
 ) -> [PolynomialRingElement<Vector>; K] {
+    hax_lib::fstar!(
+        "assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! $U_COMPRESSION_FACTOR ) /!
+        sz 8) == v (Spec.MLKEM.v_C1_BLOCK_SIZE $K))"
+    );
     let mut u_as_ntt = from_fn(|_| PolynomialRingElement::<Vector>::ZERO());
     cloop! {
         for (i, u_bytes) in ciphertext
             .chunks_exact((COEFFICIENTS_IN_RING_ELEMENT * U_COMPRESSION_FACTOR) / 8)
             .enumerate()
         {
+            hax_lib::loop_invariant!(|i: usize| { fstar!(r#"forall (j: nat). j < v $i ==>
+              j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) <= v $CIPHERTEXT_SIZE /\
+              Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $u_as_ntt j) ==
+                Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v $U_COMPRESSION_FACTOR)
+                  (Seq.slice $ciphertext (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K))
+                    (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE $K))))"#) });
             u_as_ntt[i]  = deserialize_then_decompress_ring_element_u::<U_COMPRESSION_FACTOR, Vector>(u_bytes);
             ntt_vector_u::<U_COMPRESSION_FACTOR, Vector>(&mut u_as_ntt[i]);
         }
     }
+    hax_lib::fstar!(
+        "Lib.Sequence.eq_intro #Spec.MLKEM.polynomial #(v $K)
+        (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $u_as_ntt)
+        (Spec.MLKEM.(vector_ntt (decode_then_decompress_u #$K
+        (Seq.slice $ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE $K))))))"
+    );
     u_as_ntt
 }
 
 /// Call [`deserialize_to_uncompressed_ring_element`] for each ring element.
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning")]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\
+    v (${secret_key.len()}) / v $BYTES_PER_RING_ELEMENT <= v $K"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $res ==
+         Spec.MLKEM.vector_decode_12 #$K $secret_key"#)
+)]
 pub(crate) fn deserialize_secret_key<const K: usize, Vector: Operations>(
     secret_key: &[u8],
 ) -> [PolynomialRingElement<Vector>; K] {
+    hax_lib::fstar!(r#"assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial)"#);
     let mut secret_as_ntt = from_fn(|_| PolynomialRingElement::<Vector>::ZERO());
     cloop! {
         for (i, secret_bytes) in secret_key.chunks_exact(BYTES_PER_RING_ELEMENT).enumerate() {
+            hax_lib::loop_invariant!(|i: usize| { fstar!(r#"forall (j: nat). j < v $i ==>
+                j * v $BYTES_PER_RING_ELEMENT + v $BYTES_PER_RING_ELEMENT <=
+                    v (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K) /\
+                Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $secret_as_ntt j) ==
+                    Spec.MLKEM.byte_decode 12 (Seq.slice $secret_key
+                        (j * v $BYTES_PER_RING_ELEMENT)
+                        (j * v $BYTES_PER_RING_ELEMENT + v $BYTES_PER_RING_ELEMENT))"#) });
             secret_as_ntt[i] = deserialize_to_uncompressed_ring_element(secret_bytes);
         }
     }
+    hax_lib::fstar!(
+        "Lib.Sequence.eq_intro #Spec.MLKEM.polynomial #(v $K)
+        (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $secret_as_ntt)
+        (Spec.MLKEM.vector_decode_12 #$K $secret_key)"
+    );
     secret_as_ntt
 }
 
@@ -620,6 +1079,15 @@ pub(crate) fn deserialize_secret_key<const K: usize, Vector: Operations>(
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
 #[allow(non_snake_case)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+    $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+    $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K"#))]
+#[hax_lib::ensures(|result|
+    fstar!(r#"$result == Spec.MLKEM.ind_cpa_decrypt_unpacked $K $ciphertext
+        (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${secret_key}.f_secret_as_ntt)"#)
+)]
 #[inline(always)]
 pub(crate) fn decrypt_unpacked<
     const K: usize,
@@ -638,7 +1106,7 @@ pub(crate) fn decrypt_unpacked<
     );
 
     // v := Decompress_q(Decode_{d_v}(c + d_u·k·n / 8), d_v)
-    let v = deserialize_then_decompress_ring_element_v::<V_COMPRESSION_FACTOR, Vector>(
+    let v = deserialize_then_decompress_ring_element_v::<K, V_COMPRESSION_FACTOR, Vector>(
         &ciphertext[VECTOR_U_ENCODED_SIZE..],
     );
 
@@ -648,6 +1116,15 @@ pub(crate) fn decrypt_unpacked<
 }
 
 #[allow(non_snake_case)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\
+    length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ 
+    $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\
+    $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K /\
+    $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\
+    $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K"#))]
+#[hax_lib::ensures(|result|
+    fstar!(r#"$result == Spec.MLKEM.ind_cpa_decrypt $K $secret_key $ciphertext"#)
+)]
 #[inline(always)]
 pub(crate) fn decrypt<
     const K: usize,
@@ -660,6 +1137,7 @@ pub(crate) fn decrypt<
     secret_key: &[u8],
     ciphertext: &[u8; CIPHERTEXT_SIZE],
 ) -> [u8; SHARED_SECRET_SIZE] {
+    hax_lib::fstar!(r#"reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt"#);
     // sˆ := Decode_12(sk)
     let secret_as_ntt = deserialize_secret_key::<K, Vector>(secret_key);
     let secret_key_unpacked = IndCpaPrivateKeyUnpacked { secret_as_ntt };
diff --git a/libcrux-ml-kem/src/invert_ntt.rs b/libcrux-ml-kem/src/invert_ntt.rs
index 12b60f3cf..1d87eea97 100644
--- a/libcrux-ml-kem/src/invert_ntt.rs
+++ b/libcrux-ml-kem/src/invert_ntt.rs
@@ -1,68 +1,185 @@
 use crate::{
     hax_utils::hax_debug_assert,
-    polynomial::{PolynomialRingElement, ZETAS_TIMES_MONTGOMERY_R},
+    polynomial::{zeta, PolynomialRingElement},
     vector::{montgomery_multiply_fe, Operations, FIELD_ELEMENTS_IN_VECTOR},
 };
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
+#[hax_lib::fstar::before(
+    interface,
+    "[@@ \"opaque_to_smt\"]
+   let invert_ntt_re_range_2 (#v_Vector: Type0)
+           {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+           (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328
+               (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"
+)]
+#[hax_lib::fstar::before(
+    interface,
+    "[@@ \"opaque_to_smt\"]
+   let invert_ntt_re_range_1 (#v_Vector: Type0)
+         {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+         (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"
+)]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 128 /\
+    invert_ntt_re_range_1 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"invert_ntt_re_range_2 ${re}_future /\
+    v ${*zeta_i}_future == 64"#))]
 pub(crate) fn invert_ntt_at_layer_1<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
-    _layer: usize,
 ) {
+    hax_lib::fstar!(r#"reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #$:Vector)"#);
+    hax_lib::fstar!(r#"reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"#);
+    let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
+        hax_lib::loop_invariant!(|round: usize| {
+            fstar!(
+                r#"v zeta_i == v $_zeta_i_init - v $round * 4 /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
+            Spec.Utils.is_i16b_array_opaque (4 * 3328)
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
+            )
+        });
         *zeta_i -= 1;
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque (4*3328) 
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         re.coefficients[round] = Vector::inv_ntt_layer_1_step(
             re.coefficients[round],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 2],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 3],
+            zeta(*zeta_i),
+            zeta(*zeta_i - 1),
+            zeta(*zeta_i - 2),
+            zeta(*zeta_i - 3),
         );
         *zeta_i -= 3;
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque 3328 
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
+        hax_lib::fstar!(
+            "assert (Spec.Utils.is_i16b_array_opaque 3328
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
+        );
     }
     ()
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 64 /\
+    invert_ntt_re_range_2 $re "#))]
+#[hax_lib::ensures(|result| fstar!(r#"invert_ntt_re_range_2 ${re}_future /\
+    v ${*zeta_i}_future == 32"#))]
 pub(crate) fn invert_ntt_at_layer_2<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
-    _layer: usize,
 ) {
+    hax_lib::fstar!(r#"reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"#);
+    let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
+        hax_lib::loop_invariant!(|round: usize| {
+            fstar!(
+                r#"v zeta_i == v $_zeta_i_init - v $round * 2 /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
+            Spec.Utils.is_i16b_array_opaque 3328
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
+            )
+        });
         *zeta_i -= 1;
-        re.coefficients[round] = Vector::inv_ntt_layer_2_step(
-            re.coefficients[round],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1],
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque 3328 
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
         );
+        re.coefficients[round] =
+            Vector::inv_ntt_layer_2_step(re.coefficients[round], zeta(*zeta_i), zeta(*zeta_i - 1));
         *zeta_i -= 1;
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque 3328 
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
+        hax_lib::fstar!(
+            "assert (Spec.Utils.is_i16b_array_opaque 3328
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
+        );
     }
     ()
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 32 /\
+    invert_ntt_re_range_2 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"invert_ntt_re_range_2 ${re}_future /\
+    v ${*zeta_i}_future == 16"#))]
 pub(crate) fn invert_ntt_at_layer_3<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
-    _layer: usize,
 ) {
+    hax_lib::fstar!(r#"reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"#);
+    let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
+        hax_lib::loop_invariant!(|round: usize| {
+            fstar!(
+                r#"v zeta_i == v $_zeta_i_init - v $round /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
+            Spec.Utils.is_i16b_array_opaque 3328
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
+            )
+        });
         *zeta_i -= 1;
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque 3328 
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         re.coefficients[round] =
-            Vector::inv_ntt_layer_3_step(re.coefficients[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]);
+            Vector::inv_ntt_layer_3_step(re.coefficients[round], zeta(*zeta_i));
+        hax_lib::fstar!(
+            "reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+            (Spec.Utils.is_i16b_array_opaque 3328 
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"
+        );
+        hax_lib::fstar!(
+            "assert (Spec.Utils.is_i16b_array_opaque 3328
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
+        );
     }
     ()
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $zeta_r /\
+    (forall i. i < 16 ==>
+        Spec.Utils.is_intb (pow2 15 - 1)
+        (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i) -
+        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i))) /\
+    (forall i. i < 16 ==>
+        Spec.Utils.is_intb (pow2 15 - 1)
+        (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) +
+        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i))) /\
+    Spec.Utils.is_i16b_array 28296 (Libcrux_ml_kem.Vector.Traits.f_to_i16_array
+        (Libcrux_ml_kem.Vector.Traits.f_add $a $b))"#))]
 pub(crate) fn inv_ntt_layer_int_vec_step_reduce<Vector: Operations>(
     mut a: Vector,
     mut b: Vector,
@@ -73,7 +190,10 @@ pub(crate) fn inv_ntt_layer_int_vec_step_reduce<Vector: Operations>(
     b = montgomery_multiply_fe::<Vector>(a_minus_b, zeta_r);
     (a, b)
 }
+
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"v $layer >= 4 /\ v $layer <= 7"#))]
 pub(crate) fn invert_ntt_at_layer_4_plus<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
@@ -94,7 +214,7 @@ pub(crate) fn invert_ntt_at_layer_4_plus<Vector: Operations>(
             let (x, y) = inv_ntt_layer_int_vec_step_reduce(
                 re.coefficients[j],
                 re.coefficients[j + step_vec],
-                ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
+                zeta(*zeta_i),
             );
             re.coefficients[j] = x;
             re.coefficients[j + step_vec] = y;
@@ -104,6 +224,7 @@ pub(crate) fn invert_ntt_at_layer_4_plus<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"invert_ntt_re_range_1 $re"#))]
 pub(crate) fn invert_ntt_montgomery<const K: usize, Vector: Operations>(
     re: &mut PolynomialRingElement<Vector>,
 ) {
@@ -114,9 +235,9 @@ pub(crate) fn invert_ntt_montgomery<const K: usize, Vector: Operations>(
 
     let mut zeta_i = super::constants::COEFFICIENTS_IN_RING_ELEMENT / 2;
 
-    invert_ntt_at_layer_1(&mut zeta_i, re, 1);
-    invert_ntt_at_layer_2(&mut zeta_i, re, 2);
-    invert_ntt_at_layer_3(&mut zeta_i, re, 3);
+    invert_ntt_at_layer_1(&mut zeta_i, re);
+    invert_ntt_at_layer_2(&mut zeta_i, re);
+    invert_ntt_at_layer_3(&mut zeta_i, re);
     invert_ntt_at_layer_4_plus(&mut zeta_i, re, 4);
     invert_ntt_at_layer_4_plus(&mut zeta_i, re, 5);
     invert_ntt_at_layer_4_plus(&mut zeta_i, re, 6);
diff --git a/libcrux-ml-kem/src/kem.rs b/libcrux-ml-kem/src/kem.rs
deleted file mode 100644
index e99d4d1ee..000000000
--- a/libcrux-ml-kem/src/kem.rs
+++ /dev/null
@@ -1,28 +0,0 @@
-// hacspec code: don't let clippy touch it.
-#[allow(clippy::all)]
-pub mod kyber;
-
-// // TODO: These functions are currently exposed simply in order to make NIST KAT
-// // testing possible without an implementation of the NIST AES-CTR DRBG. Remove them
-// // (and change the visibility of the exported functions to pub(crate)) the
-// // moment we have an implementation of one. This is tracked by:
-// // https://github.com/cryspen/libcrux/issues/36
-// #[cfg(feature = "tests")]
-// pub mod deterministic {
-//     pub use super::kyber::kyber1024::decapsulate as kyber1024_decapsulate_derand;
-//     pub use super::kyber::kyber1024::encapsulate as kyber1024_encapsulate_derand;
-//     pub use super::kyber::kyber1024::generate_key_pair as kyber1024_generate_keypair_derand;
-//     pub use super::kyber::kyber512::decapsulate as kyber512_decapsulate_derand;
-//     pub use super::kyber::kyber512::encapsulate as kyber512_encapsulate_derand;
-//     pub use super::kyber::kyber512::generate_key_pair as kyber512_generate_keypair_derand;
-//     pub use super::kyber::kyber768::decapsulate as kyber768_decapsulate_derand;
-//     pub use super::kyber::kyber768::encapsulate as kyber768_encapsulate_derand;
-//     pub use super::kyber::kyber768::generate_key_pair as kyber768_generate_keypair_derand;
-// }
-
-// #[cfg(feature = "tests")]
-// pub use kyber::{
-//     kyber1024::validate_public_key as ml_kem1024_validate_public_key,
-//     kyber512::validate_public_key as ml_kem512_validate_public_key,
-//     kyber768::validate_public_key as ml_kem768_validate_public_key,
-// };
diff --git a/libcrux-ml-kem/src/kem/kyber.rs b/libcrux-ml-kem/src/kem/kyber.rs
deleted file mode 100644
index e63fb7f92..000000000
--- a/libcrux-ml-kem/src/kem/kyber.rs
+++ /dev/null
@@ -1,358 +0,0 @@
-// This module is declared here since otherwise, hax reports the following error:
-//
-// The THIR body of item
-// DefId(0:986 ~ libcrux[92b3]::kem::kyber768::parameters::COEFFICIENTS_IN_RING_ELEMENT)
-// was stolen.
-//
-// This is being tracked in https://github.com/hacspec/hacspec-v2/issues/27
-pub(crate) mod constants;
-
-/// Helpers for verification and extraction
-mod helper;
-
-mod arithmetic;
-mod compress;
-mod constant_time_ops;
-mod hash_functions;
-mod ind_cpa;
-mod matrix;
-mod ntt;
-mod sampling;
-mod serialize;
-mod types;
-
-// Variants
-#[cfg(feature = "mlkem1024")]
-pub mod kyber1024;
-#[cfg(feature = "mlkem512")]
-pub mod kyber512;
-#[cfg(feature = "mlkem768")]
-pub mod kyber768;
-
-pub use types::{MlKemCiphertext, MlKemKeyPair, MlKemPrivateKey, MlKemPublicKey};
-
-// TODO: We should make this an actual type as opposed to alias so we can enforce
-// some checks at the type level. This is being tracked in:
-// https://github.com/cryspen/libcrux/issues/123
-pub type MlKemSharedSecret = [u8; SHARED_SECRET_SIZE];
-
-use self::{
-    arithmetic::PolynomialRingElement,
-    constant_time_ops::{
-        compare_ciphertexts_in_constant_time, select_shared_secret_in_constant_time,
-    },
-    constants::{CPA_PKE_KEY_GENERATION_SEED_SIZE, H_DIGEST_SIZE, SHARED_SECRET_SIZE},
-    hash_functions::{G, H, PRF},
-    ind_cpa::{into_padded_array, serialize_public_key},
-    serialize::deserialize_ring_elements_reduced,
-};
-
-/// Seed size for key generation
-pub(crate) const KEY_GENERATION_SEED_SIZE: usize =
-    CPA_PKE_KEY_GENERATION_SEED_SIZE + SHARED_SECRET_SIZE;
-
-/// Serialize the secret key.
-#[inline(always)]
-fn serialize_kem_secret_key<const SERIALIZED_KEY_LEN: usize>(
-    private_key: &[u8],
-    public_key: &[u8],
-    implicit_rejection_value: &[u8],
-) -> [u8; SERIALIZED_KEY_LEN] {
-    let mut out = [0u8; SERIALIZED_KEY_LEN];
-    let mut pointer = 0;
-    out[pointer..pointer + private_key.len()].copy_from_slice(private_key);
-    pointer += private_key.len();
-    out[pointer..pointer + public_key.len()].copy_from_slice(public_key);
-    pointer += public_key.len();
-    out[pointer..pointer + H_DIGEST_SIZE].copy_from_slice(&H(public_key));
-    pointer += H_DIGEST_SIZE;
-    out[pointer..pointer + implicit_rejection_value.len()]
-        .copy_from_slice(implicit_rejection_value);
-    out
-}
-
-pub(super) fn validate_public_key<
-    const K: usize,
-    const RANKED_BYTES_PER_RING_ELEMENT: usize,
-    const PUBLIC_KEY_SIZE: usize,
->(
-    public_key: &[u8; PUBLIC_KEY_SIZE],
-) -> bool {
-    let deserialized_pk = deserialize_ring_elements_reduced::<PUBLIC_KEY_SIZE, K>(
-        &public_key[..RANKED_BYTES_PER_RING_ELEMENT],
-    );
-
-    let public_key_serialized =
-        serialize_public_key::<K, RANKED_BYTES_PER_RING_ELEMENT, PUBLIC_KEY_SIZE>(
-            deserialized_pk,
-            &public_key[RANKED_BYTES_PER_RING_ELEMENT..],
-        );
-
-    *public_key == public_key_serialized
-}
-
-pub struct MlKemState<const K: usize> {
-    secret_as_ntt: [PolynomialRingElement; K],
-    t_as_ntt: [PolynomialRingElement; K],
-    a_transpose: [[PolynomialRingElement; K]; K],
-    rej: [u8; 32],
-    ind_cpa_public_key_hash: [u8; 32],
-}
-
-pub(super) fn generate_keypair_unpacked<
-    const K: usize,
-    const CPA_PRIVATE_KEY_SIZE: usize,
-    const PRIVATE_KEY_SIZE: usize,
-    const PUBLIC_KEY_SIZE: usize,
-    const BYTES_PER_RING_ELEMENT: usize,
-    const ETA1: usize,
-    const ETA1_RANDOMNESS_SIZE: usize,
->(
-    randomness: [u8; KEY_GENERATION_SEED_SIZE],
-) -> (MlKemState<K>, MlKemPublicKey<PUBLIC_KEY_SIZE>) {
-    let ind_cpa_keypair_randomness = &randomness[0..CPA_PKE_KEY_GENERATION_SEED_SIZE];
-    let implicit_rejection_value = &randomness[CPA_PKE_KEY_GENERATION_SEED_SIZE..];
-
-    let ((secret_as_ntt, t_as_ntt, a_transpose), ind_cpa_public_key) =
-        ind_cpa::generate_keypair_unpacked::<
-            K,
-            PUBLIC_KEY_SIZE,
-            BYTES_PER_RING_ELEMENT,
-            ETA1,
-            ETA1_RANDOMNESS_SIZE,
-        >(ind_cpa_keypair_randomness);
-
-    let ind_cpa_public_key_hash = H(&ind_cpa_public_key);
-
-    let rej: [u8; 32] = implicit_rejection_value.try_into().unwrap();
-    let pubkey: MlKemPublicKey<PUBLIC_KEY_SIZE> = MlKemPublicKey::from(ind_cpa_public_key);
-    (
-        MlKemState {
-            secret_as_ntt,
-            t_as_ntt,
-            a_transpose,
-            rej,
-            ind_cpa_public_key_hash,
-        },
-        pubkey,
-    )
-}
-
-pub(super) fn generate_keypair<
-    const K: usize,
-    const CPA_PRIVATE_KEY_SIZE: usize,
-    const PRIVATE_KEY_SIZE: usize,
-    const PUBLIC_KEY_SIZE: usize,
-    const BYTES_PER_RING_ELEMENT: usize,
-    const ETA1: usize,
-    const ETA1_RANDOMNESS_SIZE: usize,
->(
-    randomness: [u8; KEY_GENERATION_SEED_SIZE],
-) -> MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE> {
-    let ind_cpa_keypair_randomness = &randomness[0..CPA_PKE_KEY_GENERATION_SEED_SIZE];
-    let implicit_rejection_value = &randomness[CPA_PKE_KEY_GENERATION_SEED_SIZE..];
-
-    let (ind_cpa_private_key, public_key) = ind_cpa::generate_keypair::<
-        K,
-        CPA_PRIVATE_KEY_SIZE,
-        PUBLIC_KEY_SIZE,
-        BYTES_PER_RING_ELEMENT,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-    >(ind_cpa_keypair_randomness);
-
-    let secret_key_serialized =
-        serialize_kem_secret_key(&ind_cpa_private_key, &public_key, implicit_rejection_value);
-    let private_key: MlKemPrivateKey<PRIVATE_KEY_SIZE> =
-        MlKemPrivateKey::from(secret_key_serialized);
-
-    MlKemKeyPair::from(private_key, public_key.into())
-}
-
-pub(super) fn encapsulate<
-    const K: usize,
-    const CIPHERTEXT_SIZE: usize,
-    const PUBLIC_KEY_SIZE: usize,
-    const T_AS_NTT_ENCODED_SIZE: usize,
-    const C1_SIZE: usize,
-    const C2_SIZE: usize,
-    const VECTOR_U_COMPRESSION_FACTOR: usize,
-    const VECTOR_V_COMPRESSION_FACTOR: usize,
-    const VECTOR_U_BLOCK_LEN: usize,
-    const ETA1: usize,
-    const ETA1_RANDOMNESS_SIZE: usize,
-    const ETA2: usize,
-    const ETA2_RANDOMNESS_SIZE: usize,
->(
-    public_key: &MlKemPublicKey<PUBLIC_KEY_SIZE>,
-    randomness: [u8; SHARED_SECRET_SIZE],
-) -> (MlKemCiphertext<CIPHERTEXT_SIZE>, MlKemSharedSecret) {
-    let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&randomness);
-    to_hash[H_DIGEST_SIZE..].copy_from_slice(&H(public_key.as_slice()));
-
-    let hashed = G(&to_hash);
-    let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE);
-
-    let ciphertext = ind_cpa::encrypt::<
-        K,
-        CIPHERTEXT_SIZE,
-        T_AS_NTT_ENCODED_SIZE,
-        C1_SIZE,
-        C2_SIZE,
-        VECTOR_U_COMPRESSION_FACTOR,
-        VECTOR_V_COMPRESSION_FACTOR,
-        VECTOR_U_BLOCK_LEN,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-    >(public_key.as_slice(), randomness, pseudorandomness);
-
-    let mut shared_secret_array = [0u8; SHARED_SECRET_SIZE];
-    shared_secret_array.copy_from_slice(shared_secret);
-    (ciphertext.into(), shared_secret_array)
-}
-
-pub(super) fn decapsulate_unpacked<
-    const K: usize,
-    const SECRET_KEY_SIZE: usize,
-    const CPA_SECRET_KEY_SIZE: usize,
-    const PUBLIC_KEY_SIZE: usize,
-    const CIPHERTEXT_SIZE: usize,
-    const T_AS_NTT_ENCODED_SIZE: usize,
-    const C1_SIZE: usize,
-    const C2_SIZE: usize,
-    const VECTOR_U_COMPRESSION_FACTOR: usize,
-    const VECTOR_V_COMPRESSION_FACTOR: usize,
-    const C1_BLOCK_SIZE: usize,
-    const ETA1: usize,
-    const ETA1_RANDOMNESS_SIZE: usize,
-    const ETA2: usize,
-    const ETA2_RANDOMNESS_SIZE: usize,
-    const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize,
->(
-    state: &MlKemState<K>,
-    ciphertext: &MlKemCiphertext<CIPHERTEXT_SIZE>,
-) -> MlKemSharedSecret {
-    let secret_as_ntt: &[PolynomialRingElement; K] = &state.secret_as_ntt;
-    let t_as_ntt: &[PolynomialRingElement; K] = &state.t_as_ntt;
-    let a_transpose: &[[PolynomialRingElement; K]; K] = &state.a_transpose;
-    let implicit_rejection_value: &[u8] = &state.rej;
-    let ind_cpa_public_key_hash: &[u8] = &state.ind_cpa_public_key_hash;
-
-    let decrypted = ind_cpa::decrypt_unpacked::<
-        K,
-        CIPHERTEXT_SIZE,
-        C1_SIZE,
-        VECTOR_U_COMPRESSION_FACTOR,
-        VECTOR_V_COMPRESSION_FACTOR,
-    >(secret_as_ntt, &ciphertext.value);
-
-    let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted);
-    to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ind_cpa_public_key_hash);
-
-    let hashed = G(&to_hash);
-    let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE);
-
-    let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] =
-        into_padded_array(&implicit_rejection_value);
-    to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref());
-    let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = PRF(&to_hash);
-
-    let expected_ciphertext = ind_cpa::encrypt_unpacked::<
-        K,
-        CIPHERTEXT_SIZE,
-        T_AS_NTT_ENCODED_SIZE,
-        C1_SIZE,
-        C2_SIZE,
-        VECTOR_U_COMPRESSION_FACTOR,
-        VECTOR_V_COMPRESSION_FACTOR,
-        C1_BLOCK_SIZE,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-    >(t_as_ntt, a_transpose, decrypted, pseudorandomness);
-
-    let selector = compare_ciphertexts_in_constant_time::<CIPHERTEXT_SIZE>(
-        ciphertext.as_ref(),
-        &expected_ciphertext,
-    );
-
-    select_shared_secret_in_constant_time(
-        shared_secret,
-        &implicit_rejection_shared_secret,
-        selector,
-    )
-}
-
-pub(super) fn decapsulate<
-    const K: usize,
-    const SECRET_KEY_SIZE: usize,
-    const CPA_SECRET_KEY_SIZE: usize,
-    const PUBLIC_KEY_SIZE: usize,
-    const CIPHERTEXT_SIZE: usize,
-    const T_AS_NTT_ENCODED_SIZE: usize,
-    const C1_SIZE: usize,
-    const C2_SIZE: usize,
-    const VECTOR_U_COMPRESSION_FACTOR: usize,
-    const VECTOR_V_COMPRESSION_FACTOR: usize,
-    const C1_BLOCK_SIZE: usize,
-    const ETA1: usize,
-    const ETA1_RANDOMNESS_SIZE: usize,
-    const ETA2: usize,
-    const ETA2_RANDOMNESS_SIZE: usize,
-    const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize,
->(
-    secret_key: &MlKemPrivateKey<SECRET_KEY_SIZE>,
-    ciphertext: &MlKemCiphertext<CIPHERTEXT_SIZE>,
-) -> MlKemSharedSecret {
-    let (ind_cpa_secret_key, secret_key) = secret_key.split_at(CPA_SECRET_KEY_SIZE);
-    let (ind_cpa_public_key, secret_key) = secret_key.split_at(PUBLIC_KEY_SIZE);
-    let (ind_cpa_public_key_hash, implicit_rejection_value) = secret_key.split_at(H_DIGEST_SIZE);
-
-    let decrypted = ind_cpa::decrypt::<
-        K,
-        CIPHERTEXT_SIZE,
-        C1_SIZE,
-        VECTOR_U_COMPRESSION_FACTOR,
-        VECTOR_V_COMPRESSION_FACTOR,
-    >(ind_cpa_secret_key, &ciphertext.value);
-
-    let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted);
-    to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ind_cpa_public_key_hash);
-
-    let hashed = G(&to_hash);
-    let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE);
-
-    let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] =
-        into_padded_array(&implicit_rejection_value);
-    to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref());
-    let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = PRF(&to_hash);
-
-    let expected_ciphertext = ind_cpa::encrypt::<
-        K,
-        CIPHERTEXT_SIZE,
-        T_AS_NTT_ENCODED_SIZE,
-        C1_SIZE,
-        C2_SIZE,
-        VECTOR_U_COMPRESSION_FACTOR,
-        VECTOR_V_COMPRESSION_FACTOR,
-        C1_BLOCK_SIZE,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-    >(ind_cpa_public_key, decrypted, pseudorandomness);
-
-    let selector = compare_ciphertexts_in_constant_time::<CIPHERTEXT_SIZE>(
-        ciphertext.as_ref(),
-        &expected_ciphertext,
-    );
-
-    select_shared_secret_in_constant_time(
-        shared_secret,
-        &implicit_rejection_shared_secret,
-        selector,
-    )
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/PERFORMANCE.md b/libcrux-ml-kem/src/kem/kyber/PERFORMANCE.md
deleted file mode 100644
index 93bf98dd9..000000000
--- a/libcrux-ml-kem/src/kem/kyber/PERFORMANCE.md
+++ /dev/null
@@ -1,8 +0,0 @@
-N.B.: All measurements were taken on an M1 MacBook Air with 16 GB of memory.
-
-|           |   Key Generation (µs) |   Encapsulation (µs) |   Decapsulation (µs) |
-|:----------|----------------------:|---------------------:|---------------------:|
-| libcrux   |               30.671  |              36.31   |              36.3    |
-| BoringSSL |               33.8152 |              28.7323 |              35.2664 |
-| CIRCL     |               39.785  |              44.517  |              49.626  |
-| PQClean   |               30.671  |              38.511  |              43.458  |
\ No newline at end of file
diff --git a/libcrux-ml-kem/src/kem/kyber/arithmetic.rs b/libcrux-ml-kem/src/kem/kyber/arithmetic.rs
deleted file mode 100644
index de38ff72d..000000000
--- a/libcrux-ml-kem/src/kem/kyber/arithmetic.rs
+++ /dev/null
@@ -1,201 +0,0 @@
-use crate::hax_utils::hax_debug_assert;
-
-use super::constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS};
-
-/// Values having this type hold a representative 'x' of the Kyber field.
-/// We use 'fe' as a shorthand for this type.
-pub(crate) type FieldElement = i32;
-
-const MONTGOMERY_SHIFT: u8 = 16;
-const MONTGOMERY_R: i32 = 1 << MONTGOMERY_SHIFT;
-
-/// If 'x' denotes a value of type `fe`, values having this type hold a
-/// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS).
-/// We use 'mfe' as a shorthand for this type
-pub(crate) type MontgomeryFieldElement = i32;
-
-/// If 'x' denotes a value of type `fe`, values having this type hold a
-/// representative y ≡ x·MONTGOMERY_R (mod FIELD_MODULUS).
-/// We use 'fer' as a shorthand for this type.
-pub(crate) type FieldElementTimesMontgomeryR = i32;
-
-#[cfg_attr(hax, hax_lib::requires(n == 4 || n == 5 || n == 10 || n == 11 || n == MONTGOMERY_SHIFT))]
-#[cfg_attr(hax, hax_lib::ensures(|result| result < 2u32.pow(n.into())))]
-#[inline(always)]
-pub(crate) fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
-    hax_debug_assert!(n == 4 || n == 5 || n == 10 || n == 11 || n == MONTGOMERY_SHIFT);
-
-    value & ((1 << n) - 1)
-}
-
-const BARRETT_SHIFT: i64 = 26;
-const BARRETT_R: i64 = 1 << BARRETT_SHIFT;
-
-/// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋
-const BARRETT_MULTIPLIER: i64 = 20159;
-
-/// Signed Barrett Reduction
-///
-/// Given an input `value`, `barrett_reduce` outputs a representative `result`
-/// such that:
-///
-/// - result ≡ value (mod FIELD_MODULUS)
-/// - the absolute value of `result` is bound as follows:
-///
-/// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1)
-///
-/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`.
-
-#[cfg_attr(hax, hax_lib::requires((i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R)))]
-#[cfg_attr(hax, hax_lib::ensures(|result| result > -FIELD_MODULUS && result < FIELD_MODULUS))]
-pub(crate) fn barrett_reduce(value: FieldElement) -> FieldElement {
-    hax_debug_assert!(
-        i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R,
-        "value is {value}"
-    );
-
-    let t = (i64::from(value) * BARRETT_MULTIPLIER) + (BARRETT_R >> 1);
-    let quotient = (t >> BARRETT_SHIFT) as i32;
-
-    let result = value - (quotient * FIELD_MODULUS);
-
-    hax_debug_assert!(
-        result > -FIELD_MODULUS && result < FIELD_MODULUS,
-        "value is {value}"
-    );
-
-    result
-}
-
-const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u32 = 62209; // FIELD_MODULUS^{-1} mod MONTGOMERY_R
-
-/// Signed Montgomery Reduction
-///
-/// Given an input `value`, `montgomery_reduce` outputs a representative `o`
-/// such that:
-///
-/// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS)
-/// - the absolute value of `o` is bound as follows:
-///
-/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2)
-///
-/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`.
-#[cfg_attr(hax, hax_lib::requires(value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R))]
-#[cfg_attr(hax, hax_lib::ensures(|result| result >= -(3 * FIELD_MODULUS) / 2 && result <= (3 * FIELD_MODULUS) / 2))]
-pub(crate) fn montgomery_reduce(value: FieldElement) -> MontgomeryFieldElement {
-    // This forces hax to extract code for MONTGOMERY_R before it extracts code
-    // for this function. The removal of this line is being tracked in:
-    // https://github.com/cryspen/libcrux/issues/134
-    let _ = MONTGOMERY_R;
-
-    hax_debug_assert!(
-        value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R,
-        "value is {value}"
-    );
-
-    let t = get_n_least_significant_bits(MONTGOMERY_SHIFT, value as u32)
-        * INVERSE_OF_MODULUS_MOD_MONTGOMERY_R;
-    let k = get_n_least_significant_bits(MONTGOMERY_SHIFT, t) as i16;
-
-    let k_times_modulus = (k as i32) * FIELD_MODULUS;
-
-    let c = k_times_modulus >> MONTGOMERY_SHIFT;
-    let value_high = value >> MONTGOMERY_SHIFT;
-
-    value_high - c
-}
-
-/// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to
-/// `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to
-/// `x · y`, as follows:
-///
-///    `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)`
-///
-/// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative
-/// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`.
-#[inline(always)]
-pub(crate) fn montgomery_multiply_fe_by_fer(
-    fe: FieldElement,
-    fer: FieldElementTimesMontgomeryR,
-) -> FieldElement {
-    montgomery_reduce(fe * fer)
-}
-
-/// This is calculated as (MONTGOMERY_R)^2 mod FIELD_MODULUS
-const MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i32 = 1353;
-
-/// If x is some field element of the Kyber field and `mfe` is congruent to
-/// x · MONTGOMERY_R^{-1}, this procedure outputs a value that is congruent to
-/// `x`, as follows:
-///
-///    mfe · MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS ≡ x · MONTGOMERY_R^{-1} * (MONTGOMERY_R)^2 (mod FIELD_MODULUS)
-/// => mfe · MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS ≡ x · MONTGOMERY_R (mod FIELD_MODULUS)
-///
-/// `montgomery_reduce` takes the value `x · MONTGOMERY_R` and outputs a representative
-/// `x · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x (mod FIELD_MODULUS)`
-#[inline(always)]
-pub(crate) fn to_standard_domain(mfe: MontgomeryFieldElement) -> FieldElement {
-    montgomery_reduce(mfe * MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS)
-}
-
-/// Given a field element `fe` such that -FIELD_MODULUS ≤ fe < FIELD_MODULUS,
-/// output `o` such that:
-/// - `o` is congruent to `fe`
-/// - 0 ≤ `o` FIELD_MODULUS
-#[cfg_attr(hax, hax_lib::requires(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS))]
-#[cfg_attr(hax, hax_lib::ensures(|result| result >= 0 && result < (FIELD_MODULUS as u16)))]
-#[inline(always)]
-pub(crate) fn to_unsigned_representative(fe: FieldElement) -> u16 {
-    hax_debug_assert!(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS);
-    (fe + (FIELD_MODULUS & (fe >> 31))) as u16
-}
-
-#[derive(Clone, Copy)]
-pub struct PolynomialRingElement {
-    pub(crate) coefficients: [FieldElement; COEFFICIENTS_IN_RING_ELEMENT],
-}
-
-impl PolynomialRingElement {
-    pub const ZERO: Self = Self {
-        coefficients: [0i32; 256], // FIXME: hax issue, this is COEFFICIENTS_IN_RING_ELEMENT
-    };
-}
-
-/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
-/// sum of their constituent coefficients.
-#[cfg_attr(hax, hax_lib::requires(
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < COEFFICIENTS_IN_RING_ELEMENT, ||
-            (lhs.coefficients[i].abs() <= ((K as i32) - 1) * FIELD_MODULUS) &&
-            (rhs.coefficients[i].abs() <= FIELD_MODULUS)
-
-))))]
-#[cfg_attr(hax, hax_lib::ensures(|result|
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < result.coefficients.len(), ||
-                result.coefficients[i].abs() <= (K as i32) * FIELD_MODULUS
-))))]
-pub(crate) fn add_to_ring_element<const K: usize>(
-    mut lhs: PolynomialRingElement,
-    rhs: &PolynomialRingElement,
-) -> PolynomialRingElement {
-    hax_debug_assert!(lhs
-        .coefficients
-        .into_iter()
-        .all(|coefficient| coefficient.abs() <= ((K as i32) - 1) * FIELD_MODULUS));
-    hax_debug_assert!(rhs
-        .coefficients
-        .into_iter()
-        .all(|coefficient| coefficient.abs() < FIELD_MODULUS));
-
-    for i in 0..lhs.coefficients.len() {
-        lhs.coefficients[i] += rhs.coefficients[i];
-    }
-
-    hax_debug_assert!(lhs
-        .coefficients
-        .into_iter()
-        .all(|coefficient| coefficient.abs() <= (K as i32) * FIELD_MODULUS));
-
-    lhs
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/compress.rs b/libcrux-ml-kem/src/kem/kyber/compress.rs
deleted file mode 100644
index dd1ebd4d3..000000000
--- a/libcrux-ml-kem/src/kem/kyber/compress.rs
+++ /dev/null
@@ -1,135 +0,0 @@
-use crate::hax_utils::hax_debug_assert;
-
-use super::{
-    arithmetic::{get_n_least_significant_bits, FieldElement},
-    constants::FIELD_MODULUS,
-};
-
-/// The `compress_*` functions implement the `Compress` function specified in the NIST FIPS
-/// 203 standard (Page 18, Expression 4.5), which is defined as:
-///
-/// ```plaintext
-/// Compress_d: ℤq -> ℤ_{2ᵈ}
-/// Compress_d(x) = ⌈(2ᵈ/q)·x⌋
-/// ```
-///
-/// Since `⌈x⌋ = ⌊x + 1/2⌋` we have:
-///
-/// ```plaintext
-/// Compress_d(x) = ⌊(2ᵈ/q)·x + 1/2⌋
-///               = ⌊(2^{d+1}·x + q) / 2q⌋
-/// ```
-///
-/// For further information about the function implementations, consult the
-/// `implementation_notes.pdf` document in this directory.
-///
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-
-#[cfg_attr(hax, hax_lib::requires(fe < (FIELD_MODULUS as u16)))]
-#[cfg_attr(hax, hax_lib::ensures(|result|
-        hax_lib::implies(833 <= fe && fe <= 2596, || result == 1) &&
-        hax_lib::implies(!(833 <= fe && fe <= 2596), || result == 0)
-))]
-pub(super) fn compress_message_coefficient(fe: u16) -> u8 {
-    // The approach used here is inspired by:
-    // https://github.com/cloudflare/circl/blob/main/pke/kyber/internal/common/poly.go#L150
-
-    // If 833 <= fe <= 2496,
-    // then -832 <= shifted <= 831
-    let shifted: i16 = 1664 - (fe as i16);
-
-    // If shifted < 0, then
-    // (shifted >> 15) ^ shifted = flip_bits(shifted) = -shifted - 1, and so
-    // if -832 <= shifted < 0 then 0 < shifted_positive <= 831
-    //
-    // If shifted >= 0 then
-    // (shifted >> 15) ^ shifted = shifted, and so
-    // if 0 <= shifted <= 831 then 0 <= shifted_positive <= 831
-    let mask = shifted >> 15;
-    let shifted_to_positive = mask ^ shifted;
-
-    let shifted_positive_in_range = shifted_to_positive - 832;
-
-    // If x <= 831, then x - 832 <= -1, and so x - 832 < 0, which means
-    // the most significant bit of shifted_positive_in_range will be 1.
-    ((shifted_positive_in_range >> 15) & 1) as u8
-}
-
-#[cfg_attr(hax,
-    hax_lib::requires(
-        (coefficient_bits == 4 ||
-         coefficient_bits == 5 ||
-         coefficient_bits == 10 ||
-         coefficient_bits == 11) &&
-         fe < (FIELD_MODULUS as u16)))]
-#[cfg_attr(hax,
-     hax_lib::ensures(
-     |result| result >= 0 && result < 2i32.pow(coefficient_bits as u32)))]
-pub(super) fn compress_ciphertext_coefficient(coefficient_bits: u8, fe: u16) -> FieldElement {
-    hax_debug_assert!(
-        coefficient_bits == 4
-            || coefficient_bits == 5
-            || coefficient_bits == 10
-            || coefficient_bits == 11
-    );
-    hax_debug_assert!(fe <= (FIELD_MODULUS as u16));
-
-    // This has to be constant time due to:
-    // https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/ovODsdY7AwAJ
-    let mut compressed = (fe as u64) << coefficient_bits;
-    compressed += 1664 as u64;
-
-    compressed *= 10_321_340;
-    compressed >>= 35;
-
-    get_n_least_significant_bits(coefficient_bits, compressed as u32) as FieldElement
-}
-
-/// The `decompress_*` functions implement the `Decompress` function specified in the NIST FIPS
-/// 203 standard (Page 18, Expression 4.6), which is defined as:
-///
-/// ```plaintext
-/// Decompress_d: ℤ_{2ᵈ} -> ℤq
-/// Decompress_d(y) = ⌈(q/2ᵈ)·y⌋
-/// ```
-///
-/// Since `⌈x⌋ = ⌊x + 1/2⌋` we have:
-///
-/// ```plaintext
-/// Decompress_d(y) = ⌊(q/2ᵈ)·y + 1/2⌋
-///                 = ⌊(2·y·q + 2ᵈ) / 2^{d+1})⌋
-/// ```
-///
-/// For further information about the function implementations, consult the
-/// `implementation_notes.pdf` document in this directory.
-///
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-
-#[cfg_attr(hax, hax_lib::requires((fe == 0) || (fe == 1)))]
-#[inline(always)]
-pub(super) fn decompress_message_coefficient(fe: FieldElement) -> FieldElement {
-    -fe & ((FIELD_MODULUS + 1) / 2)
-}
-
-#[cfg_attr(hax, hax_lib::requires((coefficient_bits == 4 || coefficient_bits == 5 || coefficient_bits == 10 || coefficient_bits == 11) && (fe >= 0) && (fe < 2i32.pow(coefficient_bits as u32))))]
-#[cfg_attr(hax, hax_lib::ensures(|result| result < FIELD_MODULUS))]
-pub(super) fn decompress_ciphertext_coefficient(
-    coefficient_bits: u8,
-    fe: FieldElement,
-) -> FieldElement {
-    hax_debug_assert!(
-        coefficient_bits == 4
-            || coefficient_bits == 5
-            || coefficient_bits == 10
-            || coefficient_bits == 11
-    );
-    hax_debug_assert!(fe >= 0 && fe <= 2i32.pow(coefficient_bits as u32));
-
-    let mut decompressed = (fe as u32) * (FIELD_MODULUS as u32);
-    decompressed = (decompressed << 1) + (1 << coefficient_bits);
-    decompressed >>= coefficient_bits + 1;
-
-    decompressed as FieldElement
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/constant_time_ops.rs b/libcrux-ml-kem/src/kem/kyber/constant_time_ops.rs
deleted file mode 100644
index 66b667dad..000000000
--- a/libcrux-ml-kem/src/kem/kyber/constant_time_ops.rs
+++ /dev/null
@@ -1,64 +0,0 @@
-use super::constants::SHARED_SECRET_SIZE;
-use crate::hax_utils::hax_debug_assert;
-
-// Examine the output that LLVM produces for this code from time to time to ensure
-// operations are not being optimized away/constant-timedness is not being broken.
-
-/// Return 1 if `value` is not zero and 0 otherwise.
-#[cfg_attr(hax, hax_lib::ensures(|result|
-    hax_lib::implies(value == 0, || result == 0) &&
-    hax_lib::implies(value != 0, || result == 1)
-))]
-#[inline(never)] // Don't inline this to avoid that the compiler optimizes this out.
-fn is_non_zero(value: u8) -> u8 {
-    let value = value as u16;
-
-    let result = ((value | (!value).wrapping_add(1)) >> 8) & 1;
-
-    result as u8
-}
-
-/// Return 1 if the bytes of `lhs` and `rhs` do not exactly
-/// match and 0 otherwise.
-#[cfg_attr(hax, hax_lib::ensures(|result|
-    hax_lib::implies(lhs == rhs, || result == 0) &&
-    hax_lib::implies(lhs != rhs, || result == 1)
-))]
-pub(crate) fn compare_ciphertexts_in_constant_time<const CIPHERTEXT_SIZE: usize>(
-    lhs: &[u8],
-    rhs: &[u8],
-) -> u8 {
-    hax_debug_assert!(lhs.len() == rhs.len());
-    hax_debug_assert!(lhs.len() == CIPHERTEXT_SIZE);
-
-    let mut r: u8 = 0;
-    for i in 0..CIPHERTEXT_SIZE {
-        r |= lhs[i] ^ rhs[i];
-    }
-
-    is_non_zero(r)
-}
-
-/// If `selector` is not zero, return the bytes in `rhs`; return the bytes in
-/// `lhs` otherwise.
-#[cfg_attr(hax, hax_lib::ensures(|result|
-    hax_lib::implies(selector == 0, || result == lhs) &&
-    hax_lib::implies(selector != 0, || result == rhs)
-))]
-pub(crate) fn select_shared_secret_in_constant_time(
-    lhs: &[u8],
-    rhs: &[u8],
-    selector: u8,
-) -> [u8; SHARED_SECRET_SIZE] {
-    hax_debug_assert!(lhs.len() == rhs.len());
-    hax_debug_assert!(lhs.len() == SHARED_SECRET_SIZE);
-
-    let mask = is_non_zero(selector).wrapping_sub(1);
-    let mut out = [0u8; SHARED_SECRET_SIZE];
-
-    for i in 0..SHARED_SECRET_SIZE {
-        out[i] = (lhs[i] & mask) | (rhs[i] & !mask);
-    }
-
-    out
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/constants.rs b/libcrux-ml-kem/src/kem/kyber/constants.rs
deleted file mode 100644
index a48705a2f..000000000
--- a/libcrux-ml-kem/src/kem/kyber/constants.rs
+++ /dev/null
@@ -1,35 +0,0 @@
-/// Field modulus: 3329
-pub(crate) const FIELD_MODULUS: i32 = 3329;
-
-/// Each field element needs floor(log_2(FIELD_MODULUS)) + 1 = 12 bits to represent
-pub(crate) const BITS_PER_COEFFICIENT: usize = 12;
-
-/// Coefficients per ring element
-pub(crate) const COEFFICIENTS_IN_RING_ELEMENT: usize = 256;
-
-/// Bits required per (uncompressed) ring element
-pub(crate) const BITS_PER_RING_ELEMENT: usize = COEFFICIENTS_IN_RING_ELEMENT * 12;
-
-/// Bytes required per (uncompressed) ring element
-pub(crate) const BYTES_PER_RING_ELEMENT: usize = BITS_PER_RING_ELEMENT / 8;
-
-/// PKE message size
-pub(crate) const SHARED_SECRET_SIZE: usize = 32;
-
-pub(crate) const CPA_PKE_KEY_GENERATION_SEED_SIZE: usize = 32;
-
-// [hax]: hacspec/hacspec-v2#27 stealing error
-//        Using these functions causes stealing errors in hax.
-// /// Compute serialized length for output size of ByteEncode
-// pub(in crate::kem::kyber) const fn serialized_len<const K: usize, const OUT_LEN: usize>() -> usize {
-//     OUT_LEN * K
-// }
-
-// /// Compute block length for output block size of ByteEncode u (c1)
-// pub(in crate::kem::kyber) const fn block_len<const FACTOR: usize>() -> usize {
-//     (COEFFICIENTS_IN_RING_ELEMENT * FACTOR) / 8
-// }
-
-// XXX: Eurydice can't handle this.
-// digest_size(Algorithm::Sha3_256);
-pub(crate) const H_DIGEST_SIZE: usize = 32;
diff --git a/libcrux-ml-kem/src/kem/kyber/hash_functions.rs b/libcrux-ml-kem/src/kem/kyber/hash_functions.rs
deleted file mode 100644
index 57e930c87..000000000
--- a/libcrux-ml-kem/src/kem/kyber/hash_functions.rs
+++ /dev/null
@@ -1,116 +0,0 @@
-#![allow(non_snake_case)]
-
-use super::constants::H_DIGEST_SIZE;
-const G_DIGEST_SIZE: usize = 64;
-
-use libcrux_sha3::portable::{
-    self,
-    incremental::{
-        shake128_absorb_final, shake128_init, shake128_squeeze_first_three_blocks,
-        shake128_squeeze_next_block,
-    },
-    KeccakState,
-};
-pub(crate) fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] {
-    let mut digest = [0u8; G_DIGEST_SIZE];
-    portable::sha512(&mut digest, input);
-    digest
-}
-
-pub(crate) fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] {
-    let mut digest = [0u8; H_DIGEST_SIZE];
-    portable::sha256(&mut digest, input);
-    digest
-}
-
-pub(crate) fn PRF<const LEN: usize>(input: &[u8]) -> [u8; LEN] {
-    let mut digest = [0u8; LEN];
-    portable::shake256(&mut digest, input);
-    digest
-}
-
-// #[inline(always)]
-// pub(crate) fn absorb<const K: usize>(input: [[u8; 34]; K]) -> Shake128StateX4 {
-//     debug_assert!(K == 2 || K == 3 || K == 4);
-
-//     let mut state = Shake128StateX4::new();
-//     // XXX: We need to do this dance to get it through hax and eurydice for now.
-//     let mut data: [&[u8]; K] = [&[0u8]; K];
-//     for i in 0..K {
-//         data[i] = &input[i] as &[u8];
-//     }
-//     state.absorb_final(data);
-//     state
-// }
-
-#[inline(always)]
-pub(crate) fn absorb<const K: usize>(input: [[u8; 34]; K]) -> [KeccakState; K] {
-    debug_assert!(K == 2 || K == 3 || K == 4);
-
-    let mut state = [shake128_init(); K];
-    for i in 0..K {
-        shake128_absorb_final(&mut state[i], &input[i]);
-    }
-    state
-}
-
-const BLOCK_SIZE: usize = 168;
-const THREE_BLOCKS: usize = BLOCK_SIZE * 3;
-
-// #[inline(always)]
-// pub(crate) fn squeeze_three_blocks<const K: usize>(
-//     xof_state: &mut Shake128StateX4,
-// ) -> [[u8; THREE_BLOCKS]; K] {
-//     let output: [[u8; THREE_BLOCKS]; K] = xof_state.squeeze_blocks();
-//     let mut out = [[0u8; THREE_BLOCKS]; K];
-//     for i in 0..K {
-//         out[i] = output[i];
-//     }
-//     out
-// }
-
-#[inline(always)]
-pub(crate) fn squeeze_three_blocks<const K: usize>(
-    xof_state: &mut [KeccakState; K],
-) -> [[u8; THREE_BLOCKS]; K] {
-    debug_assert!(K == 2 || K == 3 || K == 4);
-
-    let mut out = [[0u8; THREE_BLOCKS]; K];
-    for i in 0..K {
-        shake128_squeeze_first_three_blocks(&mut xof_state[i], &mut out[i]);
-    }
-    out
-}
-
-// #[inline(always)]
-// pub(crate) fn squeeze_block<const K: usize>(
-//     xof_state: &mut Shake128StateX4,
-// ) -> [[u8; BLOCK_SIZE]; K] {
-//     let output: [[u8; BLOCK_SIZE]; K] = xof_state.squeeze_blocks();
-//     let mut out = [[0u8; BLOCK_SIZE]; K];
-//     for i in 0..K {
-//         out[i] = output[i];
-//     }
-//     out
-// }
-
-#[inline(always)]
-pub(crate) fn squeeze_block<const K: usize>(
-    xof_state: &mut [KeccakState; K],
-) -> [[u8; BLOCK_SIZE]; K] {
-    debug_assert!(K == 2 || K == 3 || K == 4);
-
-    let mut out = [[0u8; BLOCK_SIZE]; K];
-    for i in 0..K {
-        shake128_squeeze_next_block(&mut xof_state[i], &mut out[i]);
-    }
-    out
-}
-
-/// Free the memory of the state.
-///
-/// **NOTE:** That this needs to be done manually for now.
-#[inline(always)]
-pub(crate) fn free_state<const K: usize>(_xof_state: [KeccakState; K]) {
-    // xof_state.free_memory();
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/helper.rs b/libcrux-ml-kem/src/kem/kyber/helper.rs
deleted file mode 100644
index 47fa920aa..000000000
--- a/libcrux-ml-kem/src/kem/kyber/helper.rs
+++ /dev/null
@@ -1,59 +0,0 @@
-/// The following macros are defined so that the extraction from Rust to C code
-/// can go through.
-
-#[cfg(not(hax))]
-#[doc(hidden)]
-macro_rules! cloop {
-    (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => {
-        for $i in 0..$val.$values.len() / ($($chunk_size)*) {
-            let $chunk = &$val.$values[$i*($($chunk_size)*) .. $i*($($chunk_size)*)+($($chunk_size)*)];
-            $body
-        }
-    };
-    (for ($i:ident, $chunk:ident) in $val:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => {
-        for $i in 0..$val.len() / ($($chunk_size)*) {
-            let $chunk = &$val[$i*($($chunk_size)*) .. $i*($($chunk_size)*)+($($chunk_size)*)];
-            $body
-        }
-    };
-    (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => {
-        for $i in 0..$val.len() {
-            let $item = &$val[$i];
-            $body
-        }
-    };
-    (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => {
-        for $i in 0..$val.len() {
-            let $item = $val[$i];
-            $body
-        }
-    };
-    (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => {
-        for $i in $start..$end / $step {
-            let $i = $i * $step;
-            $body
-        }
-    };
-}
-
-#[cfg(hax)]
-#[doc(hidden)]
-macro_rules! cloop {
-    (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => {
-        for ($i, $chunk) in $val.$values.chunks_exact($($chunk_size),*).enumerate() $body
-    };
-    (for ($i:ident, $chunk:ident) in $val:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => {
-        for ($i, $chunk) in $val.chunks_exact($($chunk_size),*).enumerate() $body
-    };
-    (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => {
-        for ($i, $item) in $val.iter().enumerate() $body
-    };
-    (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => {
-        for ($i, $item) in $val.into_iter().enumerate() $body
-    };
-    (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => {
-        for $i in ($start..$end).step_by($step) $body
-    };
-}
-
-pub(super) use cloop;
diff --git a/libcrux-ml-kem/src/kem/kyber/implementation_notes.pdf b/libcrux-ml-kem/src/kem/kyber/implementation_notes.pdf
deleted file mode 100644
index adc843026..000000000
Binary files a/libcrux-ml-kem/src/kem/kyber/implementation_notes.pdf and /dev/null differ
diff --git a/libcrux-ml-kem/src/kem/kyber/ind_cpa.rs b/libcrux-ml-kem/src/kem/kyber/ind_cpa.rs
deleted file mode 100644
index 88605b8b1..000000000
--- a/libcrux-ml-kem/src/kem/kyber/ind_cpa.rs
+++ /dev/null
@@ -1,508 +0,0 @@
-use super::{
-    arithmetic::{to_unsigned_representative, PolynomialRingElement},
-    constants::{BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, SHARED_SECRET_SIZE},
-    hash_functions::{G, PRF},
-    helper::cloop,
-    matrix::*,
-    ntt::*,
-    sampling::sample_from_binomial_distribution,
-    serialize::{
-        compress_then_serialize_message, compress_then_serialize_ring_element_u,
-        compress_then_serialize_ring_element_v, deserialize_ring_elements_reduced,
-        deserialize_then_decompress_message, deserialize_then_decompress_ring_element_u,
-        deserialize_then_decompress_ring_element_v, deserialize_to_uncompressed_ring_element,
-        serialize_uncompressed_ring_element,
-    },
-};
-
-/// Pad the `slice` with `0`s at the end.
-#[inline(always)]
-pub(super) fn into_padded_array<const LEN: usize>(slice: &[u8]) -> [u8; LEN] {
-    debug_assert!(slice.len() <= LEN);
-    let mut out = [0u8; LEN];
-    out[0..slice.len()].copy_from_slice(slice);
-    out
-}
-
-/// Concatenate `t` and `ρ` into the public key.
-#[inline(always)]
-pub(super) fn serialize_public_key<
-    const K: usize,
-    const RANKED_BYTES_PER_RING_ELEMENT: usize,
-    const PUBLIC_KEY_SIZE: usize,
->(
-    t_as_ntt: [PolynomialRingElement; K],
-    seed_for_a: &[u8],
-) -> [u8; PUBLIC_KEY_SIZE] {
-    let mut public_key_serialized = [0u8; PUBLIC_KEY_SIZE];
-    public_key_serialized[0..RANKED_BYTES_PER_RING_ELEMENT].copy_from_slice(
-        &serialize_secret_key::<K, RANKED_BYTES_PER_RING_ELEMENT>(t_as_ntt),
-    );
-    public_key_serialized[RANKED_BYTES_PER_RING_ELEMENT..].copy_from_slice(seed_for_a);
-    public_key_serialized
-}
-
-/// Call [`serialize_uncompressed_ring_element`] for each ring element.
-#[inline(always)]
-fn serialize_secret_key<const K: usize, const OUT_LEN: usize>(
-    key: [PolynomialRingElement; K],
-) -> [u8; OUT_LEN] {
-    let mut out = [0u8; OUT_LEN];
-
-    cloop! {
-        for (i, re) in key.into_iter().enumerate() {
-            out[i * BYTES_PER_RING_ELEMENT..(i + 1) * BYTES_PER_RING_ELEMENT]
-            .copy_from_slice(&serialize_uncompressed_ring_element(re));
-        }
-    }
-
-    out
-}
-
-/// Sample a vector of ring elements from a centered binomial distribution.
-#[inline(always)]
-fn sample_ring_element_cbd<const K: usize, const ETA2_RANDOMNESS_SIZE: usize, const ETA2: usize>(
-    prf_input: &mut [u8; 33],
-    domain_separator: &mut u8,
-) -> [PolynomialRingElement; K] {
-    let mut error_1 = [PolynomialRingElement::ZERO; K];
-    for i in 0..K {
-        prf_input[32] = *domain_separator;
-        *domain_separator += 1;
-
-        let prf_output: [u8; ETA2_RANDOMNESS_SIZE] = PRF(prf_input);
-        error_1[i] = sample_from_binomial_distribution::<ETA2>(&prf_output);
-    }
-    error_1
-}
-
-/// Sample a vector of ring elements from a centered binomial distribution and
-/// convert them into their NTT representations.
-#[inline(always)]
-fn sample_vector_cbd_then_ntt<
-    const K: usize,
-    const ETA: usize,
-    const ETA_RANDOMNESS_SIZE: usize,
->(
-    mut prf_input: [u8; 33],
-    mut domain_separator: u8,
-) -> ([PolynomialRingElement; K], u8) {
-    let mut re_as_ntt = [PolynomialRingElement::ZERO; K];
-    for i in 0..K {
-        prf_input[32] = domain_separator;
-        domain_separator += 1;
-
-        let prf_output: [u8; ETA_RANDOMNESS_SIZE] = PRF(&prf_input);
-
-        let r = sample_from_binomial_distribution::<ETA>(&prf_output);
-        re_as_ntt[i] = ntt_binomially_sampled_ring_element(r);
-    }
-    (re_as_ntt, domain_separator)
-}
-
-/// This function implements most of <strong>Algorithm 12</strong> of the
-/// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm.
-///
-/// We say "most of" since Algorithm 12 samples the required randomness within
-/// the function itself, whereas this implementation expects it to be provided
-/// through the `key_generation_seed` parameter.
-///
-/// Algorithm 12 is reproduced below:
-///
-/// ```plaintext
-/// Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}.
-/// Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}.
-///
-/// d ←$ B
-/// (ρ,σ) ← G(d)
-/// N ← 0
-/// for (i ← 0; i < k; i++)
-///     for(j ← 0; j < k; j++)
-///         Â[i,j] ← SampleNTT(XOF(ρ, i, j))
-///     end for
-/// end for
-/// for(i ← 0; i < k; i++)
-///     s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N))
-///     N ← N + 1
-/// end for
-/// for(i ← 0; i < k; i++)
-///     e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N))
-///     N ← N + 1
-/// end for
-/// ŝ ← NTT(s)
-/// ê ← NTT(e)
-/// t̂ ← Â◦ŝ + ê
-/// ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ
-/// dkₚₖₑ ← ByteEncode₁₂(ŝ)
-/// ```
-///
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-#[allow(non_snake_case)]
-pub(super) fn generate_keypair_unpacked<
-    const K: usize,
-    const PUBLIC_KEY_SIZE: usize,
-    const RANKED_BYTES_PER_RING_ELEMENT: usize,
-    const ETA1: usize,
-    const ETA1_RANDOMNESS_SIZE: usize,
->(
-    key_generation_seed: &[u8],
-) -> (
-    (
-        [PolynomialRingElement; K],
-        [PolynomialRingElement; K],
-        [[PolynomialRingElement; K]; K],
-    ),
-    [u8; PUBLIC_KEY_SIZE],
-) {
-    // (ρ,σ) := G(d)
-    let hashed = G(key_generation_seed);
-    let (seed_for_A, seed_for_secret_and_error) = hashed.split_at(32);
-
-    let a_transpose = sample_matrix_A(into_padded_array(seed_for_A), true);
-
-    let prf_input: [u8; 33] = into_padded_array(seed_for_secret_and_error);
-    let (mut secret_as_ntt, domain_separator) =
-        sample_vector_cbd_then_ntt::<K, ETA1, ETA1_RANDOMNESS_SIZE>(prf_input, 0);
-    let (error_as_ntt, _) =
-        sample_vector_cbd_then_ntt::<K, ETA1, ETA1_RANDOMNESS_SIZE>(prf_input, domain_separator);
-
-    // tˆ := Aˆ ◦ sˆ + eˆ
-    let mut t_as_ntt = compute_As_plus_e(&a_transpose, &secret_as_ntt, &error_as_ntt);
-
-    // pk := (Encode_12(tˆ mod^{+}q) || ρ)
-    let public_key_serialized = serialize_public_key::<
-        K,
-        RANKED_BYTES_PER_RING_ELEMENT,
-        PUBLIC_KEY_SIZE,
-    >(t_as_ntt, &seed_for_A);
-
-    // Need to do the following otherwise it violates invariants in NTT (the values are expected to be >=0 and <4096).
-    // Maybe we can remove these reductions later if we make those constraints looser
-    for i in 0..K {
-        for j in 0..COEFFICIENTS_IN_RING_ELEMENT {
-            secret_as_ntt[i].coefficients[j] =
-                to_unsigned_representative(secret_as_ntt[i].coefficients[j]) as i32;
-            t_as_ntt[i].coefficients[j] =
-                to_unsigned_representative(t_as_ntt[i].coefficients[j]) as i32;
-        }
-    }
-
-    // We also need to transpose the A array.
-    let mut a_matrix = a_transpose;
-    for i in 0..K {
-        for j in 0..K {
-            a_matrix[i][j] = a_transpose[j][i];
-        }
-    }
-
-    ((secret_as_ntt, t_as_ntt, a_matrix), public_key_serialized)
-}
-
-#[allow(non_snake_case)]
-pub(super) fn generate_keypair<
-    const K: usize,
-    const PRIVATE_KEY_SIZE: usize,
-    const PUBLIC_KEY_SIZE: usize,
-    const RANKED_BYTES_PER_RING_ELEMENT: usize,
-    const ETA1: usize,
-    const ETA1_RANDOMNESS_SIZE: usize,
->(
-    key_generation_seed: &[u8],
-) -> ([u8; PRIVATE_KEY_SIZE], [u8; PUBLIC_KEY_SIZE]) {
-    let ((secret_as_ntt, _t_as_ntt, _a_transpose), public_key_serialized) =
-        generate_keypair_unpacked::<
-            K,
-            PUBLIC_KEY_SIZE,
-            RANKED_BYTES_PER_RING_ELEMENT,
-            ETA1,
-            ETA1_RANDOMNESS_SIZE,
-        >(key_generation_seed);
-
-    // sk := Encode_12(sˆ mod^{+}q)
-    let secret_key_serialized = serialize_secret_key(secret_as_ntt);
-
-    (secret_key_serialized, public_key_serialized)
-}
-
-/// Call [`compress_then_serialize_ring_element_u`] on each ring element.
-fn compress_then_serialize_u<
-    const K: usize,
-    const OUT_LEN: usize,
-    const COMPRESSION_FACTOR: usize,
-    const BLOCK_LEN: usize,
->(
-    input: [PolynomialRingElement; K],
-) -> [u8; OUT_LEN] {
-    let mut out = [0u8; OUT_LEN];
-    cloop! {
-        for (i, re) in input.into_iter().enumerate() {
-            out[i * (OUT_LEN / K)..(i + 1) * (OUT_LEN / K)].copy_from_slice(
-                &compress_then_serialize_ring_element_u::<COMPRESSION_FACTOR, BLOCK_LEN>(re),
-            );
-        }
-    }
-
-    out
-}
-
-/// This function implements <strong>Algorithm 13</strong> of the
-/// NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm.
-///
-/// Algorithm 13 is reproduced below:
-///
-/// ```plaintext
-/// Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}.
-/// Input: message m ∈ 𝔹^{32}.
-/// Input: encryption randomness r ∈ 𝔹^{32}.
-/// Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}.
-///
-/// N ← 0
-/// t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k])
-/// ρ ← ekₚₖₑ[384k: 384k + 32]
-/// for (i ← 0; i < k; i++)
-///     for(j ← 0; j < k; j++)
-///         Â[i,j] ← SampleNTT(XOF(ρ, i, j))
-///     end for
-/// end for
-/// for(i ← 0; i < k; i++)
-///     r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N))
-///     N ← N + 1
-/// end for
-/// for(i ← 0; i < k; i++)
-///     e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N))
-///     N ← N + 1
-/// end for
-/// e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N))
-/// r̂ ← NTT(r)
-/// u ← NTT-¹(Âᵀ ◦ r̂) + e₁
-/// μ ← Decompress₁(ByteDecode₁(m)))
-/// v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ
-/// c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u))
-/// c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v))
-/// return c ← (c₁ ‖ c₂)
-/// ```
-///
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-#[allow(non_snake_case)]
-pub(crate) fn encrypt_unpacked<
-    const K: usize,
-    const CIPHERTEXT_SIZE: usize,
-    const T_AS_NTT_ENCODED_SIZE: usize,
-    const C1_LEN: usize,
-    const C2_LEN: usize,
-    const U_COMPRESSION_FACTOR: usize,
-    const V_COMPRESSION_FACTOR: usize,
-    const BLOCK_LEN: usize,
-    const ETA1: usize,
-    const ETA1_RANDOMNESS_SIZE: usize,
-    const ETA2: usize,
-    const ETA2_RANDOMNESS_SIZE: usize,
->(
-    t_as_ntt: &[PolynomialRingElement; K],
-    a_transpose: &[[PolynomialRingElement; K]; K],
-    message: [u8; SHARED_SECRET_SIZE],
-    randomness: &[u8],
-) -> [u8; CIPHERTEXT_SIZE] {
-    // for i from 0 to k−1 do
-    //     r[i] := CBD{η1}(PRF(r, N))
-    //     N := N + 1
-    // end for
-    // rˆ := NTT(r)
-    let mut prf_input: [u8; 33] = into_padded_array(randomness);
-    let (r_as_ntt, mut domain_separator) =
-        sample_vector_cbd_then_ntt::<K, ETA1, ETA1_RANDOMNESS_SIZE>(prf_input, 0);
-
-    // for i from 0 to k−1 do
-    //     e1[i] := CBD_{η2}(PRF(r,N))
-    //     N := N + 1
-    // end for
-    let error_1 = sample_ring_element_cbd::<K, ETA2_RANDOMNESS_SIZE, ETA2>(
-        &mut prf_input,
-        &mut domain_separator,
-    );
-
-    // e_2 := CBD{η2}(PRF(r, N))
-    prf_input[32] = domain_separator;
-    let prf_output: [u8; ETA2_RANDOMNESS_SIZE] = PRF(&prf_input);
-    let error_2 = sample_from_binomial_distribution::<ETA2>(&prf_output);
-
-    // u := NTT^{-1}(AˆT ◦ rˆ) + e_1
-    let u = compute_vector_u(&a_transpose, &r_as_ntt, &error_1);
-
-    // v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1)
-    let message_as_ring_element = deserialize_then_decompress_message(message);
-    let v = compute_ring_element_v(&t_as_ntt, &r_as_ntt, &error_2, &message_as_ring_element);
-
-    // c_1 := Encode_{du}(Compress_q(u,d_u))
-    let c1 = compress_then_serialize_u::<K, C1_LEN, U_COMPRESSION_FACTOR, BLOCK_LEN>(u);
-
-    // c_2 := Encode_{dv}(Compress_q(v,d_v))
-    let c2 = compress_then_serialize_ring_element_v::<V_COMPRESSION_FACTOR, C2_LEN>(v);
-
-    let mut ciphertext: [u8; CIPHERTEXT_SIZE] = into_padded_array(&c1);
-    ciphertext[C1_LEN..].copy_from_slice(c2.as_slice());
-
-    ciphertext
-}
-
-#[allow(non_snake_case)]
-pub(crate) fn encrypt<
-    const K: usize,
-    const CIPHERTEXT_SIZE: usize,
-    const T_AS_NTT_ENCODED_SIZE: usize,
-    const C1_LEN: usize,
-    const C2_LEN: usize,
-    const U_COMPRESSION_FACTOR: usize,
-    const V_COMPRESSION_FACTOR: usize,
-    const BLOCK_LEN: usize,
-    const ETA1: usize,
-    const ETA1_RANDOMNESS_SIZE: usize,
-    const ETA2: usize,
-    const ETA2_RANDOMNESS_SIZE: usize,
->(
-    public_key: &[u8],
-    message: [u8; SHARED_SECRET_SIZE],
-    randomness: &[u8],
-) -> [u8; CIPHERTEXT_SIZE] {
-    // tˆ := Decode_12(pk)
-    let t_as_ntt = deserialize_ring_elements_reduced::<T_AS_NTT_ENCODED_SIZE, K>(
-        &public_key[..T_AS_NTT_ENCODED_SIZE],
-    );
-
-    // ρ := pk + 12·k·n / 8
-    // for i from 0 to k−1 do
-    //     for j from 0 to k − 1 do
-    //         AˆT[i][j] := Parse(XOF(ρ, i, j))
-    //     end for
-    // end for
-    let seed = &public_key[T_AS_NTT_ENCODED_SIZE..];
-    // ρ := pk + 12·k·n / 8
-    // for i from 0 to k−1 do
-    //     for j from 0 to k − 1 do
-    //         AˆT[i][j] := Parse(XOF(ρ, i, j))
-    //     end for
-    // end for
-    let a_transpose = sample_matrix_A(into_padded_array(seed), false);
-
-    encrypt_unpacked::<
-        K,
-        CIPHERTEXT_SIZE,
-        T_AS_NTT_ENCODED_SIZE,
-        C1_LEN,
-        C2_LEN,
-        U_COMPRESSION_FACTOR,
-        V_COMPRESSION_FACTOR,
-        BLOCK_LEN,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-    >(&t_as_ntt, &a_transpose, message, randomness)
-}
-
-/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element
-/// in the `ciphertext`.
-#[inline(always)]
-fn deserialize_then_decompress_u<
-    const K: usize,
-    const CIPHERTEXT_SIZE: usize,
-    const U_COMPRESSION_FACTOR: usize,
->(
-    ciphertext: &[u8; CIPHERTEXT_SIZE],
-) -> [PolynomialRingElement; K] {
-    let mut u_as_ntt = [PolynomialRingElement::ZERO; K];
-    cloop! {
-        for (i, u_bytes) in ciphertext
-            .chunks_exact((COEFFICIENTS_IN_RING_ELEMENT * U_COMPRESSION_FACTOR) / 8)
-            .enumerate()
-        {
-            let u = deserialize_then_decompress_ring_element_u::<U_COMPRESSION_FACTOR>(u_bytes);
-            u_as_ntt[i] = ntt_vector_u::<U_COMPRESSION_FACTOR>(u);
-        }
-    }
-    u_as_ntt
-}
-
-/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element.
-#[inline(always)]
-fn deserialize_secret_key<const K: usize>(secret_key: &[u8]) -> [PolynomialRingElement; K] {
-    let mut secret_as_ntt = [PolynomialRingElement::ZERO; K];
-    cloop! {
-        for (i, secret_bytes) in secret_key.chunks_exact(BYTES_PER_RING_ELEMENT).enumerate() {
-            secret_as_ntt[i] = deserialize_to_uncompressed_ring_element(secret_bytes);
-        }
-    }
-    secret_as_ntt
-}
-
-/// This function implements <strong>Algorithm 14</strong> of the
-/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm.
-///
-/// Algorithm 14 is reproduced below:
-///
-/// ```plaintext
-/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}.
-/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}.
-/// Output: message m ∈ 𝔹^{32}.
-///
-/// c₁ ← c[0 : 32dᵤk]
-/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)]
-/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁))
-/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂))
-/// ŝ ← ByteDecode₁₂(dkₚₖₑ)
-/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u))
-/// m ← ByteEncode₁(Compress₁(w))
-/// return m
-/// ```
-///
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-#[allow(non_snake_case)]
-pub(super) fn decrypt_unpacked<
-    const K: usize,
-    const CIPHERTEXT_SIZE: usize,
-    const VECTOR_U_ENCODED_SIZE: usize,
-    const U_COMPRESSION_FACTOR: usize,
-    const V_COMPRESSION_FACTOR: usize,
->(
-    secret_as_ntt: &[PolynomialRingElement; K],
-    ciphertext: &[u8; CIPHERTEXT_SIZE],
-) -> [u8; SHARED_SECRET_SIZE] {
-    // u := Decompress_q(Decode_{d_u}(c), d_u)
-    let u_as_ntt =
-        deserialize_then_decompress_u::<K, CIPHERTEXT_SIZE, U_COMPRESSION_FACTOR>(ciphertext);
-
-    // v := Decompress_q(Decode_{d_v}(c + d_u·k·n / 8), d_v)
-    let v = deserialize_then_decompress_ring_element_v::<V_COMPRESSION_FACTOR>(
-        &ciphertext[VECTOR_U_ENCODED_SIZE..],
-    );
-
-    // m := Encode_1(Compress_q(v − NTT^{−1}(sˆT ◦ NTT(u)) , 1))
-    let message = compute_message(&v, &secret_as_ntt, &u_as_ntt);
-    compress_then_serialize_message(message)
-}
-
-#[allow(non_snake_case)]
-pub(super) fn decrypt<
-    const K: usize,
-    const CIPHERTEXT_SIZE: usize,
-    const VECTOR_U_ENCODED_SIZE: usize,
-    const U_COMPRESSION_FACTOR: usize,
-    const V_COMPRESSION_FACTOR: usize,
->(
-    secret_key: &[u8],
-    ciphertext: &[u8; CIPHERTEXT_SIZE],
-) -> [u8; SHARED_SECRET_SIZE] {
-    // sˆ := Decode_12(sk)
-    let secret_as_ntt = deserialize_secret_key::<K>(secret_key);
-
-    decrypt_unpacked::<
-        K,
-        CIPHERTEXT_SIZE,
-        VECTOR_U_ENCODED_SIZE,
-        U_COMPRESSION_FACTOR,
-        V_COMPRESSION_FACTOR,
-    >(&secret_as_ntt, ciphertext)
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/kyber1024.rs b/libcrux-ml-kem/src/kem/kyber/kyber1024.rs
deleted file mode 100644
index 41bfff6ed..000000000
--- a/libcrux-ml-kem/src/kem/kyber/kyber1024.rs
+++ /dev/null
@@ -1,171 +0,0 @@
-use super::{constants::*, *};
-
-// Kyber 1024 parameters
-const RANK_1024: usize = 4;
-const RANKED_BYTES_PER_RING_ELEMENT_1024: usize = RANK_1024 * BITS_PER_RING_ELEMENT / 8;
-const T_AS_NTT_ENCODED_SIZE_1024: usize =
-    (RANK_1024 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8;
-const VECTOR_U_COMPRESSION_FACTOR_1024: usize = 11;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// block_len::<VECTOR_U_COMPRESSION_FACTOR_1024>();
-const C1_BLOCK_SIZE_1024: usize =
-    (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_1024) / 8;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// serialized_len::<RANK_1024, C1_BLOCK_SIZE_1024>();
-const C1_SIZE_1024: usize = C1_BLOCK_SIZE_1024 * RANK_1024;
-const VECTOR_V_COMPRESSION_FACTOR_1024: usize = 5;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// block_len::<VECTOR_V_COMPRESSION_FACTOR_1024>()
-const C2_SIZE_1024: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_1024) / 8;
-const CPA_PKE_SECRET_KEY_SIZE_1024: usize =
-    (RANK_1024 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8;
-const CPA_PKE_PUBLIC_KEY_SIZE_1024: usize = T_AS_NTT_ENCODED_SIZE_1024 + 32;
-const CPA_PKE_CIPHERTEXT_SIZE_1024: usize = C1_SIZE_1024 + C2_SIZE_1024;
-const SECRET_KEY_SIZE_1024: usize = CPA_PKE_SECRET_KEY_SIZE_1024
-    + CPA_PKE_PUBLIC_KEY_SIZE_1024
-    + H_DIGEST_SIZE
-    + SHARED_SECRET_SIZE;
-
-const ETA1: usize = 2;
-const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64;
-const ETA2: usize = 2;
-const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64;
-
-const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE_1024;
-
-// Kyber 1024 types
-/// An ML-KEM 1024 Ciphertext
-pub type MlKem1024Ciphertext = MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_1024>;
-/// An ML-KEM 1024 Private key
-pub type MlKem1024PrivateKey = MlKemPrivateKey<SECRET_KEY_SIZE_1024>;
-/// An ML-KEM 1024 Public key
-pub type MlKem1024PublicKey = MlKemPublicKey<CPA_PKE_PUBLIC_KEY_SIZE_1024>;
-
-/// Validate a public key.
-///
-/// Returns `true` if valid, and `false` otherwise.
-pub fn validate_public_key(public_key: &MlKem1024PublicKey) -> bool {
-    super::validate_public_key::<
-        RANK_1024,
-        RANKED_BYTES_PER_RING_ELEMENT_1024,
-        CPA_PKE_PUBLIC_KEY_SIZE_1024,
-    >(&public_key.value)
-}
-
-/// Generate ML-KEM 1024 Key Pair
-///
-/// Generate an ML-KEM key pair. The input is a byte array of size
-/// [`crate::KEY_GENERATION_SEED_SIZE`].
-pub fn generate_key_pair(
-    randomness: [u8; KEY_GENERATION_SEED_SIZE],
-) -> MlKemKeyPair<SECRET_KEY_SIZE_1024, CPA_PKE_PUBLIC_KEY_SIZE_1024> {
-    generate_keypair::<
-        RANK_1024,
-        CPA_PKE_SECRET_KEY_SIZE_1024,
-        SECRET_KEY_SIZE_1024,
-        CPA_PKE_PUBLIC_KEY_SIZE_1024,
-        RANKED_BYTES_PER_RING_ELEMENT_1024,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-    >(randomness)
-}
-
-#[allow(unused)]
-pub(crate) type MlKem1024State = MlKemState<RANK_1024>;
-
-#[allow(unused)]
-pub(crate) fn generate_key_pair_unpacked(
-    randomness: [u8; KEY_GENERATION_SEED_SIZE],
-) -> (MlKem1024State, MlKem1024PublicKey) {
-    generate_keypair_unpacked::<
-        RANK_1024,
-        CPA_PKE_SECRET_KEY_SIZE_1024,
-        SECRET_KEY_SIZE_1024,
-        CPA_PKE_PUBLIC_KEY_SIZE_1024,
-        RANKED_BYTES_PER_RING_ELEMENT_1024,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-    >(randomness)
-}
-
-/// Encapsulate ML-KEM 1024
-///
-/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an [`MlKem1024PublicKey`] and [`crate::SHARED_SECRET_SIZE`]
-/// bytes of `randomness`.
-pub fn encapsulate(
-    public_key: &MlKemPublicKey<CPA_PKE_PUBLIC_KEY_SIZE_1024>,
-    randomness: [u8; SHARED_SECRET_SIZE],
-) -> (
-    MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_1024>,
-    MlKemSharedSecret,
-) {
-    super::encapsulate::<
-        RANK_1024,
-        CPA_PKE_CIPHERTEXT_SIZE_1024,
-        CPA_PKE_PUBLIC_KEY_SIZE_1024,
-        T_AS_NTT_ENCODED_SIZE_1024,
-        C1_SIZE_1024,
-        C2_SIZE_1024,
-        VECTOR_U_COMPRESSION_FACTOR_1024,
-        VECTOR_V_COMPRESSION_FACTOR_1024,
-        C1_BLOCK_SIZE_1024,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-    >(public_key, randomness)
-}
-
-/// Decapsulate ML-KEM 1024
-///
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
-pub fn decapsulate(
-    secret_key: &MlKemPrivateKey<SECRET_KEY_SIZE_1024>,
-    ciphertext: &MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_1024>,
-) -> [u8; SHARED_SECRET_SIZE] {
-    super::decapsulate::<
-        RANK_1024,
-        SECRET_KEY_SIZE_1024,
-        CPA_PKE_SECRET_KEY_SIZE_1024,
-        CPA_PKE_PUBLIC_KEY_SIZE_1024,
-        CPA_PKE_CIPHERTEXT_SIZE_1024,
-        T_AS_NTT_ENCODED_SIZE_1024,
-        C1_SIZE_1024,
-        C2_SIZE_1024,
-        VECTOR_U_COMPRESSION_FACTOR_1024,
-        VECTOR_V_COMPRESSION_FACTOR_1024,
-        C1_BLOCK_SIZE_1024,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-        IMPLICIT_REJECTION_HASH_INPUT_SIZE,
-    >(secret_key, ciphertext)
-}
-
-#[allow(unused)]
-pub(crate) fn decapsulate_unpacked(
-    state: &MlKem1024State,
-    ciphertext: &MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_1024>,
-) -> [u8; SHARED_SECRET_SIZE] {
-    super::decapsulate_unpacked::<
-        RANK_1024,
-        SECRET_KEY_SIZE_1024,
-        CPA_PKE_SECRET_KEY_SIZE_1024,
-        CPA_PKE_PUBLIC_KEY_SIZE_1024,
-        CPA_PKE_CIPHERTEXT_SIZE_1024,
-        T_AS_NTT_ENCODED_SIZE_1024,
-        C1_SIZE_1024,
-        C2_SIZE_1024,
-        VECTOR_U_COMPRESSION_FACTOR_1024,
-        VECTOR_V_COMPRESSION_FACTOR_1024,
-        C1_BLOCK_SIZE_1024,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-        IMPLICIT_REJECTION_HASH_INPUT_SIZE,
-    >(state, ciphertext)
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/kyber512.rs b/libcrux-ml-kem/src/kem/kyber/kyber512.rs
deleted file mode 100644
index 01968b5f2..000000000
--- a/libcrux-ml-kem/src/kem/kyber/kyber512.rs
+++ /dev/null
@@ -1,168 +0,0 @@
-use super::{constants::*, *};
-
-// Kyber 512 parameters
-const RANK_512: usize = 2;
-const RANKED_BYTES_PER_RING_ELEMENT_512: usize = RANK_512 * BITS_PER_RING_ELEMENT / 8;
-const T_AS_NTT_ENCODED_SIZE_512: usize =
-    (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8;
-const VECTOR_U_COMPRESSION_FACTOR_512: usize = 10;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// block_len::<VECTOR_U_COMPRESSION_FACTOR_512>()
-const C1_BLOCK_SIZE_512: usize =
-    (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_512) / 8;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// serialized_len::<RANK_512, C1_BLOCK_SIZE_512>()
-const C1_SIZE_512: usize = C1_BLOCK_SIZE_512 * RANK_512;
-const VECTOR_V_COMPRESSION_FACTOR_512: usize = 4;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// block_len::<VECTOR_V_COMPRESSION_FACTOR_512>()
-const C2_SIZE_512: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_512) / 8;
-const CPA_PKE_SECRET_KEY_SIZE_512: usize =
-    (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8;
-const CPA_PKE_PUBLIC_KEY_SIZE_512: usize = T_AS_NTT_ENCODED_SIZE_512 + 32;
-const CPA_PKE_CIPHERTEXT_SIZE_512: usize = C1_SIZE_512 + C2_SIZE_512;
-const SECRET_KEY_SIZE_512: usize =
-    CPA_PKE_SECRET_KEY_SIZE_512 + CPA_PKE_PUBLIC_KEY_SIZE_512 + H_DIGEST_SIZE + SHARED_SECRET_SIZE;
-
-const ETA1: usize = 3;
-const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64;
-const ETA2: usize = 2;
-const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64;
-
-const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE_512;
-
-// Kyber 512 types
-/// An ML-KEM 512 Ciphertext
-pub type MlKem512Ciphertext = MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_512>;
-/// An ML-KEM 512 Private key
-pub type MlKem512PrivateKey = MlKemPrivateKey<SECRET_KEY_SIZE_512>;
-/// An ML-KEM 512 Public key
-pub type MlKem512PublicKey = MlKemPublicKey<CPA_PKE_PUBLIC_KEY_SIZE_512>;
-
-/// Validate a public key.
-///
-/// Returns `true` if valid, and `false` otherwise.
-pub fn validate_public_key(public_key: &MlKem512PublicKey) -> bool {
-    super::validate_public_key::<
-        RANK_512,
-        RANKED_BYTES_PER_RING_ELEMENT_512,
-        CPA_PKE_PUBLIC_KEY_SIZE_512,
-    >(&public_key.value)
-}
-
-/// Generate ML-KEM 512 Key Pair
-///
-/// The input is a byte array of size
-/// [`crate::KEY_GENERATION_SEED_SIZE`].
-pub fn generate_key_pair(
-    randomness: [u8; KEY_GENERATION_SEED_SIZE],
-) -> MlKemKeyPair<SECRET_KEY_SIZE_512, CPA_PKE_PUBLIC_KEY_SIZE_512> {
-    generate_keypair::<
-        RANK_512,
-        CPA_PKE_SECRET_KEY_SIZE_512,
-        SECRET_KEY_SIZE_512,
-        CPA_PKE_PUBLIC_KEY_SIZE_512,
-        RANKED_BYTES_PER_RING_ELEMENT_512,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-    >(randomness)
-}
-
-#[allow(unused)]
-pub(crate) type MlKem512State = MlKemState<RANK_512>;
-
-#[allow(unused)]
-pub(crate) fn generate_key_pair_unpacked(
-    randomness: [u8; KEY_GENERATION_SEED_SIZE],
-) -> (MlKem512State, MlKem512PublicKey) {
-    generate_keypair_unpacked::<
-        RANK_512,
-        CPA_PKE_SECRET_KEY_SIZE_512,
-        SECRET_KEY_SIZE_512,
-        CPA_PKE_PUBLIC_KEY_SIZE_512,
-        RANKED_BYTES_PER_RING_ELEMENT_512,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-    >(randomness)
-}
-
-/// Encapsulate ML-KEM 512
-///
-/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an [`MlKem512PublicKey`] and [`crate::SHARED_SECRET_SIZE`]
-pub fn encapsulate(
-    public_key: &MlKemPublicKey<CPA_PKE_PUBLIC_KEY_SIZE_512>,
-    randomness: [u8; SHARED_SECRET_SIZE],
-) -> (
-    MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_512>,
-    MlKemSharedSecret,
-) {
-    super::encapsulate::<
-        RANK_512,
-        CPA_PKE_CIPHERTEXT_SIZE_512,
-        CPA_PKE_PUBLIC_KEY_SIZE_512,
-        T_AS_NTT_ENCODED_SIZE_512,
-        C1_SIZE_512,
-        C2_SIZE_512,
-        VECTOR_U_COMPRESSION_FACTOR_512,
-        VECTOR_V_COMPRESSION_FACTOR_512,
-        C1_BLOCK_SIZE_512,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-    >(public_key, randomness)
-}
-
-/// Decapsulate ML-KEM 512
-///
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
-pub fn decapsulate(
-    secret_key: &MlKemPrivateKey<SECRET_KEY_SIZE_512>,
-    ciphertext: &MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_512>,
-) -> [u8; SHARED_SECRET_SIZE] {
-    super::decapsulate::<
-        RANK_512,
-        SECRET_KEY_SIZE_512,
-        CPA_PKE_SECRET_KEY_SIZE_512,
-        CPA_PKE_PUBLIC_KEY_SIZE_512,
-        CPA_PKE_CIPHERTEXT_SIZE_512,
-        T_AS_NTT_ENCODED_SIZE_512,
-        C1_SIZE_512,
-        C2_SIZE_512,
-        VECTOR_U_COMPRESSION_FACTOR_512,
-        VECTOR_V_COMPRESSION_FACTOR_512,
-        C1_BLOCK_SIZE_512,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-        IMPLICIT_REJECTION_HASH_INPUT_SIZE,
-    >(secret_key, ciphertext)
-}
-
-#[allow(unused)]
-pub(crate) fn decapsulate_unpacked(
-    state: &MlKem512State,
-    ciphertext: &MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_512>,
-) -> [u8; SHARED_SECRET_SIZE] {
-    super::decapsulate_unpacked::<
-        RANK_512,
-        SECRET_KEY_SIZE_512,
-        CPA_PKE_SECRET_KEY_SIZE_512,
-        CPA_PKE_PUBLIC_KEY_SIZE_512,
-        CPA_PKE_CIPHERTEXT_SIZE_512,
-        T_AS_NTT_ENCODED_SIZE_512,
-        C1_SIZE_512,
-        C2_SIZE_512,
-        VECTOR_U_COMPRESSION_FACTOR_512,
-        VECTOR_V_COMPRESSION_FACTOR_512,
-        C1_BLOCK_SIZE_512,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-        IMPLICIT_REJECTION_HASH_INPUT_SIZE,
-    >(state, ciphertext)
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/kyber768.rs b/libcrux-ml-kem/src/kem/kyber/kyber768.rs
deleted file mode 100644
index 261582f59..000000000
--- a/libcrux-ml-kem/src/kem/kyber/kyber768.rs
+++ /dev/null
@@ -1,189 +0,0 @@
-use super::{constants::*, *};
-
-// Kyber 768 parameters
-const RANK_768: usize = 3;
-const RANKED_BYTES_PER_RING_ELEMENT_768: usize = RANK_768 * BITS_PER_RING_ELEMENT / 8;
-const T_AS_NTT_ENCODED_SIZE_768: usize =
-    (RANK_768 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8;
-const VECTOR_U_COMPRESSION_FACTOR_768: usize = 10;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// block_len::<VECTOR_U_COMPRESSION_FACTOR_768>()
-const C1_BLOCK_SIZE_768: usize =
-    (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_768) / 8;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-//  serialized_len::<RANK_768, C1_BLOCK_SIZE_768>();
-const C1_SIZE_768: usize = C1_BLOCK_SIZE_768 * RANK_768;
-const VECTOR_V_COMPRESSION_FACTOR_768: usize = 4;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-//  block_len::<VECTOR_V_COMPRESSION_FACTOR_768>()
-const C2_SIZE_768: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_768) / 8;
-const CPA_PKE_SECRET_KEY_SIZE_768: usize =
-    (RANK_768 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8;
-const CPA_PKE_PUBLIC_KEY_SIZE_768: usize = T_AS_NTT_ENCODED_SIZE_768 + 32;
-// These two are used in the hybrid kem. This could probably be improved.
-pub(crate) const CPA_PKE_CIPHERTEXT_SIZE_768: usize = C1_SIZE_768 + C2_SIZE_768;
-pub(crate) const SECRET_KEY_SIZE_768: usize =
-    CPA_PKE_SECRET_KEY_SIZE_768 + CPA_PKE_PUBLIC_KEY_SIZE_768 + H_DIGEST_SIZE + SHARED_SECRET_SIZE;
-
-const ETA1: usize = 2;
-const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64;
-const ETA2: usize = 2;
-const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64;
-
-const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE_768;
-
-// Kyber 768 types
-/// An ML-KEM 768 Ciphertext
-pub type MlKem768Ciphertext = MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_768>;
-/// An ML-KEM 768 Private key
-pub type MlKem768PrivateKey = MlKemPrivateKey<SECRET_KEY_SIZE_768>;
-/// An ML-KEM 768 Public key
-pub type MlKem768PublicKey = MlKemPublicKey<CPA_PKE_PUBLIC_KEY_SIZE_768>;
-
-/// Validate a public key.
-///
-/// Returns `true` if valid, and `false` otherwise.
-pub fn validate_public_key(public_key: &MlKem768PublicKey) -> bool {
-    super::validate_public_key::<
-        RANK_768,
-        RANKED_BYTES_PER_RING_ELEMENT_768,
-        CPA_PKE_PUBLIC_KEY_SIZE_768,
-    >(&public_key.value)
-}
-
-/// Generate ML-KEM 768 Key Pair
-///
-/// Generate an ML-KEM key pair. The input is a byte array of size
-/// [`crate::KEY_GENERATION_SEED_SIZE`].
-pub fn generate_key_pair(
-    randomness: [u8; KEY_GENERATION_SEED_SIZE],
-) -> MlKemKeyPair<SECRET_KEY_SIZE_768, CPA_PKE_PUBLIC_KEY_SIZE_768> {
-    generate_keypair::<
-        RANK_768,
-        CPA_PKE_SECRET_KEY_SIZE_768,
-        SECRET_KEY_SIZE_768,
-        CPA_PKE_PUBLIC_KEY_SIZE_768,
-        RANKED_BYTES_PER_RING_ELEMENT_768,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-    >(randomness)
-}
-
-#[allow(unused)]
-pub(crate) type MlKem768State = MlKemState<RANK_768>;
-
-#[allow(unused)]
-pub(crate) fn generate_key_pair_unpacked(
-    randomness: [u8; KEY_GENERATION_SEED_SIZE],
-) -> (MlKem768State, MlKem768PublicKey) {
-    generate_keypair_unpacked::<
-        RANK_768,
-        CPA_PKE_SECRET_KEY_SIZE_768,
-        SECRET_KEY_SIZE_768,
-        CPA_PKE_PUBLIC_KEY_SIZE_768,
-        RANKED_BYTES_PER_RING_ELEMENT_768,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-    >(randomness)
-}
-
-/// Encapsulate ML-KEM 768
-///
-/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an [`MlKem768PublicKey`] and [`crate::SHARED_SECRET_SIZE`]
-/// bytes of `randomness`.
-pub fn encapsulate(
-    public_key: &MlKemPublicKey<CPA_PKE_PUBLIC_KEY_SIZE_768>,
-    randomness: [u8; SHARED_SECRET_SIZE],
-) -> (
-    MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_768>,
-    MlKemSharedSecret,
-) {
-    super::encapsulate::<
-        RANK_768,
-        CPA_PKE_CIPHERTEXT_SIZE_768,
-        CPA_PKE_PUBLIC_KEY_SIZE_768,
-        T_AS_NTT_ENCODED_SIZE_768,
-        C1_SIZE_768,
-        C2_SIZE_768,
-        VECTOR_U_COMPRESSION_FACTOR_768,
-        VECTOR_V_COMPRESSION_FACTOR_768,
-        C1_BLOCK_SIZE_768,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-    >(public_key, randomness)
-}
-
-/// Decapsulate ML-KEM 768
-///
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
-pub fn decapsulate(
-    secret_key: &MlKemPrivateKey<SECRET_KEY_SIZE_768>,
-    ciphertext: &MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_768>,
-) -> [u8; SHARED_SECRET_SIZE] {
-    super::decapsulate::<
-        RANK_768,
-        SECRET_KEY_SIZE_768,
-        CPA_PKE_SECRET_KEY_SIZE_768,
-        CPA_PKE_PUBLIC_KEY_SIZE_768,
-        CPA_PKE_CIPHERTEXT_SIZE_768,
-        T_AS_NTT_ENCODED_SIZE_768,
-        C1_SIZE_768,
-        C2_SIZE_768,
-        VECTOR_U_COMPRESSION_FACTOR_768,
-        VECTOR_V_COMPRESSION_FACTOR_768,
-        C1_BLOCK_SIZE_768,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-        IMPLICIT_REJECTION_HASH_INPUT_SIZE,
-    >(secret_key, ciphertext)
-}
-
-#[allow(unused)]
-pub(crate) fn decapsulate_unpacked(
-    state: &MlKem768State,
-    ciphertext: &MlKemCiphertext<CPA_PKE_CIPHERTEXT_SIZE_768>,
-) -> [u8; SHARED_SECRET_SIZE] {
-    super::decapsulate_unpacked::<
-        RANK_768,
-        SECRET_KEY_SIZE_768,
-        CPA_PKE_SECRET_KEY_SIZE_768,
-        CPA_PKE_PUBLIC_KEY_SIZE_768,
-        CPA_PKE_CIPHERTEXT_SIZE_768,
-        T_AS_NTT_ENCODED_SIZE_768,
-        C1_SIZE_768,
-        C2_SIZE_768,
-        VECTOR_U_COMPRESSION_FACTOR_768,
-        VECTOR_V_COMPRESSION_FACTOR_768,
-        C1_BLOCK_SIZE_768,
-        ETA1,
-        ETA1_RANDOMNESS_SIZE,
-        ETA2,
-        ETA2_RANDOMNESS_SIZE,
-        IMPLICIT_REJECTION_HASH_INPUT_SIZE,
-    >(state, ciphertext)
-}
-
-#[cfg(test)]
-mod tests {
-    use rand::{rngs::OsRng, RngCore};
-
-    use super::{
-        kyber768::{generate_key_pair, validate_public_key},
-        KEY_GENERATION_SEED_SIZE,
-    };
-
-    #[test]
-    fn pk_validation() {
-        let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE];
-        OsRng.fill_bytes(&mut randomness);
-
-        let key_pair = generate_key_pair(randomness);
-        assert!(validate_public_key(&key_pair.pk));
-    }
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/matrix.rs b/libcrux-ml-kem/src/kem/kyber/matrix.rs
deleted file mode 100644
index 15f624e6d..000000000
--- a/libcrux-ml-kem/src/kem/kyber/matrix.rs
+++ /dev/null
@@ -1,158 +0,0 @@
-use super::{
-    arithmetic::{
-        add_to_ring_element, barrett_reduce, montgomery_reduce, to_standard_domain,
-        PolynomialRingElement,
-    },
-    constants::COEFFICIENTS_IN_RING_ELEMENT,
-    helper::cloop,
-    ntt::{invert_ntt_montgomery, ntt_multiply},
-    sampling::sample_from_xof,
-};
-
-#[inline(always)]
-#[allow(non_snake_case)]
-pub(in crate::kem::kyber) fn sample_matrix_A<const K: usize>(
-    seed: [u8; 34],
-    transpose: bool,
-) -> [[PolynomialRingElement; K]; K] {
-    let mut A_transpose = [[PolynomialRingElement::ZERO; K]; K];
-
-    for i in 0..K {
-        let mut seeds = [seed; K];
-        for j in 0..K {
-            seeds[j][32] = i as u8;
-            seeds[j][33] = j as u8;
-        }
-        let sampled = sample_from_xof(seeds);
-        for j in 0..K {
-            // A[i][j] = A_transpose[j][i]
-            if transpose {
-                A_transpose[j][i] = sampled[j];
-            } else {
-                A_transpose[i][j] = sampled[j];
-            }
-        }
-    }
-
-    A_transpose
-}
-
-/// The following functions compute various expressions involving
-/// vectors and matrices. The computation of these expressions has been
-/// abstracted away into these functions in order to save on loop iterations.
-
-/// Compute v − InverseNTT(sᵀ ◦ NTT(u))
-#[inline(always)]
-pub(in crate::kem::kyber) fn compute_message<const K: usize>(
-    v: &PolynomialRingElement,
-    secret_as_ntt: &[PolynomialRingElement; K],
-    u_as_ntt: &[PolynomialRingElement; K],
-) -> PolynomialRingElement {
-    let mut result = PolynomialRingElement::ZERO;
-
-    for i in 0..K {
-        let product = ntt_multiply(&secret_as_ntt[i], &u_as_ntt[i]);
-        result = add_to_ring_element::<K>(result, &product);
-    }
-
-    result = invert_ntt_montgomery::<K>(result);
-
-    for i in 0..COEFFICIENTS_IN_RING_ELEMENT {
-        let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441);
-        result.coefficients[i] = barrett_reduce(v.coefficients[i] - coefficient_normal_form);
-    }
-
-    result
-}
-
-/// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
-#[inline(always)]
-pub(in crate::kem::kyber) fn compute_ring_element_v<const K: usize>(
-    t_as_ntt: &[PolynomialRingElement; K],
-    r_as_ntt: &[PolynomialRingElement; K],
-    error_2: &PolynomialRingElement,
-    message: &PolynomialRingElement,
-) -> PolynomialRingElement {
-    let mut result = PolynomialRingElement::ZERO;
-
-    for i in 0..K {
-        let product = ntt_multiply(&t_as_ntt[i], &r_as_ntt[i]);
-        result = add_to_ring_element::<K>(result, &product);
-    }
-
-    result = invert_ntt_montgomery::<K>(result);
-
-    for i in 0..COEFFICIENTS_IN_RING_ELEMENT {
-        let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441);
-        result.coefficients[i] = barrett_reduce(
-            coefficient_normal_form + error_2.coefficients[i] + message.coefficients[i],
-        );
-    }
-
-    result
-}
-
-/// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
-#[inline(always)]
-pub(in crate::kem::kyber) fn compute_vector_u<const K: usize>(
-    a_as_ntt: &[[PolynomialRingElement; K]; K],
-    r_as_ntt: &[PolynomialRingElement; K],
-    error_1: &[PolynomialRingElement; K],
-) -> [PolynomialRingElement; K] {
-    let mut result = [PolynomialRingElement::ZERO; K];
-
-    cloop! {
-        for (i, row) in a_as_ntt.iter().enumerate() {
-            cloop! {
-                for (j, a_element) in row.iter().enumerate() {
-                    let product = ntt_multiply(a_element, &r_as_ntt[j]);
-                    result[i] = add_to_ring_element::<K>(result[i], &product);
-                }
-            }
-
-            result[i] = invert_ntt_montgomery::<K>(result[i]);
-
-            for j in 0..COEFFICIENTS_IN_RING_ELEMENT {
-                let coefficient_normal_form = montgomery_reduce(result[i].coefficients[j] * 1441);
-
-                result[i].coefficients[j] =
-                    barrett_reduce(coefficient_normal_form + error_1[i].coefficients[j]);
-            }
-        }
-    }
-
-    result
-}
-
-/// Compute  ◦ ŝ + ê
-#[inline(always)]
-#[allow(non_snake_case)]
-pub(in crate::kem::kyber) fn compute_As_plus_e<const K: usize>(
-    matrix_A: &[[PolynomialRingElement; K]; K],
-    s_as_ntt: &[PolynomialRingElement; K],
-    error_as_ntt: &[PolynomialRingElement; K],
-) -> [PolynomialRingElement; K] {
-    let mut result = [PolynomialRingElement::ZERO; K];
-
-    cloop! {
-        for (i, row) in matrix_A.iter().enumerate() {
-            cloop! {
-                for (j, matrix_element) in row.iter().enumerate() {
-                    let product = ntt_multiply(matrix_element, &s_as_ntt[j]);
-                    result[i] = add_to_ring_element::<K>(result[i], &product);
-                }
-            }
-
-            for j in 0..COEFFICIENTS_IN_RING_ELEMENT {
-                // The coefficients are of the form aR^{-1} mod q, which means
-                // calling to_montgomery_domain() on them should return a mod q.
-                let coefficient_normal_form = to_standard_domain(result[i].coefficients[j]);
-
-                result[i].coefficients[j] =
-                    barrett_reduce(coefficient_normal_form + error_as_ntt[i].coefficients[j])
-            }
-        }
-    }
-
-    result
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/ntt.rs b/libcrux-ml-kem/src/kem/kyber/ntt.rs
deleted file mode 100644
index 6d154211e..000000000
--- a/libcrux-ml-kem/src/kem/kyber/ntt.rs
+++ /dev/null
@@ -1,341 +0,0 @@
-use crate::hax_utils::hax_debug_assert;
-
-use super::{
-    arithmetic::{
-        barrett_reduce, montgomery_multiply_fe_by_fer, montgomery_reduce, FieldElement,
-        FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement,
-    },
-    constants::COEFFICIENTS_IN_RING_ELEMENT,
-};
-#[cfg(hax)]
-use crate::kem::kyber::constants::FIELD_MODULUS;
-
-const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [
-    -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468,
-    573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571,
-    1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469,
-    -853, -90, -271, 830, 107, -1421, -247, -951, -398, 961, -1508, -725, 448, -1065, 677, -1275,
-    -1103, 430, 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235, -291, -460, 1574, 1653, -246,
-    778, 1159, -147, -777, 1483, -602, 1119, -1590, 644, -872, 349, 418, 329, -156, -75, 817, 1097,
-    603, 610, 1322, -1285, -1465, 384, -1215, -136, 1218, -1335, -874, 220, -1187, -1659, -1185,
-    -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628,
-];
-
-/// Represents an intermediate polynomial splitting step in the NTT. All
-/// resulting coefficients are in the normal domain since the zetas have been
-/// multiplied by MONTGOMERY_R.
-#[inline(always)]
-fn ntt_at_layer(
-    zeta_i: &mut usize,
-    mut re: PolynomialRingElement,
-    layer: usize,
-    _initial_coefficient_bound: usize,
-) -> PolynomialRingElement {
-    let step = 1 << layer;
-
-    for round in 0..(128 >> layer) {
-        *zeta_i += 1;
-
-        let offset = round * step * 2;
-
-        for j in offset..offset + step {
-            let t = montgomery_multiply_fe_by_fer(
-                re.coefficients[j + step],
-                ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            );
-            re.coefficients[j + step] = re.coefficients[j] - t;
-            re.coefficients[j] = re.coefficients[j] + t;
-        }
-    }
-
-    hax_debug_assert!(re.coefficients.into_iter().all(|coefficient| {
-        coefficient.abs()
-            < _initial_coefficient_bound as i32 + ((8 - layer as i32) * ((3 * FIELD_MODULUS) / 2))
-    }));
-
-    re
-}
-
-/// See [`ntt_at_layer`].
-#[inline(always)]
-fn ntt_at_layer_3(
-    zeta_i: &mut usize,
-    re: PolynomialRingElement,
-    layer: usize,
-) -> PolynomialRingElement {
-    ntt_at_layer(zeta_i, re, layer, 3)
-}
-
-/// See [`ntt_at_layer`].
-#[inline(always)]
-fn ntt_at_layer_3328(
-    zeta_i: &mut usize,
-    re: PolynomialRingElement,
-    layer: usize,
-) -> PolynomialRingElement {
-    ntt_at_layer(zeta_i, re, layer, 3328)
-}
-
-/// Use the Cooley–Tukey butterfly to compute an in-place NTT representation
-/// of a `KyberPolynomialRingElement`.
-///
-/// This function operates only on those which were produced by binomial
-/// sampling, and thus those which have small coefficients. The small
-/// coefficients let us skip the first round of Montgomery reductions.
-#[cfg_attr(hax, hax_lib::requires(
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < re.coefficients.len(), || re.coefficients[i].abs() <= 3
-))))]
-#[cfg_attr(hax, hax_lib::ensures(|result|
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < result.coefficients.len(), ||
-            result.coefficients[i].abs() < FIELD_MODULUS
-))))]
-#[inline(always)]
-pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
-    mut re: PolynomialRingElement,
-) -> PolynomialRingElement {
-    hax_debug_assert!(re
-        .coefficients
-        .into_iter()
-        .all(|coefficient| coefficient.abs() <= 3));
-
-    // Due to the small coefficient bound, we can skip the first round of
-    // Montgomery reductions.
-    let mut zeta_i = 1;
-
-    for j in 0..128 {
-        // Multiply by the appropriate zeta in the normal domain.
-        let t = re.coefficients[j + 128] * -1600;
-
-        re.coefficients[j + 128] = re.coefficients[j] - t;
-        re.coefficients[j] = re.coefficients[j] + t;
-    }
-
-    hax_debug_assert!(re
-        .coefficients
-        .into_iter()
-        .all(|coefficient| { coefficient.abs() < 3 + ((3 * FIELD_MODULUS) / 2) }));
-
-    re = ntt_at_layer_3(&mut zeta_i, re, 6);
-    re = ntt_at_layer_3(&mut zeta_i, re, 5);
-    re = ntt_at_layer_3(&mut zeta_i, re, 4);
-    re = ntt_at_layer_3(&mut zeta_i, re, 3);
-    re = ntt_at_layer_3(&mut zeta_i, re, 2);
-    re = ntt_at_layer_3(&mut zeta_i, re, 1);
-
-    for i in 0..COEFFICIENTS_IN_RING_ELEMENT {
-        re.coefficients[i] = barrett_reduce(re.coefficients[i]);
-    }
-
-    re
-}
-
-/// Use the Cooley–Tukey butterfly to compute an in-place NTT representation
-/// of a `KyberPolynomialRingElement`.
-///
-/// This function operates on the ring element that partly constitutes
-/// the ciphertext.
-#[cfg_attr(hax, hax_lib::requires(
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < re.coefficients.len(), || re.coefficients[i].abs() <= 3328
-))))]
-#[cfg_attr(hax, hax_lib::ensures(|result|
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < result.coefficients.len(), ||
-            result.coefficients[i].abs() < FIELD_MODULUS
-))))]
-#[inline(always)]
-pub(in crate::kem::kyber) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usize>(
-    mut re: PolynomialRingElement,
-) -> PolynomialRingElement {
-    hax_debug_assert!(re
-        .coefficients
-        .into_iter()
-        .all(|coefficient| coefficient.abs() <= 3328));
-
-    let mut zeta_i = 0;
-
-    re = ntt_at_layer_3328(&mut zeta_i, re, 7);
-    re = ntt_at_layer_3328(&mut zeta_i, re, 6);
-    re = ntt_at_layer_3328(&mut zeta_i, re, 5);
-    re = ntt_at_layer_3328(&mut zeta_i, re, 4);
-    re = ntt_at_layer_3328(&mut zeta_i, re, 3);
-    re = ntt_at_layer_3328(&mut zeta_i, re, 2);
-    re = ntt_at_layer_3328(&mut zeta_i, re, 1);
-
-    for i in 0..COEFFICIENTS_IN_RING_ELEMENT {
-        re.coefficients[i] = barrett_reduce(re.coefficients[i]);
-    }
-
-    re
-}
-
-#[inline(always)]
-fn invert_ntt_at_layer(
-    zeta_i: &mut usize,
-    mut re: PolynomialRingElement,
-    layer: usize,
-) -> PolynomialRingElement {
-    let step = 1 << layer;
-
-    for round in 0..(128 >> layer) {
-        *zeta_i -= 1;
-
-        let offset = round * step * 2;
-
-        for j in offset..offset + step {
-            let a_minus_b = re.coefficients[j + step] - re.coefficients[j];
-
-            // Instead of dividing by 2 here, we just divide by
-            // 2^7 in one go in the end.
-            re.coefficients[j] = re.coefficients[j] + re.coefficients[j + step];
-            re.coefficients[j + step] =
-                montgomery_reduce(a_minus_b * ZETAS_TIMES_MONTGOMERY_R[*zeta_i]);
-        }
-    }
-
-    re
-}
-
-/// Use the Gentleman-Sande butterfly to invert, in-place, the NTT representation
-/// of a `KyberPolynomialRingElement`. The coefficients of the output
-/// ring element are in the Montgomery domain.
-#[inline(always)]
-pub(crate) fn invert_ntt_montgomery<const K: usize>(
-    mut re: PolynomialRingElement,
-) -> PolynomialRingElement {
-    // We only ever call this function after matrix/vector multiplication
-    hax_debug_assert!(re
-        .coefficients
-        .into_iter()
-        .all(|coefficient| coefficient.abs() < (K as i32) * FIELD_MODULUS));
-
-    let mut zeta_i = COEFFICIENTS_IN_RING_ELEMENT / 2;
-
-    re = invert_ntt_at_layer(&mut zeta_i, re, 1);
-    re = invert_ntt_at_layer(&mut zeta_i, re, 2);
-    re = invert_ntt_at_layer(&mut zeta_i, re, 3);
-    re = invert_ntt_at_layer(&mut zeta_i, re, 4);
-    re = invert_ntt_at_layer(&mut zeta_i, re, 5);
-    re = invert_ntt_at_layer(&mut zeta_i, re, 6);
-    re = invert_ntt_at_layer(&mut zeta_i, re, 7);
-
-    hax_debug_assert!(
-        re.coefficients[0].abs() < 128 * (K as i32) * FIELD_MODULUS
-            && re.coefficients[1].abs() < 128 * (K as i32) * FIELD_MODULUS
-    );
-    hax_debug_assert!(re
-        .coefficients
-        .into_iter()
-        .enumerate()
-        .skip(2)
-        .all(|(i, coefficient)| coefficient.abs() < (128 / (1 << i.ilog2())) * FIELD_MODULUS));
-
-    for i in 0..2 {
-        re.coefficients[i] = barrett_reduce(re.coefficients[i]);
-    }
-    re
-}
-
-/// Compute the product of two Kyber binomials with respect to the
-/// modulus `X² - zeta`.
-///
-/// This function almost implements <strong>Algorithm 11</strong> of the
-/// NIST FIPS 203 standard, which is reproduced below:
-///
-/// ```plaintext
-/// Input:  a₀, a₁, b₀, b₁ ∈ ℤq.
-/// Input: γ ∈ ℤq.
-/// Output: c₀, c₁ ∈ ℤq.
-///
-/// c₀ ← a₀·b₀ + a₁·b₁·γ
-/// c₁ ← a₀·b₁ + a₁·b₀
-/// return c₀, c₁
-/// ```
-/// We say "almost" because the coefficients output by this function are in
-/// the Montgomery domain (unlike in the specification).
-///
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-#[inline(always)]
-fn ntt_multiply_binomials(
-    (a0, a1): (FieldElement, FieldElement),
-    (b0, b1): (FieldElement, FieldElement),
-    zeta: FieldElementTimesMontgomeryR,
-) -> (MontgomeryFieldElement, MontgomeryFieldElement) {
-    (
-        montgomery_reduce(a0 * b0 + montgomery_reduce(a1 * b1) * zeta),
-        montgomery_reduce(a0 * b1 + a1 * b0),
-    )
-}
-
-/// Given two `KyberPolynomialRingElement`s in their NTT representations,
-/// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
-/// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
-///
-/// ```plaintext
-/// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1))
-/// ```
-///
-/// This function almost implements <strong>Algorithm 10</strong> of the
-/// NIST FIPS 203 standard, which is reproduced below:
-///
-/// ```plaintext
-/// Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
-/// Output: An array ĥ ∈ ℤq.
-///
-/// for(i ← 0; i < 128; i++)
-///     (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], ζ^(2·BitRev₇(i) + 1))
-/// end for
-/// return ĥ
-/// ```
-/// We say "almost" because the coefficients of the ring element output by
-/// this function are in the Montgomery domain.
-///
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-#[cfg_attr(hax, hax_lib::requires(
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < COEFFICIENTS_IN_RING_ELEMENT, ||
-            (lhs.coefficients[i] >= 0 && lhs.coefficients[i] < 4096) &&
-            (rhs.coefficients[i].abs() <= FIELD_MODULUS)
-
-))))]
-#[cfg_attr(hax, hax_lib::ensures(|result|
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < result.coefficients.len(), ||
-                result.coefficients[i].abs() <= FIELD_MODULUS
-))))]
-#[inline(always)]
-pub(crate) fn ntt_multiply(
-    lhs: &PolynomialRingElement,
-    rhs: &PolynomialRingElement,
-) -> PolynomialRingElement {
-    hax_debug_assert!(lhs
-        .coefficients
-        .into_iter()
-        .all(|coefficient| coefficient >= 0 && coefficient < 4096));
-
-    let mut out = PolynomialRingElement::ZERO;
-
-    for i in 0..(COEFFICIENTS_IN_RING_ELEMENT / 4) {
-        let product = ntt_multiply_binomials(
-            (lhs.coefficients[4 * i], lhs.coefficients[4 * i + 1]),
-            (rhs.coefficients[4 * i], rhs.coefficients[4 * i + 1]),
-            ZETAS_TIMES_MONTGOMERY_R[64 + i],
-        );
-        out.coefficients[4 * i] = product.0;
-        out.coefficients[4 * i + 1] = product.1;
-
-        let product = ntt_multiply_binomials(
-            (lhs.coefficients[4 * i + 2], lhs.coefficients[4 * i + 3]),
-            (rhs.coefficients[4 * i + 2], rhs.coefficients[4 * i + 3]),
-            -ZETAS_TIMES_MONTGOMERY_R[64 + i],
-        );
-        out.coefficients[4 * i + 2] = product.0;
-        out.coefficients[4 * i + 3] = product.1;
-    }
-
-    out
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/sampling.rs b/libcrux-ml-kem/src/kem/kyber/sampling.rs
deleted file mode 100644
index 64e74d517..000000000
--- a/libcrux-ml-kem/src/kem/kyber/sampling.rs
+++ /dev/null
@@ -1,240 +0,0 @@
-use super::{
-    arithmetic::{FieldElement, PolynomialRingElement},
-    constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
-    hash_functions::*,
-    helper::cloop,
-};
-use crate::hax_utils::hax_debug_assert;
-
-/// If `bytes` contains a set of uniformly random bytes, this function
-/// uniformly samples a ring element `â` that is treated as being the NTT representation
-/// of the corresponding polynomial `a`.
-///
-/// Since rejection sampling is used, it is possible the supplied bytes are
-/// not enough to sample the element, in which case an `Err` is returned and the
-/// caller must try again with a fresh set of bytes.
-///
-/// This function <strong>partially</strong> implements <strong>Algorithm 6</strong> of the NIST FIPS 203 standard,
-/// We say "partially" because this implementation only accepts a finite set of
-/// bytes as input and returns an error if the set is not enough; Algorithm 6 of
-/// the FIPS 203 standard on the other hand samples from an infinite stream of bytes
-/// until the ring element is filled. Algorithm 6 is reproduced below:
-///
-/// ```plaintext
-/// Input: byte stream B ∈ 𝔹*.
-/// Output: array â ∈ ℤ₂₅₆.
-///
-/// i ← 0
-/// j ← 0
-/// while j < 256 do
-///     d₁ ← B[i] + 256·(B[i+1] mod 16)
-///     d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2]
-///     if d₁ < q then
-///         â[j] ← d₁
-///         j ← j + 1
-///     end if
-///     if d₂ < q and j < 256 then
-///         â[j] ← d₂
-///         j ← j + 1
-///     end if
-///     i ← i + 3
-/// end while
-/// return â
-/// ```
-///
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-fn sample_from_uniform_distribution_next<const K: usize, const N: usize>(
-    randomness: [[u8; N]; K],
-    sampled_coefficients: &mut [usize; K],
-    out: &mut [PolynomialRingElement; K],
-) -> bool {
-    let mut done = true;
-    for i in 0..K {
-        for bytes in randomness[i].chunks(3) {
-            let b1 = bytes[0] as i32;
-            let b2 = bytes[1] as i32;
-            let b3 = bytes[2] as i32;
-
-            let d1 = ((b2 & 0xF) << 8) | b1;
-            let d2 = (b3 << 4) | (b2 >> 4);
-
-            if d1 < FIELD_MODULUS && sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT {
-                out[i].coefficients[sampled_coefficients[i]] = d1;
-                sampled_coefficients[i] += 1
-            }
-            if d2 < FIELD_MODULUS && sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT {
-                out[i].coefficients[sampled_coefficients[i]] = d2;
-                sampled_coefficients[i] += 1;
-            }
-        }
-        if sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT {
-            done = false
-        }
-    }
-    done
-}
-
-pub(super) fn sample_from_xof<const K: usize>(seeds: [[u8; 34]; K]) -> [PolynomialRingElement; K] {
-    let mut sampled_coefficients: [usize; K] = [0; K];
-    let mut out: [PolynomialRingElement; K] = [PolynomialRingElement::ZERO; K];
-
-    let mut xof_state = absorb(seeds);
-    let randomness = squeeze_three_blocks(&mut xof_state);
-
-    let mut done =
-        sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out);
-
-    // Requiring more than 5 blocks to sample a ring element should be very
-    // unlikely according to:
-    // https://eprint.iacr.org/2023/708.pdf
-    // To avoid failing here, we squeeze more blocks out of the state until
-    // we have enough.
-    while !done {
-        let randomness = squeeze_block(&mut xof_state);
-        done =
-            sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out);
-    }
-    // XXX: We have to manually free the state here due to a Eurydice issue.
-    free_state(xof_state);
-
-    out
-}
-
-/// Given a series of uniformly random bytes in `randomness`, for some number `eta`,
-/// the `sample_from_binomial_distribution_{eta}` functions sample
-/// a ring element from a binomial distribution centered at 0 that uses two sets
-/// of `eta` coin flips. If, for example,
-/// `eta = ETA`, each ring coefficient is a value `v` such
-/// such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and:
-///
-/// ```plaintext
-/// - If v < 0, Pr[v] = Pr[-v]
-/// - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA)
-/// ```
-///
-/// The values `v < 0` are mapped to the appropriate `KyberFieldElement`.
-///
-/// The expected value is:
-///
-/// ```plaintext
-/// E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + (ETA)Pr[ETA]
-///      = 0 since Pr[-v] = Pr[v] when v < 0.
-/// ```
-///
-/// And the variance is:
-///
-/// ```plaintext
-/// Var(X) = E[(X - E[X])^2]
-///        = E[X^2]
-///        = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2^(2 * ETA))
-///        = ETA / 2
-/// ```
-///
-/// This function implements <strong>Algorithm 7</strong> of the NIST FIPS 203 standard, which is
-/// reproduced below:
-///
-/// ```plaintext
-/// Input: byte array B ∈ 𝔹^{64η}.
-/// Output: array f ∈ ℤ₂₅₆.
-///
-/// b ← BytesToBits(B)
-/// for (i ← 0; i < 256; i++)
-///     x ← ∑(j=0 to η - 1) b[2iη + j]
-///     y ← ∑(j=0 to η - 1) b[2iη + η + j]
-///     f[i] ← x−y mod q
-/// end for
-/// return f
-/// ```
-///
-/// The NIST FIPS 203 standard can be found at
-/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-#[cfg_attr(hax, hax_lib::requires(randomness.len() == 2 * 64))]
-#[cfg_attr(hax, hax_lib::ensures(|result|
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 2
-))))]
-fn sample_from_binomial_distribution_2(randomness: &[u8]) -> PolynomialRingElement {
-    let mut sampled: PolynomialRingElement = PolynomialRingElement::ZERO;
-
-    cloop! {
-        for (chunk_number, byte_chunk) in randomness.chunks_exact(4).enumerate() {
-            let random_bits_as_u32: u32 = (byte_chunk[0] as u32)
-                | (byte_chunk[1] as u32) << 8
-                | (byte_chunk[2] as u32) << 16
-                | (byte_chunk[3] as u32) << 24;
-
-            let even_bits = random_bits_as_u32 & 0x55555555;
-            let odd_bits = (random_bits_as_u32 >> 1) & 0x55555555;
-
-            let coin_toss_outcomes = even_bits + odd_bits;
-
-            cloop! {
-                for outcome_set in (0..u32::BITS).step_by(4) {
-                    let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as FieldElement;
-                    let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as FieldElement;
-
-                    let offset = (outcome_set >> 2) as usize;
-                    sampled.coefficients[8 * chunk_number + offset] = outcome_1 - outcome_2;
-                }
-            }
-        }
-    }
-
-    hax_debug_assert!(sampled
-        .coefficients
-        .into_iter()
-        .all(|coefficient| coefficient >= -2 && coefficient <= 2));
-    sampled
-}
-
-#[cfg_attr(hax, hax_lib::requires(randomness.len() == 3 * 64))]
-#[cfg_attr(hax, hax_lib::ensures(|result|
-    hax_lib::forall(|i:usize|
-        hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 3
-))))]
-fn sample_from_binomial_distribution_3(randomness: &[u8]) -> PolynomialRingElement {
-    let mut sampled: PolynomialRingElement = PolynomialRingElement::ZERO;
-
-    cloop! {
-        for (chunk_number, byte_chunk) in randomness.chunks_exact(3).enumerate() {
-            let random_bits_as_u24: u32 =
-                (byte_chunk[0] as u32) | (byte_chunk[1] as u32) << 8 | (byte_chunk[2] as u32) << 16;
-
-            let first_bits = random_bits_as_u24 & 0x00249249;
-            let second_bits = (random_bits_as_u24 >> 1) & 0x00249249;
-            let third_bits = (random_bits_as_u24 >> 2) & 0x00249249;
-
-            let coin_toss_outcomes = first_bits + second_bits + third_bits;
-
-            cloop! {
-                for outcome_set in (0..24).step_by(6) {
-                    let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as FieldElement;
-                    let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as FieldElement;
-
-                    let offset = (outcome_set / 6) as usize;
-                    sampled.coefficients[4 * chunk_number + offset] = outcome_1 - outcome_2;
-                }
-            }
-        }
-    }
-
-    hax_debug_assert!(sampled
-        .coefficients
-        .into_iter()
-        .all(|coefficient| coefficient >= -3 && coefficient <= 3));
-    sampled
-}
-
-#[inline(always)]
-pub(super) fn sample_from_binomial_distribution<const ETA: usize>(
-    randomness: &[u8],
-) -> PolynomialRingElement {
-    hax_debug_assert!(randomness.len() == ETA * 64);
-
-    match ETA as u32 {
-        2 => sample_from_binomial_distribution_2(randomness),
-        3 => sample_from_binomial_distribution_3(randomness),
-        _ => unreachable!(),
-    }
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/serialize.rs b/libcrux-ml-kem/src/kem/kyber/serialize.rs
deleted file mode 100644
index 6943b8164..000000000
--- a/libcrux-ml-kem/src/kem/kyber/serialize.rs
+++ /dev/null
@@ -1,623 +0,0 @@
-use super::{
-    arithmetic::{to_unsigned_representative, FieldElement, PolynomialRingElement},
-    compress::{
-        compress_ciphertext_coefficient, compress_message_coefficient,
-        decompress_ciphertext_coefficient, decompress_message_coefficient,
-    },
-    constants::{BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE},
-    helper::cloop,
-};
-use crate::hax_utils::hax_debug_assert;
-
-#[inline(always)]
-pub(super) fn compress_then_serialize_message(
-    re: PolynomialRingElement,
-) -> [u8; SHARED_SECRET_SIZE] {
-    let mut serialized = [0u8; SHARED_SECRET_SIZE];
-
-    cloop! {
-        for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() {
-            cloop! {
-                for (j, coefficient) in coefficients.iter().enumerate() {
-                    let coefficient = to_unsigned_representative(*coefficient);
-
-                    let coefficient_compressed = compress_message_coefficient(coefficient);
-
-                    serialized[i] |= coefficient_compressed << j
-                }
-            }
-        }
-    }
-
-    serialized
-}
-#[inline(always)]
-pub(super) fn deserialize_then_decompress_message(
-    serialized: [u8; SHARED_SECRET_SIZE],
-) -> PolynomialRingElement {
-    let mut re = PolynomialRingElement::ZERO;
-
-    cloop! {
-        for (i, byte) in serialized.into_iter().enumerate() {
-            for j in 0..8 {
-                let coefficient_compressed = ((byte >> j) & 0x1) as FieldElement;
-                re.coefficients[8 * i + j] = decompress_message_coefficient(coefficient_compressed);
-            }
-        }
-    }
-
-    re
-}
-
-#[inline(always)]
-pub(super) fn serialize_uncompressed_ring_element(
-    re: PolynomialRingElement,
-) -> [u8; BYTES_PER_RING_ELEMENT] {
-    let mut serialized = [0u8; BYTES_PER_RING_ELEMENT];
-
-    cloop! {
-        for (i, coefficients) in re.coefficients.chunks_exact(2).enumerate() {
-            let coefficient1 = to_unsigned_representative(coefficients[0]);
-            let coefficient2 = to_unsigned_representative(coefficients[1]);
-
-            let (coef1, coef2, coef3) = compress_coefficients_3(coefficient1, coefficient2);
-            serialized[3 * i] = coef1;
-            serialized[3 * i + 1] = coef2;
-            serialized[3 * i + 2] = coef3;
-        }
-    }
-
-    serialized
-}
-
-#[inline(always)]
-fn compress_coefficients_3(coefficient1: u16, coefficient2: u16) -> (u8, u8, u8) {
-    let coef1 = (coefficient1 & 0xFF) as u8;
-    let coef2 = ((coefficient1 >> 8) | ((coefficient2 & 0x0F) << 4)) as u8;
-    let coef3 = ((coefficient2 >> 4) & 0xFF) as u8;
-    (coef1, coef2, coef3)
-}
-
-#[inline(always)]
-pub(super) fn deserialize_to_uncompressed_ring_element(serialized: &[u8]) -> PolynomialRingElement {
-    hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT);
-
-    let mut re = PolynomialRingElement::ZERO;
-
-    cloop! {
-        for (i, bytes) in serialized.chunks_exact(3).enumerate() {
-            let byte1 = bytes[0] as FieldElement;
-            let byte2 = bytes[1] as FieldElement;
-            let byte3 = bytes[2] as FieldElement;
-
-            re.coefficients[2 * i] = (byte2 & 0x0F) << 8 | (byte1 & 0xFF);
-            re.coefficients[2 * i + 1] = (byte3 << 4) | ((byte2 >> 4) & 0x0F);
-        }
-    }
-
-    re
-}
-
-/// Only use with public values.
-///
-/// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`.
-#[inline(always)]
-fn deserialize_to_reduced_ring_element(ring_element: &[u8]) -> PolynomialRingElement {
-    hax_debug_assert!(ring_element.len() == BYTES_PER_RING_ELEMENT);
-
-    let mut re = PolynomialRingElement::ZERO;
-
-    cloop! {
-        for (i, bytes) in ring_element.chunks_exact(3).enumerate() {
-            let byte1 = bytes[0] as FieldElement;
-            let byte2 = bytes[1] as FieldElement;
-            let byte3 = bytes[2] as FieldElement;
-
-            // The modulus here is ok because the input must be public.
-            // XXX: The awkward code here is necessary to work around Charon shortcomings.
-            re.coefficients[2 * i] = (byte2 & 0x0F) << 8 | (byte1 & 0xFF);
-            let tmp = re.coefficients[2 * i] % 3329; // FIELD_MODULUS
-            re.coefficients[2 * i] = tmp;
-
-            re.coefficients[2 * i + 1] = (byte3 << 4) | ((byte2 >> 4) & 0x0F);
-            let tmp = re.coefficients[2 * i + 1] % 3329; // FIELD_MODULUS
-            re.coefficients[2 * i + 1] = tmp;
-        }
-    }
-
-    re
-}
-
-/// This function deserializes ring elements and reduces the result by the field
-/// modulus.
-///
-/// This function MUST NOT be used on secret inputs.
-#[inline(always)]
-pub(super) fn deserialize_ring_elements_reduced<const PUBLIC_KEY_SIZE: usize, const K: usize>(
-    public_key: &[u8],
-) -> [PolynomialRingElement; K] {
-    let mut deserialized_pk = [PolynomialRingElement::ZERO; K];
-    cloop! {
-        for (i, ring_element) in public_key
-            .chunks_exact(BYTES_PER_RING_ELEMENT)
-            .enumerate()
-        {
-            deserialized_pk[i] =deserialize_to_reduced_ring_element(ring_element);
-        }
-    }
-    deserialized_pk
-}
-
-#[inline(always)]
-fn compress_then_serialize_10<const OUT_LEN: usize>(re: PolynomialRingElement) -> [u8; OUT_LEN] {
-    let mut serialized = [0u8; OUT_LEN];
-
-    cloop! {
-        for (i, coefficients) in re.coefficients.chunks_exact(4).enumerate() {
-            let coefficient1 =
-                compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[0]));
-            let coefficient2 =
-                compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[1]));
-            let coefficient3 =
-                compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[2]));
-            let coefficient4 =
-                compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[3]));
-
-            let (coef1, coef2, coef3, coef4, coef5) =
-                compress_coefficients_10(coefficient1, coefficient2, coefficient3, coefficient4);
-            serialized[5 * i] = coef1;
-            serialized[5 * i + 1] = coef2;
-            serialized[5 * i + 2] = coef3;
-            serialized[5 * i + 3] = coef4;
-            serialized[5 * i + 4] = coef5;
-        }
-    }
-
-    serialized
-}
-
-#[inline(always)]
-fn compress_coefficients_10(
-    coefficient1: i32,
-    coefficient2: i32,
-    coefficient3: i32,
-    coefficient4: i32,
-) -> (u8, u8, u8, u8, u8) {
-    let coef1 = (coefficient1 & 0xFF) as u8;
-    let coef2 = ((coefficient2 & 0x3F) as u8) << 2 | ((coefficient1 >> 8) & 0x03) as u8;
-    let coef3 = ((coefficient3 & 0x0F) as u8) << 4 | ((coefficient2 >> 6) & 0x0F) as u8;
-    let coef4 = ((coefficient4 & 0x03) as u8) << 6 | ((coefficient3 >> 4) & 0x3F) as u8;
-    let coef5 = ((coefficient4 >> 2) & 0xFF) as u8;
-    (coef1, coef2, coef3, coef4, coef5)
-}
-
-#[inline(always)]
-fn compress_then_serialize_11<const OUT_LEN: usize>(re: PolynomialRingElement) -> [u8; OUT_LEN] {
-    let mut serialized = [0u8; OUT_LEN];
-
-    cloop! {
-        for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() {
-            let coefficient1 =
-                compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[0]));
-            let coefficient2 =
-                compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[1]));
-            let coefficient3 =
-                compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[2]));
-            let coefficient4 =
-                compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[3]));
-            let coefficient5 =
-                compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[4]));
-            let coefficient6 =
-                compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[5]));
-            let coefficient7 =
-                compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[6]));
-            let coefficient8 =
-                compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[7]));
-
-            let (coef1, coef2, coef3, coef4, coef5, coef6, coef7, coef8, coef9, coef10, coef11) =
-                compress_coefficients_11(
-                    coefficient1,
-                    coefficient2,
-                    coefficient3,
-                    coefficient4,
-                    coefficient5,
-                    coefficient6,
-                    coefficient7,
-                    coefficient8,
-                );
-            serialized[11 * i] = coef1;
-            serialized[11 * i + 1] = coef2;
-            serialized[11 * i + 2] = coef3;
-            serialized[11 * i + 3] = coef4;
-            serialized[11 * i + 4] = coef5;
-            serialized[11 * i + 5] = coef6;
-            serialized[11 * i + 6] = coef7;
-            serialized[11 * i + 7] = coef8;
-            serialized[11 * i + 8] = coef9;
-            serialized[11 * i + 9] = coef10;
-            serialized[11 * i + 10] = coef11;
-        }
-    }
-
-    serialized
-}
-
-#[inline(always)]
-fn compress_coefficients_11(
-    coefficient1: i32,
-    coefficient2: i32,
-    coefficient3: i32,
-    coefficient4: i32,
-    coefficient5: i32,
-    coefficient6: i32,
-    coefficient7: i32,
-    coefficient8: i32,
-) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8) {
-    let coef1 = coefficient1 as u8;
-    let coef2 = ((coefficient2 & 0x1F) as u8) << 3 | ((coefficient1 >> 8) as u8);
-    let coef3 = ((coefficient3 & 0x3) as u8) << 6 | ((coefficient2 >> 5) as u8);
-    let coef4 = ((coefficient3 >> 2) & 0xFF) as u8;
-    let coef5 = ((coefficient4 & 0x7F) as u8) << 1 | (coefficient3 >> 10) as u8;
-    let coef6 = ((coefficient5 & 0xF) as u8) << 4 | (coefficient4 >> 7) as u8;
-    let coef7 = ((coefficient6 & 0x1) as u8) << 7 | (coefficient5 >> 4) as u8;
-    let coef8 = ((coefficient6 >> 1) & 0xFF) as u8;
-    let coef9 = ((coefficient7 & 0x3F) as u8) << 2 | (coefficient6 >> 9) as u8;
-    let coef10 = ((coefficient8 & 0x7) as u8) << 5 | (coefficient7 >> 6) as u8;
-    let coef11 = (coefficient8 >> 3) as u8;
-    (
-        coef1, coef2, coef3, coef4, coef5, coef6, coef7, coef8, coef9, coef10, coef11,
-    )
-}
-#[inline(always)]
-pub(super) fn compress_then_serialize_ring_element_u<
-    const COMPRESSION_FACTOR: usize,
-    const OUT_LEN: usize,
->(
-    re: PolynomialRingElement,
-) -> [u8; OUT_LEN] {
-    hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN);
-
-    match COMPRESSION_FACTOR as u32 {
-        10 => compress_then_serialize_10(re),
-        11 => compress_then_serialize_11(re),
-        _ => unreachable!(),
-    }
-}
-
-#[inline(always)]
-fn compress_then_serialize_4<const OUT_LEN: usize>(re: PolynomialRingElement) -> [u8; OUT_LEN] {
-    let mut serialized = [0u8; OUT_LEN];
-
-    cloop! {
-        for (i, coefficients) in re.coefficients.chunks_exact(2).enumerate() {
-            let coefficient1 =
-                compress_ciphertext_coefficient(4, to_unsigned_representative(coefficients[0])) as u8;
-            let coefficient2 =
-                compress_ciphertext_coefficient(4, to_unsigned_representative(coefficients[1])) as u8;
-
-            serialized[i] = (coefficient2 << 4) | coefficient1;
-        }
-    }
-
-    serialized
-}
-
-#[inline(always)]
-fn compress_then_serialize_5<const OUT_LEN: usize>(re: PolynomialRingElement) -> [u8; OUT_LEN] {
-    let mut serialized = [0u8; OUT_LEN];
-
-    cloop! {
-        for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() {
-            let coefficient1 =
-                compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[0])) as u8;
-            let coefficient2 =
-                compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[1])) as u8;
-            let coefficient3 =
-                compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[2])) as u8;
-            let coefficient4 =
-                compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[3])) as u8;
-            let coefficient5 =
-                compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[4])) as u8;
-            let coefficient6 =
-                compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[5])) as u8;
-            let coefficient7 =
-                compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[6])) as u8;
-            let coefficient8 =
-                compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[7])) as u8;
-
-            let (coef1, coef2, coef3, coef4, coef5) = compress_coefficients_5(
-                coefficient2,
-                coefficient1,
-                coefficient4,
-                coefficient3,
-                coefficient5,
-                coefficient7,
-                coefficient6,
-                coefficient8,
-            );
-            serialized[5 * i] = coef1;
-            serialized[5 * i + 1] = coef2;
-            serialized[5 * i + 2] = coef3;
-            serialized[5 * i + 3] = coef4;
-            serialized[5 * i + 4] = coef5;
-        }
-    }
-
-    serialized
-}
-
-#[inline(always)]
-fn compress_coefficients_5(
-    coefficient2: u8,
-    coefficient1: u8,
-    coefficient4: u8,
-    coefficient3: u8,
-    coefficient5: u8,
-    coefficient7: u8,
-    coefficient6: u8,
-    coefficient8: u8,
-) -> (u8, u8, u8, u8, u8) {
-    let coef1 = (coefficient2 & 0x7) << 5 | coefficient1;
-    let coef2 = ((coefficient4 & 1) << 7) | (coefficient3 << 2) | (coefficient2 >> 3);
-    let coef3 = ((coefficient5 & 0xF) << 4) | (coefficient4 >> 1);
-    let coef4 = ((coefficient7 & 0x3) << 6) | (coefficient6 << 1) | (coefficient5 >> 4);
-    let coef5 = (coefficient8 << 3) | (coefficient7 >> 2);
-    (coef1, coef2, coef3, coef4, coef5)
-}
-
-#[inline(always)]
-pub(super) fn compress_then_serialize_ring_element_v<
-    const COMPRESSION_FACTOR: usize,
-    const OUT_LEN: usize,
->(
-    re: PolynomialRingElement,
-) -> [u8; OUT_LEN] {
-    hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN);
-
-    match COMPRESSION_FACTOR as u32 {
-        4 => compress_then_serialize_4(re),
-        5 => compress_then_serialize_5(re),
-        _ => unreachable!(),
-    }
-}
-
-#[inline(always)]
-fn deserialize_then_decompress_10(serialized: &[u8]) -> PolynomialRingElement {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 10) / 8);
-
-    let mut re = PolynomialRingElement::ZERO;
-
-    cloop! {
-        for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-            let byte1 = bytes[0] as FieldElement;
-            let byte2 = bytes[1] as FieldElement;
-            let byte3 = bytes[2] as FieldElement;
-            let byte4 = bytes[3] as FieldElement;
-            let byte5 = bytes[4] as FieldElement;
-
-            let (coefficient1, coefficient2, coefficient3, coefficient4) =
-                decompress_coefficients_10(byte2, byte1, byte3, byte4, byte5);
-
-            re.coefficients[4 * i] = decompress_ciphertext_coefficient(10, coefficient1);
-            re.coefficients[4 * i + 1] = decompress_ciphertext_coefficient(10, coefficient2);
-            re.coefficients[4 * i + 2] = decompress_ciphertext_coefficient(10, coefficient3);
-            re.coefficients[4 * i + 3] = decompress_ciphertext_coefficient(10, coefficient4);
-        }
-    }
-
-    re
-}
-
-#[inline(always)]
-fn decompress_coefficients_10(
-    byte2: i32,
-    byte1: i32,
-    byte3: i32,
-    byte4: i32,
-    byte5: i32,
-) -> (i32, i32, i32, i32) {
-    let coefficient1 = (byte2 & 0x03) << 8 | (byte1 & 0xFF);
-    let coefficient2 = (byte3 & 0x0F) << 6 | (byte2 >> 2);
-    let coefficient3 = (byte4 & 0x3F) << 4 | (byte3 >> 4);
-    let coefficient4 = (byte5 << 2) | (byte4 >> 6);
-    (coefficient1, coefficient2, coefficient3, coefficient4)
-}
-
-#[inline(always)]
-fn deserialize_then_decompress_11(serialized: &[u8]) -> PolynomialRingElement {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 11) / 8);
-
-    let mut re = PolynomialRingElement::ZERO;
-
-    cloop! {
-        for (i, bytes) in serialized.chunks_exact(11).enumerate() {
-            let byte1 = bytes[0] as FieldElement;
-            let byte2 = bytes[1] as FieldElement;
-            let byte3 = bytes[2] as FieldElement;
-            let byte4 = bytes[3] as FieldElement;
-            let byte5 = bytes[4] as FieldElement;
-            let byte6 = bytes[5] as FieldElement;
-            let byte7 = bytes[6] as FieldElement;
-            let byte8 = bytes[7] as FieldElement;
-            let byte9 = bytes[8] as FieldElement;
-            let byte10 = bytes[9] as FieldElement;
-            let byte11 = bytes[10] as FieldElement;
-
-            let (
-                coefficient1,
-                coefficient2,
-                coefficient3,
-                coefficient4,
-                coefficient5,
-                coefficient6,
-                coefficient7,
-                coefficient8,
-            ) = decompress_coefficients_11(
-                byte2, byte1, byte3, byte5, byte4, byte6, byte7, byte9, byte8, byte10, byte11,
-            );
-
-            re.coefficients[8 * i] = decompress_ciphertext_coefficient(11, coefficient1);
-            re.coefficients[8 * i + 1] = decompress_ciphertext_coefficient(11, coefficient2);
-            re.coefficients[8 * i + 2] = decompress_ciphertext_coefficient(11, coefficient3);
-            re.coefficients[8 * i + 3] = decompress_ciphertext_coefficient(11, coefficient4);
-            re.coefficients[8 * i + 4] = decompress_ciphertext_coefficient(11, coefficient5);
-            re.coefficients[8 * i + 5] = decompress_ciphertext_coefficient(11, coefficient6);
-            re.coefficients[8 * i + 6] = decompress_ciphertext_coefficient(11, coefficient7);
-            re.coefficients[8 * i + 7] = decompress_ciphertext_coefficient(11, coefficient8);
-        }
-    }
-
-    re
-}
-
-#[inline(always)]
-fn decompress_coefficients_11(
-    byte2: i32,
-    byte1: i32,
-    byte3: i32,
-    byte5: i32,
-    byte4: i32,
-    byte6: i32,
-    byte7: i32,
-    byte9: i32,
-    byte8: i32,
-    byte10: i32,
-    byte11: i32,
-) -> (i32, i32, i32, i32, i32, i32, i32, i32) {
-    let coefficient1 = (byte2 & 0x7) << 8 | byte1;
-    let coefficient2 = (byte3 & 0x3F) << 5 | (byte2 >> 3);
-    let coefficient3 = (byte5 & 0x1) << 10 | (byte4 << 2) | (byte3 >> 6);
-    let coefficient4 = (byte6 & 0xF) << 7 | (byte5 >> 1);
-    let coefficient5 = (byte7 & 0x7F) << 4 | (byte6 >> 4);
-    let coefficient6 = (byte9 & 0x3) << 9 | (byte8 << 1) | (byte7 >> 7);
-    let coefficient7 = (byte10 & 0x1F) << 6 | (byte9 >> 2);
-    let coefficient8 = (byte11 << 3) | (byte10 >> 5);
-    (
-        coefficient1,
-        coefficient2,
-        coefficient3,
-        coefficient4,
-        coefficient5,
-        coefficient6,
-        coefficient7,
-        coefficient8,
-    )
-}
-
-#[inline(always)]
-pub(super) fn deserialize_then_decompress_ring_element_u<const COMPRESSION_FACTOR: usize>(
-    serialized: &[u8],
-) -> PolynomialRingElement {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8);
-
-    match COMPRESSION_FACTOR as u32 {
-        10 => deserialize_then_decompress_10(serialized),
-        11 => deserialize_then_decompress_11(serialized),
-        _ => unreachable!(),
-    }
-}
-
-#[inline(always)]
-fn deserialize_then_decompress_4(serialized: &[u8]) -> PolynomialRingElement {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 4) / 8);
-
-    let mut re = PolynomialRingElement::ZERO;
-
-    cloop! {
-        for (i, byte) in serialized.iter().enumerate() {
-            let (coefficient1, coefficient2) = decompress_coefficients_4(byte);
-
-            re.coefficients[2 * i] = decompress_ciphertext_coefficient(4, coefficient1);
-            re.coefficients[2 * i + 1] = decompress_ciphertext_coefficient(4, coefficient2);
-        }
-    }
-
-    re
-}
-
-#[inline(always)]
-fn decompress_coefficients_4(byte: &u8) -> (i32, i32) {
-    let coefficient1 = (byte & 0x0F) as FieldElement;
-    let coefficient2 = ((byte >> 4) & 0x0F) as FieldElement;
-    (coefficient1, coefficient2)
-}
-
-#[inline(always)]
-fn deserialize_then_decompress_5(serialized: &[u8]) -> PolynomialRingElement {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 5) / 8);
-
-    let mut re = PolynomialRingElement::ZERO;
-
-    cloop! {
-        for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-            let byte1 = bytes[0] as FieldElement;
-            let byte2 = bytes[1] as FieldElement;
-            let byte3 = bytes[2] as FieldElement;
-            let byte4 = bytes[3] as FieldElement;
-            let byte5 = bytes[4] as FieldElement;
-
-            let (
-                coefficient1,
-                coefficient2,
-                coefficient3,
-                coefficient4,
-                coefficient5,
-                coefficient6,
-                coefficient7,
-                coefficient8,
-            ) = decompress_coefficients_5(byte1, byte2, byte3, byte4, byte5);
-
-            re.coefficients[8 * i] = decompress_ciphertext_coefficient(5, coefficient1);
-            re.coefficients[8 * i + 1] = decompress_ciphertext_coefficient(5, coefficient2);
-            re.coefficients[8 * i + 2] = decompress_ciphertext_coefficient(5, coefficient3);
-            re.coefficients[8 * i + 3] = decompress_ciphertext_coefficient(5, coefficient4);
-            re.coefficients[8 * i + 4] = decompress_ciphertext_coefficient(5, coefficient5);
-            re.coefficients[8 * i + 5] = decompress_ciphertext_coefficient(5, coefficient6);
-            re.coefficients[8 * i + 6] = decompress_ciphertext_coefficient(5, coefficient7);
-            re.coefficients[8 * i + 7] = decompress_ciphertext_coefficient(5, coefficient8);
-        }
-    }
-
-    re
-}
-
-#[inline(always)]
-fn decompress_coefficients_5(
-    byte1: i32,
-    byte2: i32,
-    byte3: i32,
-    byte4: i32,
-    byte5: i32,
-) -> (i32, i32, i32, i32, i32, i32, i32, i32) {
-    let coefficient1 = byte1 & 0x1F;
-    let coefficient2 = (byte2 & 0x3) << 3 | (byte1 >> 5);
-    let coefficient3 = (byte2 >> 2) & 0x1F;
-    let coefficient4 = ((byte3 & 0xF) << 1) | (byte2 >> 7);
-    let coefficient5 = ((byte4 & 1) << 4) | (byte3 >> 4);
-    let coefficient6 = (byte4 >> 1) & 0x1F;
-    let coefficient7 = ((byte5 & 0x7) << 2) | (byte4 >> 6);
-    let coefficient8 = byte5 >> 3;
-    (
-        coefficient1,
-        coefficient2,
-        coefficient3,
-        coefficient4,
-        coefficient5,
-        coefficient6,
-        coefficient7,
-        coefficient8,
-    )
-}
-
-#[inline(always)]
-pub(super) fn deserialize_then_decompress_ring_element_v<const COMPRESSION_FACTOR: usize>(
-    serialized: &[u8],
-) -> PolynomialRingElement {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8);
-
-    match COMPRESSION_FACTOR as u32 {
-        4 => deserialize_then_decompress_4(serialized),
-        5 => deserialize_then_decompress_5(serialized),
-        _ => unreachable!(),
-    }
-}
diff --git a/libcrux-ml-kem/src/kem/kyber/types.rs b/libcrux-ml-kem/src/kem/kyber/types.rs
deleted file mode 100644
index 8789a254b..000000000
--- a/libcrux-ml-kem/src/kem/kyber/types.rs
+++ /dev/null
@@ -1,166 +0,0 @@
-macro_rules! impl_generic_struct {
-    ($name:ident, $doc:expr) => {
-        #[doc = $doc]
-        pub struct $name<const SIZE: usize> {
-            pub(super) value: [u8; SIZE],
-        }
-
-        impl<const SIZE: usize> AsRef<[u8]> for $name<SIZE> {
-            fn as_ref(&self) -> &[u8] {
-                &self.value
-            }
-        }
-
-        impl<const SIZE: usize> From<[u8; SIZE]> for $name<SIZE> {
-            fn from(value: [u8; SIZE]) -> Self {
-                Self { value }
-            }
-        }
-
-        impl<const SIZE: usize> From<&[u8; SIZE]> for $name<SIZE> {
-            fn from(value: &[u8; SIZE]) -> Self {
-                Self {
-                    value: value.clone(),
-                }
-            }
-        }
-
-        impl<const SIZE: usize> From<$name<SIZE>> for [u8; SIZE] {
-            fn from(value: $name<SIZE>) -> Self {
-                value.value
-            }
-        }
-
-        impl<const SIZE: usize> TryFrom<&[u8]> for $name<SIZE> {
-            type Error = core::array::TryFromSliceError;
-
-            fn try_from(value: &[u8]) -> Result<Self, Self::Error> {
-                match value.try_into() {
-                    Ok(value) => Ok(Self { value }),
-                    Err(e) => Err(e),
-                }
-            }
-        }
-
-        impl<const SIZE: usize> $name<SIZE> {
-            /// A reference to the raw byte slice.
-            pub fn as_slice(&self) -> &[u8; SIZE] {
-                &self.value
-            }
-
-            // This is only used for some of the macro callers.
-            #[allow(dead_code)]
-            // /// Split this value and return the raw byte slices.
-            pub(crate) fn split_at(&self, mid: usize) -> (&[u8], &[u8]) {
-                self.value.split_at(mid)
-            }
-            /// The number of bytes
-            pub const fn len() -> usize {
-                SIZE
-            }
-        }
-    };
-}
-macro_rules! impl_index_impls_for_generic_struct {
-    ($name:ident) => {
-        impl<const SIZE: usize> core::ops::Index<usize> for $name<SIZE> {
-            type Output = u8;
-
-            fn index(&self, index: usize) -> &Self::Output {
-                &self.value[index]
-            }
-        }
-
-        impl<const SIZE: usize> core::ops::Index<core::ops::Range<usize>> for $name<SIZE> {
-            type Output = [u8];
-
-            fn index(&self, range: core::ops::Range<usize>) -> &Self::Output {
-                &self.value[range]
-            }
-        }
-
-        impl<const SIZE: usize> core::ops::Index<core::ops::RangeTo<usize>> for $name<SIZE> {
-            type Output = [u8];
-
-            fn index(&self, range: core::ops::RangeTo<usize>) -> &Self::Output {
-                &self.value[range]
-            }
-        }
-
-        impl<const SIZE: usize> core::ops::Index<core::ops::RangeFrom<usize>> for $name<SIZE> {
-            type Output = [u8];
-
-            fn index(&self, range: core::ops::RangeFrom<usize>) -> &Self::Output {
-                &self.value[range]
-            }
-        }
-    };
-}
-
-impl_generic_struct!(MlKemCiphertext, "An ML-KEM Ciphertext");
-impl_generic_struct!(MlKemPrivateKey, "An ML-KEM Private key");
-impl_generic_struct!(MlKemPublicKey, "An ML-KEM Public key");
-
-// These traits are used only in `ind_cpa` for kyber cipher text.
-mod index_impls {
-    use super::*;
-    impl_index_impls_for_generic_struct!(MlKemCiphertext);
-    impl_index_impls_for_generic_struct!(MlKemPrivateKey);
-    impl_index_impls_for_generic_struct!(MlKemPublicKey);
-}
-
-/// An ML-KEM key pair
-pub struct MlKemKeyPair<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize> {
-    pub(crate) sk: MlKemPrivateKey<PRIVATE_KEY_SIZE>,
-    pub(crate) pk: MlKemPublicKey<PUBLIC_KEY_SIZE>,
-}
-
-impl<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>
-    MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>
-{
-    /// Creates a new [`MlKemKeyPair`].
-    pub fn new(sk: [u8; PRIVATE_KEY_SIZE], pk: [u8; PUBLIC_KEY_SIZE]) -> Self {
-        Self {
-            sk: sk.into(),
-            pk: pk.into(),
-        }
-    }
-
-    /// Create a new [`MlKemKeyPair`] from the secret and public key.
-    pub fn from(
-        sk: MlKemPrivateKey<PRIVATE_KEY_SIZE>,
-        pk: MlKemPublicKey<PUBLIC_KEY_SIZE>,
-    ) -> Self {
-        Self { sk, pk }
-    }
-
-    /// Get a reference to the [`MlKemPublicKey<PUBLIC_KEY_SIZE>`].
-    pub fn public_key(&self) -> &MlKemPublicKey<PUBLIC_KEY_SIZE> {
-        &self.pk
-    }
-
-    /// Get a reference to the [`MlKemPrivateKey<PRIVATE_KEY_SIZE>`].
-    pub fn private_key(&self) -> &MlKemPrivateKey<PRIVATE_KEY_SIZE> {
-        &self.sk
-    }
-
-    /// Get a reference to the raw public key bytes.
-    pub fn pk(&self) -> &[u8; PUBLIC_KEY_SIZE] {
-        self.pk.as_slice()
-    }
-
-    /// Get a reference to the raw private key bytes.
-    pub fn sk(&self) -> &[u8; PRIVATE_KEY_SIZE] {
-        self.sk.as_slice()
-    }
-
-    /// Separate this key into the public and private key.
-    pub fn into_parts(
-        self,
-    ) -> (
-        MlKemPrivateKey<PRIVATE_KEY_SIZE>,
-        MlKemPublicKey<PUBLIC_KEY_SIZE>,
-    ) {
-        (self.sk, self.pk)
-    }
-}
diff --git a/libcrux-ml-kem/src/lib.rs b/libcrux-ml-kem/src/lib.rs
index 3c3b84610..d952e656d 100644
--- a/libcrux-ml-kem/src/lib.rs
+++ b/libcrux-ml-kem/src/lib.rs
@@ -4,18 +4,14 @@
 //! formally verified using [hax](https://cryspen.com/hax) and
 //! [F*](https://fstar-lang.org).
 //!
-#![cfg_attr(
-    feature = "pre-verification",
-    doc = r##"
-Functions in this crate use CPU feature detection to pick the most efficient version
-on each platform. To use a specific version with your own feature detection
-use e.g. one of the following
-- `mlkem768::avx2::generate_key_pair`,
-- `mlkem768::neon::generate_key_pair`,
-- `mlkem768::portable::generate_key_pair`,
-
-analogously for encapsulation and decapsulation."##
-)]
+//! Functions in this crate use CPU feature detection to pick the most efficient version
+//! on each platform. To use a specific version with your own feature detection
+//! use e.g. one of the following
+//! - `mlkem768::avx2::generate_key_pair`,
+//! - `mlkem768::neon::generate_key_pair`,
+//! - `mlkem768::portable::generate_key_pair`,
+//!
+//! analogously for encapsulation and decapsulation."
 #![cfg_attr(
     feature = "mlkem768",
     doc = r##"
@@ -62,14 +58,9 @@ analogously for encapsulation and decapsulation."##
 //! available individually under feature flags `mlkem512`, `mlkem768`,
 //! `mlkem1024`.
 //!
-//! In addition to the verified implementations of the ML-KEM variants, the
-//! feature flag `pre-verification` gives access to, as yet, unverified
-//! implementations of ML-KEM that are optimized for SIMD instruction sets.
-//!
 //! ### Kyber Round 3
-//! The `kyber` flag (in combination with `pre-verification`) also gives access
-//! to an, as yet, unverified implementation of Kyber as submitted in Round 3 of
-//! the NIST PQ competition.
+//! The `kyber` flag also gives access to an, as yet, unverified implementation
+//! of Kyber as submitted in Round 3 of the NIST PQ competition.
 //!
 
 #![no_std]
@@ -90,145 +81,89 @@ mod cfg;
 
 pub(crate) mod hax_utils;
 
-// Not-yet verified ML-KEM implementation.
-// This implementation has 3 different variant.
-// - portable
-// - neon
-// - avx2
+// This module is declared here since otherwise, hax reports the following error:
 //
-// When #221 is finished, the pre-verification feature will be removed and this
-// implementation will be promoted to the default one.
-cfg_pre_verification! {
-    // This module is declared here since otherwise, hax reports the following error:
-    //
-    // The THIR body of item
-    // DefId(0:986 ~ libcrux[92b3]::kem::kyber768::parameters::COEFFICIENTS_IN_RING_ELEMENT)
-    // was stolen.
-    //
-    // This is being tracked in https://github.com/hacspec/hacspec-v2/issues/27
-    pub(crate) mod constants;
-
-    /// Helpers for verification and extraction
-    mod helper;
-
-    mod utils;
-    mod constant_time_ops;
-    mod hash_functions;
-    mod ind_cca;
-    mod ind_cpa;
-    mod variant;
-    mod invert_ntt;
-    mod matrix;
-    mod ntt;
-    mod polynomial;
-    mod sampling;
-    mod serialize;
-    mod types;
-    mod vector;
-
-    #[cfg(feature = "mlkem512")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "mlkem512")))]
-    pub mod mlkem512;
-
-    #[cfg(feature = "mlkem768")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "mlkem768")))]
-    pub mod mlkem768;
-
-    #[cfg(feature = "mlkem1024")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "mlkem1024")))]
-    pub mod mlkem1024;
-
-    pub use constants::SHARED_SECRET_SIZE;
-
-    pub use ind_cca::{MlKemSharedSecret, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE};
-
-    // These types all have type aliases for the different variants.
-    pub use types::{MlKemCiphertext, MlKemKeyPair, MlKemPrivateKey, MlKemPublicKey};
-
-    cfg_kyber! {
-        #[cfg(feature = "mlkem512")]
-        #[cfg_attr(docsrs, doc(cfg(all(feature = "kyber", feature = "mlkem512"))))]
-        pub mod kyber512 {
-            //! Kyber 512 (NIST PQC Round 3)
-            cfg_no_eurydice! {
-                pub use crate::mlkem512::kyber::generate_key_pair;
-                pub use crate::mlkem512::kyber::decapsulate;
-                pub use crate::mlkem512::kyber::encapsulate;
-                pub use crate::mlkem512::validate_public_key;
-                pub use crate::mlkem512::validate_private_key;
-            }
-        }
-
-        #[cfg(feature = "mlkem768")]
-        #[cfg_attr(docsrs, doc(cfg(all(feature = "kyber", feature = "mlkem768"))))]
-        pub mod kyber768 {
-            //! Kyber 768 (NIST PQC Round 3)
-            cfg_no_eurydice! {
-                pub use crate::mlkem768::kyber::generate_key_pair;
-                pub use crate::mlkem768::kyber::decapsulate;
-                pub use crate::mlkem768::kyber::encapsulate;
-                pub use crate::mlkem768::validate_public_key;
-                pub use crate::mlkem768::validate_private_key;
-            }
-        }
-
-        #[cfg(feature = "mlkem1024")]
-        #[cfg_attr(docsrs, doc(cfg(all(feature = "kyber", feature = "mlkem1024"))))]
-        pub mod kyber1024 {
-            //! Kyber 1024 (NIST PQC Round 3)
-            cfg_no_eurydice! {
-                pub use crate::mlkem1024::kyber::generate_key_pair;
-                pub use crate::mlkem1024::kyber::decapsulate;
-                pub use crate::mlkem1024::kyber::encapsulate;
-                pub use crate::mlkem1024::validate_public_key;
-                pub use crate::mlkem1024::validate_private_key;
-            }
-        }
-    }
-}
-
-// Verified ML-KEM implementation.
-// The proofs are in
-// - correctness: ../proofs/fstar/extraction-edited
-// - secret independence: ../proofs/fstar/extraction-secret-independent
+// The THIR body of item
+// DefId(0:986 ~ libcrux[92b3]::kem::kyber768::parameters::COEFFICIENTS_IN_RING_ELEMENT)
+// was stolen.
 //
-// When #221 is completed, this code will be removed and replaced with the, then
-// verified, code above.
-cfg_verified! {
-    mod kem;
-
-    // Variants
+// This is being tracked in https://github.com/hacspec/hacspec-v2/issues/27
+pub(crate) mod constants;
+
+/// Helpers for verification and extraction
+mod helper;
+
+mod constant_time_ops;
+mod hash_functions;
+mod ind_cca;
+mod ind_cpa;
+mod invert_ntt;
+mod matrix;
+mod ntt;
+mod polynomial;
+mod sampling;
+mod serialize;
+mod types;
+mod utils;
+mod variant;
+mod vector;
+
+#[cfg(feature = "mlkem512")]
+#[cfg_attr(docsrs, doc(cfg(feature = "mlkem512")))]
+pub mod mlkem512;
+
+#[cfg(feature = "mlkem768")]
+#[cfg_attr(docsrs, doc(cfg(feature = "mlkem768")))]
+pub mod mlkem768;
+
+#[cfg(feature = "mlkem1024")]
+#[cfg_attr(docsrs, doc(cfg(feature = "mlkem1024")))]
+pub mod mlkem1024;
+
+pub use constants::SHARED_SECRET_SIZE;
+
+pub use ind_cca::{MlKemSharedSecret, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE};
+
+// These types all have type aliases for the different variants.
+pub use types::{MlKemCiphertext, MlKemKeyPair, MlKemPrivateKey, MlKemPublicKey};
+
+cfg_kyber! {
     #[cfg(feature = "mlkem512")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "mlkem512")))]
-    pub mod mlkem512 {
-        //! ML-KEM 512
-        pub use crate::kem::kyber::kyber512::*;
+    #[cfg_attr(docsrs, doc(cfg(all(feature = "kyber", feature = "mlkem512"))))]
+    pub mod kyber512 {
+        //! Kyber 512 (NIST PQC Round 3)
+        cfg_no_eurydice! {
+            pub use crate::mlkem512::kyber::generate_key_pair;
+            pub use crate::mlkem512::kyber::decapsulate;
+            pub use crate::mlkem512::kyber::encapsulate;
+            pub use crate::mlkem512::validate_public_key;
+            pub use crate::mlkem512::validate_private_key;
+        }
     }
 
     #[cfg(feature = "mlkem768")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "mlkem768")))]
-    pub mod mlkem768 {
-        //! ML-KEM 768
-        pub use crate::kem::kyber::kyber768::*;
+    #[cfg_attr(docsrs, doc(cfg(all(feature = "kyber", feature = "mlkem768"))))]
+    pub mod kyber768 {
+        //! Kyber 768 (NIST PQC Round 3)
+        cfg_no_eurydice! {
+            pub use crate::mlkem768::kyber::generate_key_pair;
+            pub use crate::mlkem768::kyber::decapsulate;
+            pub use crate::mlkem768::kyber::encapsulate;
+            pub use crate::mlkem768::validate_public_key;
+            pub use crate::mlkem768::validate_private_key;
+        }
     }
 
     #[cfg(feature = "mlkem1024")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "mlkem1024")))]
-    pub mod mlkem1024 {
-        //! ML-KEM 1024
-        pub use crate::kem::kyber::kyber1024::*;
+    #[cfg_attr(docsrs, doc(cfg(all(feature = "kyber", feature = "mlkem1024"))))]
+    pub mod kyber1024 {
+        //! Kyber 1024 (NIST PQC Round 3)
+        cfg_no_eurydice! {
+            pub use crate::mlkem1024::kyber::generate_key_pair;
+            pub use crate::mlkem1024::kyber::decapsulate;
+            pub use crate::mlkem1024::kyber::encapsulate;
+            pub use crate::mlkem1024::validate_public_key;
+            pub use crate::mlkem1024::validate_private_key;
+        }
     }
-
-    /// The size of an ML-KEM shared secret.
-    pub const SHARED_SECRET_SIZE: usize = kem::kyber::constants::SHARED_SECRET_SIZE;
-    /// An ML-KEM shared secret.
-    ///
-    /// A byte array of size [`SHARED_SECRET_SIZE`].
-    pub use kem::kyber::MlKemSharedSecret;
-    /// Seed size for encapsulation
-    pub const ENCAPS_SEED_SIZE: usize = kem::kyber::constants::SHARED_SECRET_SIZE;
-    /// Seed size for key generation
-    pub const KEY_GENERATION_SEED_SIZE: usize = kem::kyber::KEY_GENERATION_SEED_SIZE;
-    // These types all have type aliases for the different variants.
-    pub use kem::kyber::{MlKemCiphertext, MlKemKeyPair, MlKemPrivateKey, MlKemPublicKey};
 }
diff --git a/libcrux-ml-kem/src/matrix.rs b/libcrux-ml-kem/src/matrix.rs
index 651ab345b..80f232545 100644
--- a/libcrux-ml-kem/src/matrix.rs
+++ b/libcrux-ml-kem/src/matrix.rs
@@ -5,6 +5,14 @@ use crate::{
 
 #[inline(always)]
 #[allow(non_snake_case)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let (matrix_A, valid) = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice $seed 0 32) in
+        valid ==> (
+        if $transpose then Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == matrix_A
+        else Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == Spec.MLKEM.matrix_transpose matrix_A)"#)
+)]
 pub(crate) fn sample_matrix_A<const K: usize, Vector: Operations, Hasher: Hash<K>>(
     A_transpose: &mut [[PolynomialRingElement<Vector>; K]; K],
     seed: [u8; 34],
@@ -27,7 +35,7 @@ pub(crate) fn sample_matrix_A<const K: usize, Vector: Operations, Hasher: Hash<K
                 }
             }
         }
-    };
+    }
     ()
 }
 
@@ -37,6 +45,17 @@ pub(crate) fn sample_matrix_A<const K: usize, Vector: Operations, Hasher: Hash<K
 
 /// Compute v − InverseNTT(sᵀ ◦ NTT(u))
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let open Libcrux_ml_kem.Polynomial in
+        let secret_spec = to_spec_vector_t $secret_as_ntt in
+        let u_spec = to_spec_vector_t $u_as_ntt in
+        let v_spec = to_spec_poly_t $v in
+        to_spec_poly_t $res ==
+            Spec.MLKEM.(poly_sub v_spec (poly_inv_ntt (vector_dot_product_ntt #$K secret_spec u_spec))) /\
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res"#)
+)]
 pub(crate) fn compute_message<const K: usize, Vector: Operations>(
     v: &PolynomialRingElement<Vector>,
     secret_as_ntt: &[PolynomialRingElement<Vector>; K],
@@ -57,6 +76,18 @@ pub(crate) fn compute_message<const K: usize, Vector: Operations>(
 
 /// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let open Libcrux_ml_kem.Polynomial in
+        let tt_spec = to_spec_vector_t $t_as_ntt in
+        let r_spec = to_spec_vector_t $r_as_ntt in
+        let e2_spec = to_spec_poly_t $error_2 in
+        let m_spec = to_spec_poly_t $message in
+        let res_spec = to_spec_poly_t $res in
+        res_spec == Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #$K tt_spec r_spec) e2_spec) m_spec) /\
+        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res"#)
+)]
 pub(crate) fn compute_ring_element_v<const K: usize, Vector: Operations>(
     t_as_ntt: &[PolynomialRingElement<Vector>; K],
     r_as_ntt: &[PolynomialRingElement<Vector>; K],
@@ -78,6 +109,18 @@ pub(crate) fn compute_ring_element_v<const K: usize, Vector: Operations>(
 
 /// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let open Libcrux_ml_kem.Polynomial in
+        let a_spec = to_spec_matrix_t $a_as_ntt in
+        let r_spec = to_spec_vector_t $r_as_ntt in
+        let e_spec = to_spec_vector_t $error_1 in
+        let res_spec = to_spec_vector_t $res in
+        res_spec == Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\
+        (forall (i:nat). i < v $K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $res i))"#)
+)]
 pub(crate) fn compute_vector_u<const K: usize, Vector: Operations>(
     a_as_ntt: &[[PolynomialRingElement<Vector>; K]; K],
     r_as_ntt: &[PolynomialRingElement<Vector>; K],
@@ -105,6 +148,18 @@ pub(crate) fn compute_vector_u<const K: usize, Vector: Operations>(
 /// Compute  ◦ ŝ + ê
 #[inline(always)]
 #[allow(non_snake_case)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let open Libcrux_ml_kem.Polynomial in
+        to_spec_vector_t ${t_as_ntt}_future =
+             Spec.MLKEM.compute_As_plus_e_ntt
+               (to_spec_matrix_t $matrix_A) 
+               (to_spec_vector_t $s_as_ntt) 
+               (to_spec_vector_t $error_as_ntt) /\
+        (forall (i: nat). i < v $K ==>
+            Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${t_as_ntt}_future i))"#)
+)]
 pub(crate) fn compute_As_plus_e<const K: usize, Vector: Operations>(
     t_as_ntt: &mut [PolynomialRingElement<Vector>; K],
     matrix_A: &[[PolynomialRingElement<Vector>; K]; K],
diff --git a/libcrux-ml-kem/src/mlkem1024.rs b/libcrux-ml-kem/src/mlkem1024.rs
index c0ddc096b..7976f095e 100644
--- a/libcrux-ml-kem/src/mlkem1024.rs
+++ b/libcrux-ml-kem/src/mlkem1024.rs
@@ -61,7 +61,7 @@ macro_rules! instantiate {
                         RANKED_BYTES_PER_RING_ELEMENT_1024,
                         CPA_PKE_PUBLIC_KEY_SIZE_1024,
                     >(&public_key.value)
-                
+
             }
 
             /// Validate a private key.
@@ -76,7 +76,7 @@ macro_rules! instantiate {
                         SECRET_KEY_SIZE_1024,
                         CPA_PKE_CIPHERTEXT_SIZE_1024,
                     >(private_key, ciphertext)
-                
+
             }
 
             /// Validate the private key only.
@@ -106,7 +106,7 @@ macro_rules! instantiate {
                         ETA1,
                         ETA1_RANDOMNESS_SIZE,
                     >(randomness)
-                
+
             }
 
             /// Generate ML-KEM 1024 Key Pair
@@ -122,7 +122,7 @@ macro_rules! instantiate {
                         ETA1,
                         ETA1_RANDOMNESS_SIZE,
                     >(randomness)
-                
+
             }
 
             /// Encapsulate ML-KEM 1024
@@ -149,7 +149,7 @@ macro_rules! instantiate {
                         ETA2,
                         ETA2_RANDOMNESS_SIZE,
                     >(public_key, randomness)
-                
+
             }
 
             /// Encapsulate Kyber 1024
@@ -178,7 +178,7 @@ macro_rules! instantiate {
                         ETA2,
                         ETA2_RANDOMNESS_SIZE,
                     >(public_key, randomness)
-                
+
             }
 
             /// Decapsulate ML-KEM 1024
@@ -207,7 +207,7 @@ macro_rules! instantiate {
                         ETA2_RANDOMNESS_SIZE,
                         IMPLICIT_REJECTION_HASH_INPUT_SIZE,
                     >(private_key, ciphertext)
-                
+
             }
 
             /// Decapsulate Kyber 1024
@@ -238,7 +238,7 @@ macro_rules! instantiate {
                         ETA2_RANDOMNESS_SIZE,
                         IMPLICIT_REJECTION_HASH_INPUT_SIZE,
                     >(private_key, ciphertext)
-                
+
             }
 
             /// Unpacked APIs that don't use serialized keys.
@@ -263,6 +263,9 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 4 ==>
+                    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                        ${public_key}.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn serialized_public_key(
                     public_key: &MlKem1024PublicKeyUnpacked,
                     serialized: &mut MlKem1024PublicKey,
@@ -284,11 +287,17 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 4 ==>
+                    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key_mut(key_pair: &MlKem1024KeyPairUnpacked, serialized: &mut MlKem1024PublicKey) {
                     key_pair.serialized_public_key_mut::<RANKED_BYTES_PER_RING_ELEMENT_1024, CPA_PKE_PUBLIC_KEY_SIZE_1024>(serialized);
                 }
 
                 /// Get the serialized public key.
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 4 ==>
+                    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key(key_pair: &MlKem1024KeyPairUnpacked) ->MlKem1024PublicKey {
                     key_pair.serialized_public_key::<RANKED_BYTES_PER_RING_ELEMENT_1024, CPA_PKE_PUBLIC_KEY_SIZE_1024>()
                 }
@@ -309,7 +318,7 @@ macro_rules! instantiate {
                             RANKED_BYTES_PER_RING_ELEMENT_1024,
                             CPA_PKE_PUBLIC_KEY_SIZE_1024,
                         >(public_key, unpacked_public_key)
-                    
+
                 }
 
                 /// Generate ML-KEM 1024 Key Pair in "unpacked" form.
@@ -335,7 +344,7 @@ macro_rules! instantiate {
                             ETA1,
                             ETA1_RANDOMNESS_SIZE,
                         >(randomness, key_pair)
-                    
+
                 }
 
                 /// Encapsulate ML-KEM 1024 (unpacked)
@@ -377,7 +386,7 @@ macro_rules! instantiate {
                             ETA2,
                             ETA2_RANDOMNESS_SIZE,
                         >(public_key, randomness)
-                    
+
                 }
 
                 /// Decapsulate ML-KEM 1024 (unpacked)
@@ -407,7 +416,7 @@ macro_rules! instantiate {
                             ETA2_RANDOMNESS_SIZE,
                             IMPLICIT_REJECTION_HASH_INPUT_SIZE,
                         >(private_key, ciphertext)
-                    
+
                 }
             }
         }
@@ -456,6 +465,11 @@ pub fn validate_private_key(
 ///
 /// This function returns an [`MlKem1024KeyPair`].
 #[cfg(not(eurydice))]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem1024_generate_keypair $randomness in
+        valid ==> (${res}.f_sk.f_value == secret_key /\ ${res}.f_pk.f_value == public_key)"#)
+)]
 pub fn generate_key_pair(
     randomness: [u8; KEY_GENERATION_SEED_SIZE],
 ) -> MlKemKeyPair<SECRET_KEY_SIZE_1024, CPA_PKE_PUBLIC_KEY_SIZE_1024> {
@@ -476,6 +490,12 @@ pub fn generate_key_pair(
 /// The input is a reference to an [`MlKem1024PublicKey`] and [`SHARED_SECRET_SIZE`]
 /// bytes of `randomness`.
 #[cfg(not(eurydice))]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem1024_encapsulate ${public_key}.f_value $randomness in
+        let (res_ciphertext, res_shared_secret) = $res in
+        valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)"#)
+)]
 pub fn encapsulate(
     public_key: &MlKem1024PublicKey,
     randomness: [u8; SHARED_SECRET_SIZE],
@@ -502,6 +522,11 @@ pub fn encapsulate(
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
 #[cfg(not(eurydice))]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem1024_decapsulate ${private_key}.f_value ${ciphertext}.f_value in
+        valid ==> $res == shared_secret"#)
+)]
 pub fn decapsulate(
     private_key: &MlKem1024PrivateKey,
     ciphertext: &MlKem1024Ciphertext,
diff --git a/libcrux-ml-kem/src/mlkem512.rs b/libcrux-ml-kem/src/mlkem512.rs
index 1a0438eda..52cfa2543 100644
--- a/libcrux-ml-kem/src/mlkem512.rs
+++ b/libcrux-ml-kem/src/mlkem512.rs
@@ -7,21 +7,16 @@ const RANKED_BYTES_PER_RING_ELEMENT_512: usize = RANK_512 * BITS_PER_RING_ELEMEN
 const T_AS_NTT_ENCODED_SIZE_512: usize =
     (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8;
 const VECTOR_U_COMPRESSION_FACTOR_512: usize = 10;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// block_len::<VECTOR_U_COMPRESSION_FACTOR_512>()
 const C1_BLOCK_SIZE_512: usize =
     (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_512) / 8;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// serialized_len::<RANK_512, C1_BLOCK_SIZE_512>()
 const C1_SIZE_512: usize = C1_BLOCK_SIZE_512 * RANK_512;
 const VECTOR_V_COMPRESSION_FACTOR_512: usize = 4;
-// [hax]: hacspec/hacspec-v2#27 stealing error
-// block_len::<VECTOR_V_COMPRESSION_FACTOR_512>()
 const C2_SIZE_512: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_512) / 8;
 const CPA_PKE_SECRET_KEY_SIZE_512: usize =
     (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8;
 pub(crate) const CPA_PKE_PUBLIC_KEY_SIZE_512: usize = T_AS_NTT_ENCODED_SIZE_512 + 32;
 const CPA_PKE_CIPHERTEXT_SIZE_512: usize = C1_SIZE_512 + C2_SIZE_512;
+
 pub(crate) const SECRET_KEY_SIZE_512: usize =
     CPA_PKE_SECRET_KEY_SIZE_512 + CPA_PKE_PUBLIC_KEY_SIZE_512 + H_DIGEST_SIZE + SHARED_SECRET_SIZE;
 
@@ -258,6 +253,9 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 2 ==>
+                    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                        ${public_key}.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn serialized_public_key(
                     public_key: &MlKem512PublicKeyUnpacked,
                     serialized: &mut MlKem512PublicKey,
@@ -279,11 +277,17 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 2 ==>
+                    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key_mut(key_pair: &MlKem512KeyPairUnpacked, serialized: &mut MlKem512PublicKey) {
                     key_pair.serialized_public_key_mut::<RANKED_BYTES_PER_RING_ELEMENT_512, CPA_PKE_PUBLIC_KEY_SIZE_512>(serialized);
                 }
 
                 /// Get the serialized public key.
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 2 ==>
+                    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key(key_pair: &MlKem512KeyPairUnpacked) ->MlKem512PublicKey {
                     key_pair.serialized_public_key::<RANKED_BYTES_PER_RING_ELEMENT_512, CPA_PKE_PUBLIC_KEY_SIZE_512>()
                 }
@@ -449,6 +453,11 @@ pub fn validate_private_key(
 ///
 /// This function returns an [`MlKem512KeyPair`].
 #[cfg(not(eurydice))]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem512_generate_keypair $randomness in
+        valid ==> (${res}.f_sk.f_value == secret_key /\ ${res}.f_pk.f_value == public_key)"#)
+)]
 pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512KeyPair {
     multiplexing::generate_keypair::<
         RANK_512,
@@ -467,6 +476,12 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512
 /// The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`]
 /// bytes of `randomness`.
 #[cfg(not(eurydice))]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem512_encapsulate ${public_key}.f_value $randomness in
+        let (res_ciphertext, res_shared_secret) = $res in
+        valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)"#)
+)]
 pub fn encapsulate(
     public_key: &MlKem512PublicKey,
     randomness: [u8; SHARED_SECRET_SIZE],
@@ -493,6 +508,11 @@ pub fn encapsulate(
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
 #[cfg(not(eurydice))]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem512_decapsulate ${private_key}.f_value ${ciphertext}.f_value in
+        valid ==> $res == shared_secret"#)
+)]
 pub fn decapsulate(
     private_key: &MlKem512PrivateKey,
     ciphertext: &MlKem512Ciphertext,
diff --git a/libcrux-ml-kem/src/mlkem768.rs b/libcrux-ml-kem/src/mlkem768.rs
index 28ffd07b8..a96c83304 100644
--- a/libcrux-ml-kem/src/mlkem768.rs
+++ b/libcrux-ml-kem/src/mlkem768.rs
@@ -254,6 +254,9 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 3 ==>
+                    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                        ${public_key}.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn serialized_public_key(public_key: &MlKem768PublicKeyUnpacked, serialized : &mut MlKem768PublicKey) {
                     public_key.serialized_mut::<RANKED_BYTES_PER_RING_ELEMENT_768, CPA_PKE_PUBLIC_KEY_SIZE_768>(serialized);
                 }
@@ -269,11 +272,17 @@ macro_rules! instantiate {
                 }
 
                 /// Get the serialized public key.
+                #[hax_lib::requires(fstar!(r#"(forall (i:nat). i < 3 ==>
+                        Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                            ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i))"#))]
                 pub fn key_pair_serialized_public_key_mut(key_pair: &MlKem768KeyPairUnpacked, serialized: &mut MlKem768PublicKey) {
                     key_pair.serialized_public_key_mut::<RANKED_BYTES_PER_RING_ELEMENT_768, CPA_PKE_PUBLIC_KEY_SIZE_768>(serialized);
                 }
 
                 /// Get the serialized public key.
+                #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 3 ==>
+                    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index 
+                        ${key_pair}.f_public_key.f_ind_cpa_public_key.f_t_as_ntt i)"#))]
                 pub fn key_pair_serialized_public_key(key_pair: &MlKem768KeyPairUnpacked) ->MlKem768PublicKey {
                     key_pair.serialized_public_key::<RANKED_BYTES_PER_RING_ELEMENT_768, CPA_PKE_PUBLIC_KEY_SIZE_768>()
                 }
@@ -439,6 +448,11 @@ pub fn validate_private_key(
 ///
 /// This function returns an [`MlKem768KeyPair`].
 #[cfg(not(eurydice))]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem768_generate_keypair $randomness in
+        valid ==> (${res}.f_sk.f_value == secret_key /\ ${res}.f_pk.f_value == public_key)"#)
+)]
 pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768KeyPair {
     multiplexing::generate_keypair::<
         RANK_768,
@@ -457,6 +471,12 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768
 /// The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`]
 /// bytes of `randomness`.
 #[cfg(not(eurydice))]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem768_encapsulate ${public_key}.f_value $randomness in
+        let (res_ciphertext, res_shared_secret) = $res in
+        valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)"#)
+)]
 pub fn encapsulate(
     public_key: &MlKem768PublicKey,
     randomness: [u8; SHARED_SECRET_SIZE],
@@ -483,6 +503,11 @@ pub fn encapsulate(
 /// Generates an [`MlKemSharedSecret`].
 /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
 #[cfg(not(eurydice))]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|res|
+    fstar!(r#"let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem768_decapsulate ${private_key}.f_value ${ciphertext}.f_value in
+        valid ==> $res == shared_secret"#)
+)]
 pub fn decapsulate(
     private_key: &MlKem768PrivateKey,
     ciphertext: &MlKem768Ciphertext,
diff --git a/libcrux-ml-kem/src/ntt.rs b/libcrux-ml-kem/src/ntt.rs
index d33d9c077..5ea2923c3 100644
--- a/libcrux-ml-kem/src/ntt.rs
+++ b/libcrux-ml-kem/src/ntt.rs
@@ -1,71 +1,206 @@
 use crate::{
     hax_utils::hax_debug_assert,
-    polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R},
+    polynomial::{zeta, PolynomialRingElement, VECTORS_IN_RING_ELEMENT},
     vector::{montgomery_multiply_fe, Operations},
 };
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
+#[hax_lib::fstar::before(
+    interface,
+    r#"[@@ "opaque_to_smt"]
+   let ntt_re_range_2 (#v_Vector: Type0)
+         {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+         (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"#
+)]
+#[hax_lib::fstar::before(
+    interface,
+    r#"[@@ "opaque_to_smt"]
+    let ntt_re_range_1 (#v_Vector: Type0)
+            {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+            (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+        forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328)
+                (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"#
+)]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 63 /\
+    ntt_re_range_2 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"ntt_re_range_1 ${re}_future /\
+    v ${*zeta_i}_future == 127"#))]
 pub(crate) fn ntt_at_layer_1<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
-    _layer: usize,
-    _initial_coefficient_bound: usize,
+    _initial_coefficient_bound: usize, // This can be used for specifying the range of values allowed in re
 ) {
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"#);
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #$:Vector)"#);
+    let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
+        hax_lib::loop_invariant!(|round: usize| {
+            fstar!(
+                r#"v zeta_i == v $_zeta_i_init + v $round * 4 /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
+            Spec.Utils.is_i16b_array_opaque (11207+5*3328)
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328)
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
+            )
+        });
         *zeta_i += 1;
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque (11207+5*3328)
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
         re.coefficients[round] = Vector::ntt_layer_1_step(
             re.coefficients[round],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3],
+            zeta(*zeta_i),
+            zeta(*zeta_i + 1),
+            zeta(*zeta_i + 2),
+            zeta(*zeta_i + 3),
         );
         *zeta_i += 3;
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque (11207+6*3328)
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
+        hax_lib::fstar!(
+            "assert (Spec.Utils.is_i16b_array_opaque (11207+6*3328)
+        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
+        );
     }
     ()
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
+#[hax_lib::fstar::before(
+    interface,
+    r#"[@@ "opaque_to_smt"]
+   let ntt_re_range_3 (#v_Vector: Type0)
+         {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+         (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"#
+)]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 31 /\
+    ntt_re_range_3 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"ntt_re_range_2 ${re}_future /\
+    v ${*zeta_i}_future == 63"#))]
 pub(crate) fn ntt_at_layer_2<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
-    _layer: usize,
-    _initial_coefficient_bound: usize,
+    _initial_coefficient_bound: usize, // This can be used for specifying the range of values allowed in re
 ) {
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"#);
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"#);
+    let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
+        hax_lib::loop_invariant!(|round: usize| {
+            fstar!(
+                r#"v zeta_i == v $_zeta_i_init + v $round * 2 /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
+            Spec.Utils.is_i16b_array_opaque (11207+4*3328)
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328)
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
+            )
+        });
         *zeta_i += 1;
-        re.coefficients[round] = Vector::ntt_layer_2_step(
-            re.coefficients[round],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1],
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque (11207+4*3328)
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
         );
+        re.coefficients[round] =
+            Vector::ntt_layer_2_step(re.coefficients[round], zeta(*zeta_i), zeta(*zeta_i + 1));
         *zeta_i += 1;
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque (11207+5*3328)
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
+        hax_lib::fstar!(
+            "assert (Spec.Utils.is_i16b_array_opaque (11207+5*3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
+        );
     }
     ()
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
+#[hax_lib::fstar::before(
+    interface,
+    r#"[@@ "opaque_to_smt"]
+   let ntt_re_range_4 (#v_Vector: Type0)
+         {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+         (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+       forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"#
+)]
+#[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 15 /\
+    ntt_re_range_4 $re"#))]
+#[hax_lib::ensures(|result| fstar!(r#"ntt_re_range_3 ${re}_future /\
+    v ${*zeta_i}_future == 31"#))]
 pub(crate) fn ntt_at_layer_3<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
-    _layer: usize,
-    _initial_coefficient_bound: usize,
+    _initial_coefficient_bound: usize, // This can be used for specifying the range of values allowed in re
 ) {
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #$:Vector)"#);
+    hax_lib::fstar!(r#"reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"#);
+    let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..16 {
+        hax_lib::loop_invariant!(|round: usize| {
+            fstar!(
+                r#"v zeta_i == v $_zeta_i_init + v $round /\
+          (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==>
+            Spec.Utils.is_i16b_array_opaque (11207+3*3328)
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
+          (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328)
+              (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"#
+            )
+        });
         *zeta_i += 1;
-        re.coefficients[round] =
-            Vector::ntt_layer_3_step(re.coefficients[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]);
+        hax_lib::fstar!(
+            r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+                        (Spec.Utils.is_i16b_array_opaque (11207+3*3328)
+                        (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"#
+        );
+        re.coefficients[round] = Vector::ntt_layer_3_step(re.coefficients[round], zeta(*zeta_i));
+        hax_lib::fstar!(
+            "reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) 
+            (Spec.Utils.is_i16b_array_opaque (11207+4*3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"
+        );
+        hax_lib::fstar!(
+            "assert (Spec.Utils.is_i16b_array_opaque (11207+4*3328)
+            (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"
+        );
     }
     ()
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $zeta_r /\
+    (let t = ${montgomery_multiply_fe::<Vector>} $b $zeta_r in
+    (forall i. i < 16 ==>
+        Spec.Utils.is_intb (pow2 15 - 1)
+        (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) -
+        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\
+    (forall i. i < 16 ==>
+        Spec.Utils.is_intb (pow2 15 - 1)
+        (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) +
+        v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"#))]
 fn ntt_layer_int_vec_step<Vector: Operations>(
     mut a: Vector,
     mut b: Vector,
@@ -76,16 +211,28 @@ fn ntt_layer_int_vec_step<Vector: Operations>(
     a = Vector::add(a, &t);
     (a, b)
 }
+
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"v $layer >= 4 /\ v $layer <= 7 /\
+    ((v $layer == 4 ==> v ${*zeta_i} == 7) /\
+    (v $layer == 5 ==> v ${*zeta_i} == 3) /\
+    (v $layer == 6 ==> v ${*zeta_i} == 1) /\
+    (v $layer == 7 ==> v ${*zeta_i} == 0))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"ntt_re_range_4 ${re}_future /\
+    (v $layer == 4 ==> v ${*zeta_i}_future == 15) /\
+    (v $layer == 5 ==> v ${*zeta_i}_future == 7) /\
+    (v $layer == 6 ==> v ${*zeta_i}_future == 3) /\
+    (v $layer == 7 ==> v ${*zeta_i}_future == 1)"#))]
 pub(crate) fn ntt_at_layer_4_plus<Vector: Operations>(
     zeta_i: &mut usize,
     re: &mut PolynomialRingElement<Vector>,
     layer: usize,
-    _initial_coefficient_bound: usize,
+    _initial_coefficient_bound: usize, // This can be used for specifying the range of values allowed in re
 ) {
-    debug_assert!(layer >= 4);
     let step = 1 << layer;
 
+    let _zeta_i_init = *zeta_i;
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for round in 0..(128 >> layer) {
@@ -99,7 +246,7 @@ pub(crate) fn ntt_at_layer_4_plus<Vector: Operations>(
             let (x, y) = ntt_layer_int_vec_step(
                 re.coefficients[j],
                 re.coefficients[j + step_vec],
-                ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
+                zeta(*zeta_i),
             );
             re.coefficients[j] = x;
             re.coefficients[j + step_vec] = y;
@@ -109,11 +256,43 @@ pub(crate) fn ntt_at_layer_4_plus<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+//We should make the loops inside this function `opaque_to_smt` to get it work
+#[hax_lib::fstar::before(
+    interface,
+    r#"[@@ "opaque_to_smt"]
+   let ntt_layer_7_pre (#v_Vector: Type0)
+        {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+        (re_0 re_1: v_Vector) =
+    (forall i. i < 16 ==>
+      Spec.Utils.is_intb (pow2 15 - 1)
+      (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\
+    (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 (-1600s) in
+    (forall i. i < 16 ==> 
+      Spec.Utils.is_intb (pow2 15 - 1) 
+        (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - 
+          v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\
+    (forall i. i < 16 ==> 
+      Spec.Utils.is_intb (pow2 15 - 1) 
+        (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + 
+          v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"#
+)]
+#[hax_lib::requires(fstar!(r#"forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ])
+    (${re}.f_coefficients.[ sz i +! sz 8 ])"#))]
 pub(crate) fn ntt_at_layer_7<Vector: Operations>(re: &mut PolynomialRingElement<Vector>) {
     let step = VECTORS_IN_RING_ELEMENT / 2;
+    hax_lib::fstar!(r#"assert (v $step == 8)"#);
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for j in 0..step {
+        hax_lib::loop_invariant!(|j: usize| {
+            fstar!(
+                r#"(v j < 8 ==>
+          (forall (i:nat). (i >= v j /\ i < 8) ==>
+            ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))"#
+            )
+        });
+        hax_lib::fstar!(r#"reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #$:Vector)"#);
         let t = Vector::multiply_by_constant(re.coefficients[j + step], -1600);
         re.coefficients[j + step] = Vector::sub(re.coefficients[j], &t);
         re.coefficients[j] = Vector::add(re.coefficients[j], &t);
@@ -122,6 +301,13 @@ pub(crate) fn ntt_at_layer_7<Vector: Operations>(re: &mut PolynomialRingElement<
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::fstar::options("--z3rlimit 200")]
+#[hax_lib::requires(fstar!(r#"forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ])
+    (${re}.f_coefficients.[ sz i +! sz 8 ])"#))]
+#[hax_lib::ensures(|_| fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${re}_future ==
+    Spec.MLKEM.poly_ntt (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re) /\
+    Libcrux_ml_kem.Serialize.coefficients_field_modulus_range #$:Vector ${re}_future"#))]
 pub(crate) fn ntt_binomially_sampled_ring_element<Vector: Operations>(
     re: &mut PolynomialRingElement<Vector>,
 ) {
@@ -130,17 +316,21 @@ pub(crate) fn ntt_binomially_sampled_ring_element<Vector: Operations>(
     ntt_at_layer_7(re);
 
     let mut zeta_i = 1;
-    ntt_at_layer_4_plus(&mut zeta_i, re, 6, 3);
-    ntt_at_layer_4_plus(&mut zeta_i, re, 5, 3);
-    ntt_at_layer_4_plus(&mut zeta_i, re, 4, 3);
-    ntt_at_layer_3(&mut zeta_i, re, 3, 3);
-    ntt_at_layer_2(&mut zeta_i, re, 2, 3);
-    ntt_at_layer_1(&mut zeta_i, re, 1, 3);
+    ntt_at_layer_4_plus(&mut zeta_i, re, 6, 11207);
+    ntt_at_layer_4_plus(&mut zeta_i, re, 5, 11207 + 3328);
+    ntt_at_layer_4_plus(&mut zeta_i, re, 4, 11207 + 2 * 3328);
+    ntt_at_layer_3(&mut zeta_i, re, 11207 + 3 * 3328);
+    ntt_at_layer_2(&mut zeta_i, re, 11207 + 4 * 3328);
+    ntt_at_layer_1(&mut zeta_i, re, 11207 + 5 * 3328);
 
     re.poly_barrett_reduce()
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::fstar::options("--z3rlimit 200")]
+#[hax_lib::ensures(|_| fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${re}_future ==
+    Spec.MLKEM.poly_ntt (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#))]
 pub(crate) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usize, Vector: Operations>(
     re: &mut PolynomialRingElement<Vector>,
 ) {
@@ -151,12 +341,12 @@ pub(crate) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usize, Vector: Ope
     let mut zeta_i = 0;
 
     ntt_at_layer_4_plus(&mut zeta_i, re, 7, 3328);
-    ntt_at_layer_4_plus(&mut zeta_i, re, 6, 3328);
-    ntt_at_layer_4_plus(&mut zeta_i, re, 5, 3328);
-    ntt_at_layer_4_plus(&mut zeta_i, re, 4, 3328);
-    ntt_at_layer_3(&mut zeta_i, re, 3, 3328);
-    ntt_at_layer_2(&mut zeta_i, re, 2, 3328);
-    ntt_at_layer_1(&mut zeta_i, re, 1, 3328);
+    ntt_at_layer_4_plus(&mut zeta_i, re, 6, 2 * 3328);
+    ntt_at_layer_4_plus(&mut zeta_i, re, 5, 3 * 3328);
+    ntt_at_layer_4_plus(&mut zeta_i, re, 4, 4 * 3328);
+    ntt_at_layer_3(&mut zeta_i, re, 5 * 3328);
+    ntt_at_layer_2(&mut zeta_i, re, 6 * 3328);
+    ntt_at_layer_1(&mut zeta_i, re, 7 * 3328);
 
     re.poly_barrett_reduce()
 }
diff --git a/libcrux-ml-kem/src/polynomial.rs b/libcrux-ml-kem/src/polynomial.rs
index e5abd0045..75cfd1e49 100644
--- a/libcrux-ml-kem/src/polynomial.rs
+++ b/libcrux-ml-kem/src/polynomial.rs
@@ -1,196 +1,320 @@
 use crate::vector::{to_standard_domain, Operations, FIELD_ELEMENTS_IN_VECTOR};
 
-pub(crate) const ZETAS_TIMES_MONTGOMERY_R: [i16; 128] = [
-    -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468,
-    573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571,
-    1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469,
-    -853, -90, -271, 830, 107, -1421, -247, -951, -398, 961, -1508, -725, 448, -1065, 677, -1275,
-    -1103, 430, 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235, -291, -460, 1574, 1653, -246,
-    778, 1159, -147, -777, 1483, -602, 1119, -1590, 644, -872, 349, 418, 329, -156, -75, 817, 1097,
-    603, 610, 1322, -1285, -1465, 384, -1215, -136, 1218, -1335, -874, 220, -1187, -1659, -1185,
-    -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628,
-];
+pub(crate) const ZETAS_TIMES_MONTGOMERY_R: [i16; 128] = {
+    hax_lib::fstar!(r#"assert_norm (pow2 16 == 65536)"#);
+    [
+        -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474,
+        1468, 573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411,
+        -205, -1571, 1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618,
+        -1162, 126, 1469, -853, -90, -271, 830, 107, -1421, -247, -951, -398, 961, -1508, -725,
+        448, -1065, 677, -1275, -1103, 430, 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235,
+        -291, -460, 1574, 1653, -246, 778, 1159, -147, -777, 1483, -602, 1119, -1590, 644, -872,
+        349, 418, 329, -156, -75, 817, 1097, 603, 610, 1322, -1285, -1465, 384, -1215, -136, 1218,
+        -1335, -874, 220, -1187, -1659, -1185, -1530, -1278, 794, -1510, -854, -870, 478, -108,
+        -308, 996, 991, 958, -1460, 1522, 1628,
+    ]
+};
+
+// A function to retrieve zetas so that we can add a post-condition
+#[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(i < 128)]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b 1664 result"#))]
+pub fn zeta(i: usize) -> i16 {
+    ZETAS_TIMES_MONTGOMERY_R[i]
+}
 
 pub(crate) const VECTORS_IN_RING_ELEMENT: usize =
     super::constants::COEFFICIENTS_IN_RING_ELEMENT / FIELD_ELEMENTS_IN_VECTOR;
 
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        interface,
+        "let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r =
+    createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i]))"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        interface,
+        "let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r =
+    createi r (fun i -> to_spec_poly_t #v_Vector (m.[i]))"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        interface,
+        "let to_spec_poly_t (#v_Vector: Type0)
+    {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+    (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial =
+    createi (sz 256) (fun i -> Spec.MLKEM.Math.to_spec_fe 
+                                (Seq.index (i2._super_8706949974463268012.f_repr 
+                                    (Seq.index p.f_coefficients (v i / 16))) (v i % 16)))"
+    )
+)]
 // XXX: We don't want to copy this. But for eurydice we have to have this.
 #[derive(Clone, Copy)]
 pub(crate) struct PolynomialRingElement<Vector: Operations> {
     pub(crate) coefficients: [Vector; VECTORS_IN_RING_ELEMENT],
 }
 
+#[allow(non_snake_case)]
+fn ZERO<Vector: Operations>() -> PolynomialRingElement<Vector> {
+    PolynomialRingElement {
+        // https://github.com/hacspec/hax/issues/27
+        // FIXME:  The THIR body of item DefId(0:415 ~ libcrux_ml_kem[9000]::polynomial::{impl#0}::ZERO::{constant#0}) was stolen.
+        coefficients: [Vector::ZERO(); 16],
+    }
+}
+
+#[inline(always)]
+#[hax_lib::requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())]
+fn from_i16_array<Vector: Operations>(a: &[i16]) -> PolynomialRingElement<Vector> {
+    let mut result = ZERO();
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        result.coefficients[i] = Vector::from_i16_array(&a[i * 16..(i + 1) * 16]);
+    }
+    result
+}
+
+/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+/// sum of their constituent coefficients.
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+fn add_to_ring_element<Vector: Operations, const K: usize>(
+    myself: &mut PolynomialRingElement<Vector>,
+    rhs: &PolynomialRingElement<Vector>,
+) {
+    // The semicolon and parentheses at the end of loop are a workaround
+    // for the following bug https://github.com/hacspec/hax/issues/720
+    for i in 0..myself.coefficients.len() {
+        myself.coefficients[i] = Vector::add(myself.coefficients[i], &rhs.coefficients[i]);
+    }
+    ()
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+fn poly_barrett_reduce<Vector: Operations>(myself: &mut PolynomialRingElement<Vector>) {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    // The semicolon and parentheses at the end of loop are a workaround
+    // for the following bug https://github.com/hacspec/hax/issues/720
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        myself.coefficients[i] = Vector::barrett_reduce(myself.coefficients[i]);
+    }
+    ()
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+fn subtract_reduce<Vector: Operations>(
+    myself: &PolynomialRingElement<Vector>,
+    mut b: PolynomialRingElement<Vector>,
+) -> PolynomialRingElement<Vector> {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        let coefficient_normal_form =
+            Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441);
+        b.coefficients[i] = Vector::barrett_reduce(Vector::sub(
+            myself.coefficients[i],
+            &coefficient_normal_form,
+        ));
+    }
+    b
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+fn add_message_error_reduce<Vector: Operations>(
+    myself: &PolynomialRingElement<Vector>,
+    message: &PolynomialRingElement<Vector>,
+    mut result: PolynomialRingElement<Vector>,
+) -> PolynomialRingElement<Vector> {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        let coefficient_normal_form =
+            Vector::montgomery_multiply_by_constant(result.coefficients[i], 1441);
+
+        // FIXME: Eurydice crashes with:
+        //
+        // Warning 11: in top-level declaration libcrux_ml_kem.polynomial.{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}.add_message_error_reduce__libcrux_ml_kem_libcrux_polynomials_PortableVector: this expression is not Low*; the enclosing function cannot be translated into C*: let mutable ret(Mark.Present,(Mark.AtMost 2), ): int16_t[16size_t] = $any in
+        // libcrux_ml_kem.libcrux_polynomials.{(libcrux_ml_kem::libcrux_polynomials::libcrux_traits::Operations␣for␣libcrux_ml_kem::libcrux_polynomials::PortableVector)}.add ((@9: libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t]*)[0uint32_t]:int16_t[16size_t][16size_t])[@4] &(((@8: libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t]*)[0uint32_t]:libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t])[@4]) @0;
+        // @0
+        // Warning 11 is fatal, exiting.
+        //
+        // On the following code:
+
+        // ```rust
+        // result.coefficients[i] = Vector::barrett_reduce(Vector::add(
+        //     coefficient_normal_form,
+        //     &Vector::add(myself.coefficients[i], &message.coefficients[i]),
+        // ));
+        // ```
+
+        let tmp = Vector::add(myself.coefficients[i], &message.coefficients[i]);
+        let tmp = Vector::add(coefficient_normal_form, &tmp);
+        result.coefficients[i] = Vector::barrett_reduce(tmp);
+    }
+    result
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+fn add_error_reduce<Vector: Operations>(
+    myself: &mut PolynomialRingElement<Vector>,
+    error: &PolynomialRingElement<Vector>,
+) {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    // The semicolon and parentheses at the end of loop are a workaround
+    // for the following bug https://github.com/hacspec/hax/issues/720
+    for j in 0..VECTORS_IN_RING_ELEMENT {
+        let coefficient_normal_form =
+            Vector::montgomery_multiply_by_constant(myself.coefficients[j], 1441);
+
+        myself.coefficients[j] =
+            Vector::barrett_reduce(Vector::add(coefficient_normal_form, &error.coefficients[j]));
+    }
+    ()
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+fn add_standard_error_reduce<Vector: Operations>(
+    myself: &mut PolynomialRingElement<Vector>,
+    error: &PolynomialRingElement<Vector>,
+) {
+    // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting
+    // The semicolon and parentheses at the end of loop are a workaround
+    // for the following bug https://github.com/hacspec/hax/issues/720
+    for j in 0..VECTORS_IN_RING_ELEMENT {
+        // The coefficients are of the form aR^{-1} mod q, which means
+        // calling to_montgomery_domain() on them should return a mod q.
+        let coefficient_normal_form = to_standard_domain::<Vector>(myself.coefficients[j]);
+
+        myself.coefficients[j] =
+            Vector::barrett_reduce(Vector::add(coefficient_normal_form, &error.coefficients[j]));
+    }
+    ()
+}
+
+/// Given two `KyberPolynomialRingElement`s in their NTT representations,
+/// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
+/// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
+///
+/// ```plaintext
+/// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1))
+/// ```
+///
+/// This function almost implements <strong>Algorithm 10</strong> of the
+/// NIST FIPS 203 standard, which is reproduced below:
+///
+/// ```plaintext
+/// Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
+/// Output: An array ĥ ∈ ℤq.
+///
+/// for(i ← 0; i < 128; i++)
+///     (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], ζ^(2·BitRev₇(i) + 1))
+/// end for
+/// return ĥ
+/// ```
+/// We say "almost" because the coefficients of the ring element output by
+/// this function are in the Montgomery domain.
+///
+/// The NIST FIPS 203 standard can be found at
+/// <https://csrc.nist.gov/pubs/fips/203/ipd>.
+// TODO: Remove or replace with something that works and is useful for the proof.
+// #[cfg_attr(hax, hax_lib::requires(
+//     hax_lib::forall(|i:usize|
+//         hax_lib::implies(i < COEFFICIENTS_IN_RING_ELEMENT, ||
+//             (lhs.coefficients[i] >= 0 && lhs.coefficients[i] < 4096) &&
+//             (rhs.coefficients[i].abs() <= FIELD_MODULUS)
+
+// ))))]
+// #[cfg_attr(hax, hax_lib::ensures(|result|
+//     hax_lib::forall(|i:usize|
+//         hax_lib::implies(i < result.coefficients.len(), ||
+//                 result.coefficients[i].abs() <= FIELD_MODULUS
+// ))))]
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+fn ntt_multiply<Vector: Operations>(
+    myself: &PolynomialRingElement<Vector>,
+    rhs: &PolynomialRingElement<Vector>,
+) -> PolynomialRingElement<Vector> {
+    let mut out = ZERO();
+
+    for i in 0..VECTORS_IN_RING_ELEMENT {
+        out.coefficients[i] = Vector::ntt_multiply(
+            &myself.coefficients[i],
+            &rhs.coefficients[i],
+            zeta(64 + 4 * i),
+            zeta(64 + 4 * i + 1),
+            zeta(64 + 4 * i + 2),
+            zeta(64 + 4 * i + 3),
+        );
+    }
+
+    out
+}
+
+// FIXME: We pulled out all the items because of https://github.com/hacspec/hax/issues/1183
+// Revisit when that issue is fixed.
+#[hax_lib::attributes]
 impl<Vector: Operations> PolynomialRingElement<Vector> {
     #[allow(non_snake_case)]
     pub(crate) fn ZERO() -> Self {
         Self {
-            // FIXME:  The THIR body of item DefId(0:415 ~ libcrux_ml_kem[9000]::polynomial::{impl#0}::ZERO::{constant#0}) was stolen.
             coefficients: [Vector::ZERO(); 16],
         }
     }
 
     #[inline(always)]
+    #[requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())]
     pub(crate) fn from_i16_array(a: &[i16]) -> Self {
-        let mut result = PolynomialRingElement::ZERO();
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            result.coefficients[i] = Vector::from_i16_array(&a[i * 16..(i + 1) * 16]);
-        }
-        result
+        from_i16_array(a)
     }
 
     /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
     /// sum of their constituent coefficients.
     #[inline(always)]
     pub(crate) fn add_to_ring_element<const K: usize>(&mut self, rhs: &Self) {
-        // The semicolon and parentheses at the end of loop are a workaround
-        // for the following bug https://github.com/hacspec/hax/issues/720
-        for i in 0..self.coefficients.len() {
-            self.coefficients[i] = Vector::add(self.coefficients[i], &rhs.coefficients[i]);
-        }
-        ()
+        add_to_ring_element::<Vector, K>(self, rhs);
     }
 
     #[inline(always)]
-    pub fn poly_barrett_reduce(&mut self) {
-        // The semicolon and parentheses at the end of loop are a workaround
-        // for the following bug https://github.com/hacspec/hax/issues/720
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            self.coefficients[i] = Vector::barrett_reduce(self.coefficients[i]);
-        }
-        ()
+    pub(crate) fn poly_barrett_reduce(&mut self) {
+        poly_barrett_reduce(self);
     }
 
     #[inline(always)]
-    pub(crate) fn subtract_reduce(&self, mut b: Self) -> Self {
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            let coefficient_normal_form =
-                Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441);
-            b.coefficients[i] =
-                Vector::barrett_reduce(Vector::sub(self.coefficients[i], &coefficient_normal_form));
-        }
-        b
+    pub(crate) fn subtract_reduce(&self, b: Self) -> Self {
+        subtract_reduce(self, b)
     }
 
     #[inline(always)]
-    pub(crate) fn add_message_error_reduce(&self, message: &Self, mut result: Self) -> Self {
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            let coefficient_normal_form =
-                Vector::montgomery_multiply_by_constant(result.coefficients[i], 1441);
-
-            // FIXME: Eurydice crashes with:
-            //
-            // Warning 11: in top-level declaration libcrux_ml_kem.polynomial.{libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}.add_message_error_reduce__libcrux_ml_kem_libcrux_polynomials_PortableVector: this expression is not Low*; the enclosing function cannot be translated into C*: let mutable ret(Mark.Present,(Mark.AtMost 2), ): int16_t[16size_t] = $any in
-            // libcrux_ml_kem.libcrux_polynomials.{(libcrux_ml_kem::libcrux_polynomials::libcrux_traits::Operations␣for␣libcrux_ml_kem::libcrux_polynomials::PortableVector)}.add ((@9: libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t]*)[0uint32_t]:int16_t[16size_t][16size_t])[@4] &(((@8: libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t]*)[0uint32_t]:libcrux_ml_kem_libcrux_polynomials_PortableVector[16size_t])[@4]) @0;
-            // @0
-            // Warning 11 is fatal, exiting.
-            //
-            // On the following code:
-
-            // ```rust
-            // result.coefficients[i] = Vector::barrett_reduce(Vector::add(
-            //     coefficient_normal_form,
-            //     &Vector::add(self.coefficients[i], &message.coefficients[i]),
-            // ));
-            // ```
-
-            let tmp = Vector::add(self.coefficients[i], &message.coefficients[i]);
-            let tmp = Vector::add(coefficient_normal_form, &tmp);
-            result.coefficients[i] = Vector::barrett_reduce(tmp);
-        }
-        result
+    pub(crate) fn add_message_error_reduce(&self, message: &Self, result: Self) -> Self {
+        add_message_error_reduce(self, message, result)
     }
 
     #[inline(always)]
     pub(crate) fn add_error_reduce(&mut self, error: &Self) {
-        // The semicolon and parentheses at the end of loop are a workaround
-        // for the following bug https://github.com/hacspec/hax/issues/720
-        for j in 0..VECTORS_IN_RING_ELEMENT {
-            let coefficient_normal_form =
-                Vector::montgomery_multiply_by_constant(self.coefficients[j], 1441);
-
-            self.coefficients[j] = Vector::barrett_reduce(Vector::add(
-                coefficient_normal_form,
-                &error.coefficients[j],
-            ));
-        }
-        ()
+        add_error_reduce(self, error);
     }
 
     #[inline(always)]
     pub(crate) fn add_standard_error_reduce(&mut self, error: &Self) {
-        // The semicolon and parentheses at the end of loop are a workaround
-        // for the following bug https://github.com/hacspec/hax/issues/720
-        for j in 0..VECTORS_IN_RING_ELEMENT {
-            // The coefficients are of the form aR^{-1} mod q, which means
-            // calling to_montgomery_domain() on them should return a mod q.
-            let coefficient_normal_form = to_standard_domain::<Vector>(self.coefficients[j]);
-
-            self.coefficients[j] = Vector::barrett_reduce(Vector::add(
-                coefficient_normal_form,
-                &error.coefficients[j],
-            ));
-        }
-        ()
-    }
-
-    /// Given two `KyberPolynomialRingElement`s in their NTT representations,
-    /// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
-    /// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
-    ///
-    /// ```plaintext
-    /// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1))
-    /// ```
-    ///
-    /// This function almost implements <strong>Algorithm 10</strong> of the
-    /// NIST FIPS 203 standard, which is reproduced below:
-    ///
-    /// ```plaintext
-    /// Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
-    /// Output: An array ĥ ∈ ℤq.
-    ///
-    /// for(i ← 0; i < 128; i++)
-    ///     (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], ζ^(2·BitRev₇(i) + 1))
-    /// end for
-    /// return ĥ
-    /// ```
-    /// We say "almost" because the coefficients of the ring element output by
-    /// this function are in the Montgomery domain.
-    ///
-    /// The NIST FIPS 203 standard can be found at
-    /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-    // TODO: Remove or replace with something that works and is useful for the proof.
-    // #[cfg_attr(hax, hax_lib::requires(
-    //     hax_lib::forall(|i:usize|
-    //         hax_lib::implies(i < COEFFICIENTS_IN_RING_ELEMENT, ||
-    //             (lhs.coefficients[i] >= 0 && lhs.coefficients[i] < 4096) &&
-    //             (rhs.coefficients[i].abs() <= FIELD_MODULUS)
-
-    // ))))]
-    // #[cfg_attr(hax, hax_lib::ensures(|result|
-    //     hax_lib::forall(|i:usize|
-    //         hax_lib::implies(i < result.coefficients.len(), ||
-    //                 result.coefficients[i].abs() <= FIELD_MODULUS
-    // ))))]
+        add_standard_error_reduce(self, error);
+    }
+
     #[inline(always)]
     pub(crate) fn ntt_multiply(&self, rhs: &Self) -> Self {
-        // hax_debug_debug_assert!(lhs
-        //     .coefficients
-        //     .into_iter()
-        //     .all(|coefficient| coefficient >= 0 && coefficient < 4096));
-
-        let mut out = PolynomialRingElement::ZERO();
-
-        for i in 0..VECTORS_IN_RING_ELEMENT {
-            out.coefficients[i] = Vector::ntt_multiply(
-                &self.coefficients[i],
-                &rhs.coefficients[i],
-                ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i],
-                ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 1],
-                ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 2],
-                ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 3],
-            );
-        }
-
-        out
+        ntt_multiply(self, rhs)
     }
 }
diff --git a/libcrux-ml-kem/src/sampling.rs b/libcrux-ml-kem/src/sampling.rs
index d71a0f8a1..080d8e41b 100644
--- a/libcrux-ml-kem/src/sampling.rs
+++ b/libcrux-ml-kem/src/sampling.rs
@@ -1,6 +1,6 @@
 use crate::{
-    constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, hax_utils::hax_debug_assert,
-    helper::cloop, polynomial::PolynomialRingElement, vector::Operations,
+    constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, helper::cloop,
+    polynomial::PolynomialRingElement, vector::Operations,
 };
 
 /// If `bytes` contains a set of uniformly random bytes, this function
@@ -71,14 +71,15 @@ fn sample_from_uniform_distribution_next<Vector: Operations, const K: usize, con
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
 pub(super) fn sample_from_xof<const K: usize, Vector: Operations, Hasher: Hash<K>>(
     seeds: [[u8; 34]; K],
 ) -> [PolynomialRingElement<Vector>; K] {
     let mut sampled_coefficients: [usize; K] = [0; K];
     let mut out: [[i16; 272]; K] = [[0; 272]; K];
 
-    let mut xof_state = Hasher::shake128_init_absorb(seeds);
-    let randomness = xof_state.shake128_squeeze_three_blocks();
+    let mut xof_state = Hasher::shake128_init_absorb_final(seeds);
+    let randomness = xof_state.shake128_squeeze_first_three_blocks();
 
     let mut done = sample_from_uniform_distribution_next::<Vector, K, THREE_BLOCKS>(
         randomness,
@@ -92,7 +93,7 @@ pub(super) fn sample_from_xof<const K: usize, Vector: Operations, Hasher: Hash<K
     // To avoid failing here, we squeeze more blocks out of the state until
     // we have enough.
     while !done {
-        let randomness = xof_state.shake128_squeeze_block();
+        let randomness = xof_state.shake128_squeeze_next_block();
         done = sample_from_uniform_distribution_next::<Vector, K, BLOCK_SIZE>(
             randomness,
             &mut sampled_coefficients,
@@ -151,16 +152,21 @@ pub(super) fn sample_from_xof<const K: usize, Vector: Operations, Hasher: Hash<K
 ///
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
-#[cfg_attr(hax, hax_lib::requires(randomness.len() == 2 * 64))]
+#[hax_lib::requires(randomness.len() == 2 * 64)]
 // TODO: Remove or replace with something that works and is useful for the proof.
 // #[cfg_attr(hax, hax_lib::ensures(|result|
 //     hax_lib::forall(|i:usize|
 //         hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 2
 // ))))]
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 800")]
 fn sample_from_binomial_distribution_2<Vector: Operations>(
     randomness: &[u8],
 ) -> PolynomialRingElement<Vector> {
+    hax_lib::fstar!(
+        "assert (v (sz 2 *! sz 64) == 128);
+        assert (Seq.length $randomness == 128)"
+    );
     let mut sampled_i16s = [0i16; 256];
 
     cloop! {
@@ -172,12 +178,21 @@ fn sample_from_binomial_distribution_2<Vector: Operations>(
 
             let even_bits = random_bits_as_u32 & 0x55555555;
             let odd_bits = (random_bits_as_u32 >> 1) & 0x55555555;
+            hax_lib::fstar!(r#"logand_lemma $random_bits_as_u32 1431655765ul;
+                logand_lemma ($random_bits_as_u32 >>! 1l) 1431655765ul"#);
             let coin_toss_outcomes = even_bits + odd_bits;
 
             cloop! {
                 for outcome_set in (0..u32::BITS).step_by(4) {
                     let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as i16;
                     let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as i16;
+                    hax_lib::fstar!(r#"logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 3ul;
+                        logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 2ul <: u32) <: u32) 3ul;
+                        assert (v $outcome_1 >= 0 /\ v $outcome_1 <= 3);
+                        assert (v $outcome_2 >= 0 /\ v $outcome_2 <= 3);
+                        assert (v $chunk_number <= 31);
+                        assert (v (sz 8 *! $chunk_number <: usize) <= 248);
+                        assert (v (cast ($outcome_set >>! 2l <: u32) <: usize) <= 7)"#);
 
                     let offset = (outcome_set >> 2) as usize;
                     sampled_i16s[8 * chunk_number + offset] = outcome_1 - outcome_2;
@@ -188,16 +203,21 @@ fn sample_from_binomial_distribution_2<Vector: Operations>(
     PolynomialRingElement::from_i16_array(&sampled_i16s)
 }
 
-#[cfg_attr(hax, hax_lib::requires(randomness.len() == 3 * 64))]
+#[hax_lib::requires(randomness.len() == 3 * 64)]
 // TODO: Remove or replace with something that works and is useful for the proof.
 // #[cfg_attr(hax, hax_lib::ensures(|result|
 //     hax_lib::forall(|i:usize|
 //         hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 3
 // ))))]
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 800")]
 fn sample_from_binomial_distribution_3<Vector: Operations>(
     randomness: &[u8],
 ) -> PolynomialRingElement<Vector> {
+    hax_lib::fstar!(
+        "assert (v (sz 3 *! sz 64) == 192);
+        assert (Seq.length $randomness == 192)"
+    );
     let mut sampled_i16s = [0i16; 256];
 
     cloop! {
@@ -208,6 +228,9 @@ fn sample_from_binomial_distribution_3<Vector: Operations>(
             let first_bits = random_bits_as_u24 & 0x00249249;
             let second_bits = (random_bits_as_u24 >> 1) & 0x00249249;
             let third_bits = (random_bits_as_u24 >> 2) & 0x00249249;
+            hax_lib::fstar!(r#"logand_lemma $random_bits_as_u24 2396745ul;
+                logand_lemma ($random_bits_as_u24 >>! 1l <: u32) 2396745ul;
+                logand_lemma ($random_bits_as_u24 >>! 2l <: u32) 2396745ul"#);
 
             let coin_toss_outcomes = first_bits + second_bits + third_bits;
 
@@ -215,6 +238,13 @@ fn sample_from_binomial_distribution_3<Vector: Operations>(
                 for outcome_set in (0..24).step_by(6) {
                     let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as i16;
                     let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as i16;
+                    hax_lib::fstar!(r#"logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 7ul;
+                        logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 3l <: i32) <: u32) 7ul;
+                        assert (v $outcome_1 >= 0 /\ v $outcome_1 <= 7);
+                        assert (v $outcome_2 >= 0 /\ v $outcome_2 <= 7);
+                        assert (v $chunk_number <= 63);
+                        assert (v (sz 4 *! $chunk_number <: usize) <= 252);
+                        assert (v (cast ($outcome_set /! 6l <: i32) <: usize) <= 3)"#);
 
                     let offset = (outcome_set / 6) as usize;
                     sampled_i16s[4 * chunk_number + offset] = outcome_1 - outcome_2;
@@ -226,11 +256,20 @@ fn sample_from_binomial_distribution_3<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires((ETA == 2 || ETA == 3) && randomness.len() == ETA * 64)]
+#[hax_lib::ensures(|result| fstar!(r#"(forall (i:nat). i < 8 ==> Libcrux_ml_kem.Ntt.ntt_layer_7_pre
+    (${result}.f_coefficients.[ sz i ]) (${result}.f_coefficients.[ sz i +! sz 8 ])) /\
+    Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result ==
+        Spec.MLKEM.sample_poly_cbd $ETA $randomness"#))]
 pub(super) fn sample_from_binomial_distribution<const ETA: usize, Vector: Operations>(
     randomness: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_debug_assert!(randomness.len() == ETA * 64);
-
+    hax_lib::fstar!(
+        r#"assert (
+        (v (cast $ETA <: u32) == 2) \/
+        (v (cast $ETA <: u32) == 3))"#
+    );
     match ETA as u32 {
         2 => sample_from_binomial_distribution_2(randomness),
         3 => sample_from_binomial_distribution_3(randomness),
diff --git a/libcrux-ml-kem/src/serialize.rs b/libcrux-ml-kem/src/serialize.rs
index 44736b59d..c63bf39a4 100644
--- a/libcrux-ml-kem/src/serialize.rs
+++ b/libcrux-ml-kem/src/serialize.rs
@@ -1,18 +1,65 @@
+#[cfg(hax)]
+use crate::{constants::COEFFICIENTS_IN_RING_ELEMENT, vector::FIELD_MODULUS};
 use crate::{
     constants::{BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE},
-    hax_utils::hax_debug_assert,
     helper::cloop,
     polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT},
     vector::{decompress_1, to_unsigned_representative, Operations},
 };
 
 #[inline(always)]
+#[hax_lib::fstar::before(
+    interface,
+    r#"[@@ "opaque_to_smt"]
+let coefficients_field_modulus_range (#v_Vector: Type0)
+      {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+      (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+    forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i)"#
+)]
+#[hax_lib::fstar::before(
+    interface,
+    r#"[@@ "opaque_to_smt"]
+let field_modulus_range (#v_Vector: Type0)
+        {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+        (a: v_Vector) =
+    let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in
+    forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v $FIELD_MODULUS) /\
+        v (Seq.index coef i) < v $FIELD_MODULUS"#
+)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"field_modulus_range $a"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==>
+    v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) >= 0 /\
+    v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < v $FIELD_MODULUS"#))]
+pub(super) fn to_unsigned_field_modulus<Vector: Operations>(a: Vector) -> Vector {
+    hax_lib::fstar!(r#"reveal_opaque (`%field_modulus_range) (field_modulus_range #$:Vector)"#);
+    to_unsigned_representative::<Vector>(a)
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"coefficients_field_modulus_range $re"#))]
+#[hax_lib::ensures(|result|
+    fstar!(r#"$result ==
+        Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#)
+)]
 pub(super) fn compress_then_serialize_message<Vector: Operations>(
     re: PolynomialRingElement<Vector>,
 ) -> [u8; SHARED_SECRET_SIZE] {
     let mut serialized = [0u8; SHARED_SECRET_SIZE];
     for i in 0..16 {
-        let coefficient = to_unsigned_representative::<Vector>(re.coefficients[i]);
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                "v $i < 16 ==>
+            coefficients_field_modulus_range $re"
+            )
+        });
+        hax_lib::fstar!(r#"assert (2 * v $i + 2 <= 32)"#);
+        hax_lib::fstar!(
+            "reveal_opaque (`%coefficients_field_modulus_range)
+            (coefficients_field_modulus_range #$:Vector)"
+        );
+        let coefficient = to_unsigned_field_modulus(re.coefficients[i]);
         let coefficient_compressed = Vector::compress_1(coefficient);
 
         let bytes = Vector::serialize_1(coefficient_compressed);
@@ -21,7 +68,13 @@ pub(super) fn compress_then_serialize_message<Vector: Operations>(
 
     serialized
 }
+
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|result|
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result ==
+        Spec.MLKEM.decode_then_decompress_message $serialized"#)
+)]
 pub(super) fn deserialize_then_decompress_message<Vector: Operations>(
     serialized: [u8; SHARED_SECRET_SIZE],
 ) -> PolynomialRingElement<Vector> {
@@ -34,12 +87,30 @@ pub(super) fn deserialize_then_decompress_message<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"coefficients_field_modulus_range $re"#))]
+#[hax_lib::ensures(|result|
+    fstar!(r#"$result ==
+        Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#)
+)]
 pub(super) fn serialize_uncompressed_ring_element<Vector: Operations>(
     re: &PolynomialRingElement<Vector>,
 ) -> [u8; BYTES_PER_RING_ELEMENT] {
+    hax_lib::fstar!(r#"assert_norm (pow2 12 == 4096)"#);
     let mut serialized = [0u8; BYTES_PER_RING_ELEMENT];
     for i in 0..VECTORS_IN_RING_ELEMENT {
-        let coefficient = to_unsigned_representative::<Vector>(re.coefficients[i]);
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"v $i >= 0 /\ v $i <= 16 /\
+            v $i < 16 ==> coefficients_field_modulus_range $re"#
+            )
+        });
+        hax_lib::fstar!(r#"assert (24 * v $i + 24 <= 384)"#);
+        hax_lib::fstar!(
+            "reveal_opaque (`%coefficients_field_modulus_range)
+            (coefficients_field_modulus_range #$:Vector)"
+        );
+        let coefficient = to_unsigned_field_modulus(re.coefficients[i]);
 
         let bytes = Vector::serialize_12(coefficient);
         serialized[24 * i..24 * i + 24].copy_from_slice(&bytes);
@@ -48,11 +119,18 @@ pub(super) fn serialize_uncompressed_ring_element<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(
+    serialized.len() == BYTES_PER_RING_ELEMENT
+)]
+#[hax_lib::ensures(|result|
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == 
+        Spec.MLKEM.byte_decode 12 $serialized"#)
+)]
 pub(super) fn deserialize_to_uncompressed_ring_element<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT);
-
+    hax_lib::fstar!(r#"assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -68,11 +146,14 @@ pub(super) fn deserialize_to_uncompressed_ring_element<Vector: Operations>(
 ///
 /// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`.
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(
+    serialized.len() == BYTES_PER_RING_ELEMENT
+)]
 fn deserialize_to_reduced_ring_element<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT);
-
+    hax_lib::fstar!(r#"assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -89,28 +170,35 @@ fn deserialize_to_reduced_ring_element<Vector: Operations>(
 ///
 /// This function MUST NOT be used on secret inputs.
 #[inline(always)]
-pub(super) fn deserialize_ring_elements_reduced_out<
-    const PUBLIC_KEY_SIZE: usize,
-    const K: usize,
-    Vector: Operations,
->(
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(
+    fstar!(r#"Spec.MLKEM.is_rank v_K /\ 
+            Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"#)
+)]
+#[hax_lib::ensures(|result|
+    fstar!(r#"forall (i:nat). i < v $K ==>
+        coefficients_field_modulus_range (Seq.index $result i)"#)
+)]
+pub(super) fn deserialize_ring_elements_reduced_out<const K: usize, Vector: Operations>(
     public_key: &[u8],
 ) -> [PolynomialRingElement<Vector>; K] {
     let mut deserialized_pk = core::array::from_fn(|_i| PolynomialRingElement::<Vector>::ZERO());
-    deserialize_ring_elements_reduced::<PUBLIC_KEY_SIZE, K, Vector>(
-        public_key,
-        &mut deserialized_pk,
-    );
+    deserialize_ring_elements_reduced::<K, Vector>(public_key, &mut deserialized_pk);
     deserialized_pk
 }
 
 /// See [deserialize_ring_elements_reduced_out].
 #[inline(always)]
-pub(super) fn deserialize_ring_elements_reduced<
-    const PUBLIC_KEY_SIZE: usize,
-    const K: usize,
-    Vector: Operations,
->(
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(
+    fstar!(r#"Spec.MLKEM.is_rank v_K /\ 
+            Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"#)
+)]
+#[hax_lib::ensures(|_|
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${deserialized_pk}_future == 
+        Spec.MLKEM.vector_decode_12 #$K $public_key"#)
+)]
+pub(super) fn deserialize_ring_elements_reduced<const K: usize, Vector: Operations>(
     public_key: &[u8],
     deserialized_pk: &mut [PolynomialRingElement<Vector>; K],
 ) {
@@ -126,13 +214,26 @@ pub(super) fn deserialize_ring_elements_reduced<
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"v $OUT_LEN == 320 /\ coefficients_field_modulus_range $re"#))]
 fn compress_then_serialize_10<const OUT_LEN: usize, Vector: Operations>(
     re: &PolynomialRingElement<Vector>,
 ) -> [u8; OUT_LEN] {
+    hax_lib::fstar!(r#"assert_norm (pow2 10 == 1024)"#);
     let mut serialized = [0u8; OUT_LEN];
     for i in 0..VECTORS_IN_RING_ELEMENT {
-        let coefficient =
-            Vector::compress::<10>(to_unsigned_representative::<Vector>(re.coefficients[i]));
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"v $i >= 0 /\ v $i <= 16 /\
+            v $i < 16 ==> coefficients_field_modulus_range $re"#
+            )
+        });
+        hax_lib::fstar!(r#"assert (20 * v $i + 20 <= 320)"#);
+        hax_lib::fstar!(
+            "reveal_opaque (`%coefficients_field_modulus_range)
+            (coefficients_field_modulus_range #$:Vector)"
+        );
+        let coefficient = Vector::compress::<10>(to_unsigned_field_modulus(re.coefficients[i]));
 
         let bytes = Vector::serialize_10(coefficient);
         serialized[20 * i..20 * i + 20].copy_from_slice(&bytes);
@@ -141,6 +242,7 @@ fn compress_then_serialize_10<const OUT_LEN: usize, Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
 fn compress_then_serialize_11<const OUT_LEN: usize, Vector: Operations>(
     re: &PolynomialRingElement<Vector>,
 ) -> [u8; OUT_LEN] {
@@ -156,6 +258,13 @@ fn compress_then_serialize_11<const OUT_LEN: usize, Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"(v $COMPRESSION_FACTOR == 10 \/ v $COMPRESSION_FACTOR == 11) /\
+    v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\ coefficients_field_modulus_range $re"#))]
+#[hax_lib::ensures(|result|
+    fstar!(r#"$result == Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR)
+        (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#)
+)]
 pub(super) fn compress_then_serialize_ring_element_u<
     const COMPRESSION_FACTOR: usize,
     const OUT_LEN: usize,
@@ -163,8 +272,12 @@ pub(super) fn compress_then_serialize_ring_element_u<
 >(
     re: &PolynomialRingElement<Vector>,
 ) -> [u8; OUT_LEN] {
-    hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN);
-
+    hax_lib::fstar!(
+        r#"assert (
+        (v (cast $COMPRESSION_FACTOR <: u32) == 10) \/
+        (v (cast $COMPRESSION_FACTOR <: u32) == 11));
+        Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"#
+    );
     match COMPRESSION_FACTOR as u32 {
         10 => compress_then_serialize_10(re),
         11 => compress_then_serialize_11(re),
@@ -173,15 +286,33 @@ pub(super) fn compress_then_serialize_ring_element_u<
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"Seq.length $serialized == 128 /\
+    coefficients_field_modulus_range $re"#))]
+#[hax_lib::ensures(|_|
+    fstar!(r#"${serialized_future.len()} == ${serialized.len()}"#)
+)]
 fn compress_then_serialize_4<Vector: Operations>(
     re: PolynomialRingElement<Vector>,
     serialized: &mut [u8],
 ) {
+    hax_lib::fstar!(r#"assert_norm (pow2 4 == 16)"#);
     // The semicolon and parentheses at the end of loop are a workaround
     // for the following bug https://github.com/hacspec/hax/issues/720
     for i in 0..VECTORS_IN_RING_ELEMENT {
-        let coefficient =
-            Vector::compress::<4>(to_unsigned_representative::<Vector>(re.coefficients[i]));
+        // NOTE: Using `$serialized` in loop_invariant doesn't work here
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"v $i >= 0 /\ v $i <= 16 /\
+            v $i < 16 ==> (Seq.length serialized == 128 /\ coefficients_field_modulus_range $re)"#
+            )
+        });
+        hax_lib::fstar!(r#"assert (8 * v $i + 8 <= 128)"#);
+        hax_lib::fstar!(
+            "reveal_opaque (`%coefficients_field_modulus_range)
+            (coefficients_field_modulus_range #$:Vector)"
+        );
+        let coefficient = Vector::compress::<4>(to_unsigned_field_modulus(re.coefficients[i]));
 
         let bytes = Vector::serialize_4(coefficient);
         serialized[8 * i..8 * i + 8].copy_from_slice(&bytes);
@@ -190,6 +321,13 @@ fn compress_then_serialize_4<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(
+    serialized.len() == 160
+)]
+#[hax_lib::ensures(|_|
+    fstar!(r#"${serialized_future.len()} == ${serialized.len()}"#)
+)]
 fn compress_then_serialize_5<Vector: Operations>(
     re: PolynomialRingElement<Vector>,
     serialized: &mut [u8],
@@ -207,7 +345,18 @@ fn compress_then_serialize_5<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank v_K /\ 
+    $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+    Seq.length $out == v $OUT_LEN /\ v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\
+    coefficients_field_modulus_range $re"#))]
+#[hax_lib::ensures(|_|
+    fstar!(r#"${out_future.len()} == ${out.len()} /\
+        ${out}_future == Spec.MLKEM.compress_then_encode_v #v_K
+            (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#)
+)]
 pub(super) fn compress_then_serialize_ring_element_v<
+    const K: usize,
     const COMPRESSION_FACTOR: usize,
     const OUT_LEN: usize,
     Vector: Operations,
@@ -215,8 +364,12 @@ pub(super) fn compress_then_serialize_ring_element_v<
     re: PolynomialRingElement<Vector>,
     out: &mut [u8],
 ) {
-    hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN);
-
+    hax_lib::fstar!(
+        r#"assert (
+        (v (cast $COMPRESSION_FACTOR <: u32) == 4) \/
+        (v (cast $COMPRESSION_FACTOR <: u32) == 5));
+        Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"#
+    );
     match COMPRESSION_FACTOR as u32 {
         4 => compress_then_serialize_4(re, out),
         5 => compress_then_serialize_5(re, out),
@@ -225,11 +378,13 @@ pub(super) fn compress_then_serialize_ring_element_v<
 }
 
 #[inline(always)]
+#[hax_lib::requires(
+    serialized.len() == 320
+)]
 fn deserialize_then_decompress_10<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 10) / 8);
-
+    hax_lib::fstar!(r#"assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -242,11 +397,14 @@ fn deserialize_then_decompress_10<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(
+    serialized.len() == 352
+)]
 fn deserialize_then_decompress_11<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 11) / 8);
-
+    hax_lib::fstar!(r#"assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -260,14 +418,26 @@ fn deserialize_then_decompress_11<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(
+    (COMPRESSION_FACTOR == 10 || COMPRESSION_FACTOR == 11) &&
+    serialized.len() == 32 * COMPRESSION_FACTOR
+)]
+#[hax_lib::ensures(|result|
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == 
+        Spec.MLKEM.byte_decode_then_decompress (v $COMPRESSION_FACTOR) $serialized"#)
+)]
 pub(super) fn deserialize_then_decompress_ring_element_u<
     const COMPRESSION_FACTOR: usize,
     Vector: Operations,
 >(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8);
-
+    hax_lib::fstar!(
+        r#"assert (
+        (v (cast $COMPRESSION_FACTOR <: u32) == 10) \/
+        (v (cast $COMPRESSION_FACTOR <: u32) == 11))"#
+    );
     match COMPRESSION_FACTOR as u32 {
         10 => deserialize_then_decompress_10(serialized),
         11 => deserialize_then_decompress_11(serialized),
@@ -276,11 +446,15 @@ pub(super) fn deserialize_then_decompress_ring_element_u<
 }
 
 #[inline(always)]
+#[hax_lib::requires(
+    serialized.len() == 128
+)]
 fn deserialize_then_decompress_4<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 4) / 8);
+    hax_lib::fstar!(r#"assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
+
     cloop! {
         for (i, bytes) in serialized.chunks_exact(8).enumerate() {
             let coefficient = Vector::deserialize_4(bytes);
@@ -291,11 +465,14 @@ fn deserialize_then_decompress_4<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(
+    serialized.len() == 160
+)]
 fn deserialize_then_decompress_5<Vector: Operations>(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 5) / 8);
-
+    hax_lib::fstar!(r#"assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160)"#);
     let mut re = PolynomialRingElement::<Vector>::ZERO();
 
     cloop! {
@@ -308,14 +485,27 @@ fn deserialize_then_decompress_5<Vector: Operations>(
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ 
+    $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\
+    Seq.length $serialized == 32 * v $COMPRESSION_FACTOR"#)
+)]
+#[hax_lib::ensures(|result|
+    fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == 
+        Spec.MLKEM.decode_then_decompress_v #${K} $serialized"#)
+)]
 pub(super) fn deserialize_then_decompress_ring_element_v<
+    const K: usize,
     const COMPRESSION_FACTOR: usize,
     Vector: Operations,
 >(
     serialized: &[u8],
 ) -> PolynomialRingElement<Vector> {
-    hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8);
-
+    hax_lib::fstar!(
+        r#"assert (
+        (v (cast $COMPRESSION_FACTOR <: u32) == 4) \/
+        (v (cast $COMPRESSION_FACTOR <: u32) == 5))"#
+    );
     match COMPRESSION_FACTOR as u32 {
         4 => deserialize_then_decompress_4(serialized),
         5 => deserialize_then_decompress_5(serialized),
diff --git a/libcrux-ml-kem/src/types.rs b/libcrux-ml-kem/src/types.rs
index a843f819f..f20498185 100644
--- a/libcrux-ml-kem/src/types.rs
+++ b/libcrux-ml-kem/src/types.rs
@@ -11,13 +11,17 @@ macro_rules! impl_generic_struct {
             }
         }
 
+        #[hax_lib::attributes]
         impl<const SIZE: usize> AsRef<[u8]> for $name<SIZE> {
+            #[ensures(|result| fstar!(r#"$result = self___.f_value"#))]
             fn as_ref(&self) -> &[u8] {
                 &self.value
             }
         }
 
+        #[hax_lib::attributes]
         impl<const SIZE: usize> From<[u8; SIZE]> for $name<SIZE> {
+            #[ensures(|result| fstar!(r#"${result}.f_value = $value"#))]
             fn from(value: [u8; SIZE]) -> Self {
                 Self { value }
             }
@@ -48,8 +52,10 @@ macro_rules! impl_generic_struct {
             }
         }
 
+        #[hax_lib::attributes]
         impl<const SIZE: usize> $name<SIZE> {
             /// A reference to the raw byte slice.
+            #[ensures(|result| fstar!(r#"$result == self.f_value"#))]
             pub fn as_slice(&self) -> &[u8; SIZE] {
                 &self.value
             }
@@ -146,6 +152,7 @@ pub struct MlKemKeyPair<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: us
     pub(crate) pk: MlKemPublicKey<PUBLIC_KEY_SIZE>,
 }
 
+#[hax_lib::attributes]
 impl<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>
     MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>
 {
@@ -158,6 +165,7 @@ impl<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>
     }
 
     /// Create a new [`MlKemKeyPair`] from the secret and public key.
+    #[ensures(|result| fstar!(r#"${result}.f_sk == $sk /\ ${result}.f_pk == $pk"#))]
     pub fn from(
         sk: MlKemPrivateKey<PRIVATE_KEY_SIZE>,
         pk: MlKemPublicKey<PUBLIC_KEY_SIZE>,
@@ -199,6 +207,26 @@ impl<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>
 /// Unpack an incoming private key into it's different parts.
 ///
 /// We have this here in types to extract into a common core for C.
+#[hax_lib::requires(fstar!(r#"Seq.length private_key >= 
+                            v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE + 
+                            v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE"#))]
+#[hax_lib::ensures(|result| fstar!(r#"
+           let (ind_cpa_secret_key_s,rest) = split $private_key $CPA_SECRET_KEY_SIZE in
+           let (ind_cpa_public_key_s,rest) = split rest $PUBLIC_KEY_SIZE in
+           let (ind_cpa_public_key_hash_s,implicit_rejection_value_s) = split rest Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE in
+           let (ind_cpa_secret_key,ind_cpa_public_key,ind_cpa_public_key_hash,implicit_rejection_value)
+               = result in
+           ind_cpa_secret_key_s == ind_cpa_secret_key /\
+           ind_cpa_public_key_s == ind_cpa_public_key /\
+           ind_cpa_public_key_hash_s == ind_cpa_public_key_hash /\
+           implicit_rejection_value_s == implicit_rejection_value /\
+           Seq.length ind_cpa_secret_key == v v_CPA_SECRET_KEY_SIZE /\
+           Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE /\
+           Seq.length ind_cpa_public_key_hash == v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE /\
+           Seq.length implicit_rejection_value == 
+           Seq.length private_key - 
+             (v v_CPA_SECRET_KEY_SIZE + v v_PUBLIC_KEY_SIZE + v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)
+           "#))]
 pub(crate) fn unpack_private_key<const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize>(
     private_key: &[u8], // len: SECRET_KEY_SIZE
 ) -> (&[u8], &[u8], &[u8], &[u8]) {
diff --git a/libcrux-ml-kem/src/utils.rs b/libcrux-ml-kem/src/utils.rs
index 3c3be2bcc..ece8cdabc 100644
--- a/libcrux-ml-kem/src/utils.rs
+++ b/libcrux-ml-kem/src/utils.rs
@@ -8,12 +8,58 @@
 #[cfg_attr(hax, hax_lib::requires(
     slice.len() <= LEN
 ))]
+#[cfg_attr(hax, hax_lib::ensures(|result|
+    fstar!(r#"$result == Seq.append $slice (Seq.create (v $LEN - v (${slice.len()})) 0uy)"#)))]
 pub(crate) fn into_padded_array<const LEN: usize>(slice: &[u8]) -> [u8; LEN] {
     let mut out = [0u8; LEN];
     out[0..slice.len()].copy_from_slice(slice);
+    hax_lib::fstar!(r#"assert (Seq.slice out 0 (Seq.length slice) == slice)"#);
+    hax_lib::fstar!(
+        r#"assert (Seq.slice out (Seq.length slice) (v v_LEN) == Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN))"#
+    );
+    hax_lib::fstar!(
+        "assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i)"
+    );
+    hax_lib::fstar!(
+        r#"assert (forall i. (i >= Seq.length slice && i < v v_LEN) ==> Seq.index out i == Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice))"#
+    );
+    hax_lib::fstar!(
+        "Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy))"
+    );
     out
 }
 
+#[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 200")]
+#[hax_lib::requires(fstar!(r#"range (v $domain_separator + v $K) u8_inttype"#))]
+#[hax_lib::ensures(|ds|
+    fstar!(r#"v $ds == v $domain_separator + v $K /\
+            (forall (i:nat). i < v $K ==>
+                v (Seq.index (Seq.index ${prf_inputs}_future i) 32) == v $domain_separator + i /\
+                Seq.slice (Seq.index ${prf_inputs}_future i) 0 32 == Seq.slice (Seq.index $prf_inputs i) 0 32)"#)
+)]
+pub(crate) fn prf_input_inc<const K: usize>(
+    prf_inputs: &mut [[u8; 33]; K],
+    mut domain_separator: u8,
+) -> u8 {
+    let _domain_separator_init = domain_separator;
+    let _prf_inputs_init = prf_inputs.clone();
+    for i in 0..K {
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"v $domain_separator == v $_domain_separator_init + v $i /\
+          (v $i < v $K ==> (forall (j:nat). (j >= v $i /\ j < v $K) ==>
+            prf_inputs.[ sz j ] == ${_prf_inputs_init}.[ sz j ])) /\
+          (forall (j:nat). j < v $i ==> v (Seq.index (Seq.index prf_inputs j) 32) == v $_domain_separator_init + j /\
+            Seq.slice (Seq.index prf_inputs j) 0 32 == Seq.slice (Seq.index $_prf_inputs_init j) 0 32)"#
+            )
+        });
+        prf_inputs[i][32] = domain_separator;
+        domain_separator += 1;
+    }
+    domain_separator
+}
+
 // C extraction:
 //
 // This is only enabled when extracting.
diff --git a/libcrux-ml-kem/src/variant.rs b/libcrux-ml-kem/src/variant.rs
index 46f5916e2..fade344e8 100644
--- a/libcrux-ml-kem/src/variant.rs
+++ b/libcrux-ml-kem/src/variant.rs
@@ -9,12 +9,21 @@ use crate::{constants::CPA_PKE_KEY_GENERATION_SEED_SIZE, hash_functions::Hash, M
 /// NIST PQ competition.
 ///
 /// cf. FIPS 203, Appendix C
+#[hax_lib::attributes]
 pub(crate) trait Variant {
+    #[requires(shared_secret.len() == 32)]
+    #[ensures(|res| fstar!(r#"$res == $shared_secret"#))] // We only have post-conditions for ML-KEM, not Kyber
     fn kdf<const K: usize, const CIPHERTEXT_SIZE: usize, Hasher: Hash<K>>(
         shared_secret: &[u8],
         ciphertext: &MlKemCiphertext<CIPHERTEXT_SIZE>,
     ) -> [u8; 32];
+    #[requires(randomness.len() == 32)]
+    #[ensures(|res| fstar!(r#"$res == $randomness"#))] // We only have post-conditions for ML-KEM, not Kyber
     fn entropy_preprocess<const K: usize, Hasher: Hash<K>>(randomness: &[u8]) -> [u8; 32];
+    #[requires(seed.len() == 32)]
+    #[ensures(|res| fstar!(r#"Seq.length $seed == 32 ==> $res == Spec.Utils.v_G
+        (Seq.append $seed (Seq.create 1 (cast $K <: u8)))"#)
+    )]
     fn cpa_keygen_seed<const K: usize, Hasher: Hash<K>>(seed: &[u8]) -> [u8; 64];
 }
 
@@ -60,8 +69,11 @@ impl Variant for Kyber {
 /// * the derivation of the shared secret does not include a hash of the ML-KEM ciphertext.
 pub(crate) struct MlKem {}
 
+#[hax_lib::attributes]
 impl Variant for MlKem {
     #[inline(always)]
+    #[requires(shared_secret.len() == 32)]
+    #[ensures(|res| fstar!(r#"$res == $shared_secret"#))]
     fn kdf<const K: usize, const CIPHERTEXT_SIZE: usize, Hasher: Hash<K>>(
         shared_secret: &[u8],
         _: &MlKemCiphertext<CIPHERTEXT_SIZE>,
@@ -72,6 +84,8 @@ impl Variant for MlKem {
     }
 
     #[inline(always)]
+    #[requires(randomness.len() == 32)]
+    #[ensures(|res| fstar!(r#"$res == $randomness"#))]
     fn entropy_preprocess<const K: usize, Hasher: Hash<K>>(randomness: &[u8]) -> [u8; 32] {
         let mut out = [0u8; 32];
         out.copy_from_slice(randomness);
@@ -79,10 +93,18 @@ impl Variant for MlKem {
     }
 
     #[inline(always)]
+    #[requires(key_generation_seed.len() == 32)]
+    #[ensures(|res| fstar!(r#"Seq.length $key_generation_seed == 32 ==> $res == Spec.Utils.v_G
+        (Seq.append $key_generation_seed (Seq.create 1 (cast $K <: u8)))"#)
+    )]
     fn cpa_keygen_seed<const K: usize, Hasher: Hash<K>>(key_generation_seed: &[u8]) -> [u8; 64] {
         let mut seed = [0u8; CPA_PKE_KEY_GENERATION_SEED_SIZE + 1];
         seed[0..CPA_PKE_KEY_GENERATION_SEED_SIZE].copy_from_slice(key_generation_seed);
         seed[CPA_PKE_KEY_GENERATION_SEED_SIZE] = K as u8;
+        hax_lib::fstar!(
+            "Lib.Sequence.eq_intro #u8 #33 $seed
+            (Seq.append $key_generation_seed (Seq.create 1 (cast $K <: u8)))"
+        );
         Hasher::G(&seed)
     }
 }
diff --git a/libcrux-ml-kem/src/vector.rs b/libcrux-ml-kem/src/vector.rs
index 069ab7c08..53219f3be 100644
--- a/libcrux-ml-kem/src/vector.rs
+++ b/libcrux-ml-kem/src/vector.rs
@@ -10,8 +10,6 @@
 //! FIXME: This is kyber specific for now.
 
 pub(crate) mod traits;
-use traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R;
-
 pub(crate) use traits::{
     decompress_1, montgomery_multiply_fe, to_standard_domain, to_unsigned_representative,
     Operations, FIELD_ELEMENTS_IN_VECTOR, FIELD_MODULUS,
diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs
index c1ed75d25..730fe0e6c 100644
--- a/libcrux-ml-kem/src/vector/avx2.rs
+++ b/libcrux-ml-kem/src/vector/avx2.rs
@@ -1,5 +1,4 @@
 use super::traits::Operations;
-
 pub(crate) use libcrux_intrinsics::avx2::*;
 
 mod arithmetic;
@@ -9,19 +8,25 @@ mod sampling;
 mod serialize;
 
 #[derive(Clone, Copy)]
+#[hax_lib::fstar::before(interface, "noeq")]
+#[hax_lib::fstar::after(interface,"let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements")]
 pub struct SIMD256Vector {
     elements: Vec256,
 }
 
 #[inline(always)]
-fn zero() -> SIMD256Vector {
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|result| fstar!(r#"repr ${result} == Seq.create 16 0s"#))]
+fn vec_zero() -> SIMD256Vector {
     SIMD256Vector {
         elements: mm256_setzero_si256(),
     }
 }
 
 #[inline(always)]
-fn to_i16_array(v: SIMD256Vector) -> [i16; 16] {
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|result| fstar!(r#"${result} == repr ${v}"#))]
+fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] {
     let mut output = [0i16; 16];
     mm256_storeu_si256_i16(&mut output, v.elements);
 
@@ -29,28 +34,258 @@ fn to_i16_array(v: SIMD256Vector) -> [i16; 16] {
 }
 
 #[inline(always)]
-fn from_i16_array(array: &[i16]) -> SIMD256Vector {
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|result| fstar!(r#"repr ${result} == ${array}"#))]
+fn vec_from_i16_array(array: &[i16]) -> SIMD256Vector {
     SIMD256Vector {
         elements: mm256_loadu_si256_i16(array),
     }
 }
 
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr $vector)"#))]
+fn cond_subtract_3329(vector: SIMD256Vector) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: arithmetic::cond_subtract_3329(vector.elements),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\
+    v (Seq.index (repr $vector) i) < 3329"#))]
+#[hax_lib::ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) 1"#))]
+fn compress_1(vector: SIMD256Vector) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: compress::compress_message_coefficient(vector.elements),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+    v $COEFFICIENT_BITS == 5 \/
+    v $COEFFICIENT_BITS == 10 \/
+    v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\
+    v (Seq.index (repr $vector) i) < 3329)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+    v $COEFFICIENT_BITS == 5 \/
+    v $COEFFICIENT_BITS == 10 \/
+    v $COEFFICIENT_BITS == 11) ==>
+        (forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) (v $COEFFICIENT_BITS))"#))]
+fn compress<const COEFFICIENT_BITS: i32>(vector: SIMD256Vector) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: compress::compress_ciphertext_coefficient::<COEFFICIENT_BITS>(vector.elements),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                    Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                    Spec.Utils.is_i16b_array (11207+5*3328) (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (repr $out)"#))]
+fn ntt_layer_1_step(
+    vector: SIMD256Vector,
+    zeta0: i16,
+    zeta1: i16,
+    zeta2: i16,
+    zeta3: i16,
+) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                    Spec.Utils.is_i16b_array (11207+4*3328) (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (repr $out)"#))]
+fn ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                    Spec.Utils.is_i16b_array (11207+3*3328) (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (repr $out)"#))]
+fn ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::ntt_layer_3_step(vector.elements, zeta),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                    Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3  /\
+                    Spec.Utils.is_i16b_array (4*3328) (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
+fn inv_ntt_layer_1_step(
+    vector: SIMD256Vector,
+    zeta0: i16,
+    zeta1: i16,
+    zeta2: i16,
+    zeta3: i16,
+) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                    Spec.Utils.is_i16b_array 3328 (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
+fn inv_ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                    Spec.Utils.is_i16b_array 3328 (repr ${vector})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
+fn inv_ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                    Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                    Spec.Utils.is_i16b_array 3328 (repr ${lhs}) /\
+                    Spec.Utils.is_i16b_array 3328 (repr ${rhs})"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))]
+fn ntt_multiply(
+    lhs: &SIMD256Vector,
+    rhs: &SIMD256Vector,
+    zeta0: i16,
+    zeta1: i16,
+    zeta2: i16,
+    zeta3: i16,
+) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: ntt::ntt_multiply(lhs.elements, rhs.elements, zeta0, zeta1, zeta2, zeta3),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (repr $vector) ==> Spec.MLKEM.serialize_post 1 (repr $vector) $out"#))]
+fn serialize_1(vector: SIMD256Vector) -> [u8; 2] {
+    serialize::serialize_1(vector.elements)
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(bytes.len() == 2)]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (repr $out)"#))]
+fn deserialize_1(bytes: &[u8]) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: serialize::deserialize_1(bytes),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (repr $vector) ==> Spec.MLKEM.serialize_post 4 (repr $vector) $out"#))]
+fn serialize_4(vector: SIMD256Vector) -> [u8; 8] {
+    serialize::serialize_4(vector.elements)
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(bytes.len() == 8)]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (repr $out)"#))]
+fn deserialize_4(bytes: &[u8]) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: serialize::deserialize_4(bytes),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (repr $vector) ==> Spec.MLKEM.serialize_post 10 (repr $vector) $out"#))]
+fn serialize_10(vector: SIMD256Vector) -> [u8; 20] {
+    serialize::serialize_10(vector.elements)
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(bytes.len() == 20)]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (repr $out)"#))]
+fn deserialize_10(bytes: &[u8]) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: serialize::deserialize_10(bytes),
+    }
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (repr $vector)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (repr $vector) ==> Spec.MLKEM.serialize_post 12 (repr $vector) $out"#))]
+fn serialize_12(vector: SIMD256Vector) -> [u8; 24] {
+    serialize::serialize_12(vector.elements)
+}
+
+#[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(bytes.len() == 24)]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (repr $out)"#))]
+fn deserialize_12(bytes: &[u8]) -> SIMD256Vector {
+    SIMD256Vector {
+        elements: serialize::deserialize_12(bytes),
+    }
+}
+
+impl crate::vector::traits::Repr for SIMD256Vector {
+    fn repr(x: Self) -> [i16; 16] {
+        vec_to_i16_array(x)
+    }
+}
+
+#[hax_lib::attributes]
 impl Operations for SIMD256Vector {
     #[inline(always)]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Seq.create 16 0s"#))]
     fn ZERO() -> Self {
-        zero()
+        vec_zero()
     }
 
+    #[requires(array.len() == 16)]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))]
     #[inline(always)]
     fn from_i16_array(array: &[i16]) -> Self {
-        from_i16_array(array)
+        vec_from_i16_array(array)
     }
 
+    #[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))]
     #[inline(always)]
     fn to_i16_array(x: Self) -> [i16; 16] {
-        to_i16_array(x)
+        vec_to_i16_array(x)
     }
 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+        (v (Seq.index (impl.f_repr ${result}) i) == 
+         v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"#))]
     #[inline(always)]
     fn add(lhs: Self, rhs: &Self) -> Self {
         Self {
@@ -58,6 +293,11 @@ impl Operations for SIMD256Vector {
         }
     }
 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+        (v (Seq.index (impl.f_repr ${result}) i) == 
+         v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"#))]
     #[inline(always)]
     fn sub(lhs: Self, rhs: &Self) -> Self {
         Self {
@@ -65,13 +305,19 @@ impl Operations for SIMD256Vector {
         }
     }
 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${vec}) i) * v c)"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+        (v (Seq.index (impl.f_repr ${result}) i) == 
+         v (Seq.index (impl.f_repr ${vec}) i) * v c)"#))]
     #[inline(always)]
-    fn multiply_by_constant(v: Self, c: i16) -> Self {
+    fn multiply_by_constant(vec: Self, c: i16) -> Self {
         Self {
-            elements: arithmetic::multiply_by_constant(v.elements, c),
+            elements: arithmetic::multiply_by_constant(vec.elements, c),
         }
     }
 
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> x &. $constant) (impl.f_repr $vector)"#))]
     #[inline(always)]
     fn bitwise_and_with_constant(vector: Self, constant: i16) -> Self {
         Self {
@@ -79,6 +325,8 @@ impl Operations for SIMD256Vector {
         }
     }
 
+    #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
+    #[ensures(|out| fstar!(r#"(v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $vector)"#))]
     #[inline(always)]
     fn shift_right<const SHIFT_BY: i32>(vector: Self) -> Self {
         Self {
@@ -86,13 +334,14 @@ impl Operations for SIMD256Vector {
         }
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $vector)"#))]
     #[inline(always)]
     fn cond_subtract_3329(vector: Self) -> Self {
-        Self {
-            elements: arithmetic::cond_subtract_3329(vector.elements),
-        }
+        cond_subtract_3329(vector)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (impl.f_repr ${vector})"#))]
     #[inline(always)]
     fn barrett_reduce(vector: Self) -> Self {
         Self {
@@ -100,6 +349,7 @@ impl Operations for SIMD256Vector {
         }
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 $constant"#))]
     #[inline(always)]
     fn montgomery_multiply_by_constant(vector: Self, constant: i16) -> Self {
         Self {
@@ -107,22 +357,36 @@ impl Operations for SIMD256Vector {
         }
     }
 
+    #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\
+        v (Seq.index (impl.f_repr $vector) i) < 3329"#))]
+    #[ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"#))]
     #[inline(always)]
     fn compress_1(vector: Self) -> Self {
-        Self {
-            elements: compress::compress_message_coefficient(vector.elements),
-        }
+        compress_1(vector)
     }
 
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+            v $COEFFICIENT_BITS == 5 \/
+            v $COEFFICIENT_BITS == 10 \/
+            v $COEFFICIENT_BITS == 11) /\
+        (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\
+            v (Seq.index (impl.f_repr $vector) i) < 3329)"#))]
+    #[ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+            v $COEFFICIENT_BITS == 5 \/
+            v $COEFFICIENT_BITS == 10 \/
+            v $COEFFICIENT_BITS == 11) ==>
+                (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"#))]
     #[inline(always)]
     fn compress<const COEFFICIENT_BITS: i32>(vector: Self) -> Self {
-        Self {
-            elements: compress::compress_ciphertext_coefficient::<COEFFICIENT_BITS>(
-                vector.elements,
-            ),
-        }
+        compress::<COEFFICIENT_BITS>(vector)
     }
 
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+        v $COEFFICIENT_BITS == 5 \/
+        v $COEFFICIENT_BITS == 10 \/
+        v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\
+        v (Seq.index (impl.f_repr $vector) i) < pow2 (v $COEFFICIENT_BITS))"#))]
     #[inline(always)]
     fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(vector: Self) -> Self {
         Self {
@@ -132,48 +396,61 @@ impl Operations for SIMD256Vector {
         }
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                       Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"#))]
     #[inline(always)]
     fn ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
-        Self {
-            elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
-        }
+        ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"#))]
     #[inline(always)]
     fn ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self {
-        Self {
-            elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1),
-        }
+        ntt_layer_2_step(vector, zeta0, zeta1)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                       Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"#))]
     #[inline(always)]
     fn ntt_layer_3_step(vector: Self, zeta: i16) -> Self {
-        Self {
-            elements: ntt::ntt_layer_3_step(vector.elements, zeta),
-        }
+        ntt_layer_3_step(vector, zeta)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3  /\
+                       Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
     fn inv_ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
-        Self {
-            elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3),
-        }
+        inv_ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
     fn inv_ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self {
-        Self {
-            elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1),
-        }
+        inv_ntt_layer_2_step(vector, zeta0, zeta1)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
     fn inv_ntt_layer_3_step(vector: Self, zeta: i16) -> Self {
-        Self {
-            elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta),
-        }
+        inv_ntt_layer_3_step(vector, zeta)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     #[inline(always)]
     fn ntt_multiply(
         lhs: &Self,
@@ -183,33 +460,35 @@ impl Operations for SIMD256Vector {
         zeta2: i16,
         zeta3: i16,
     ) -> Self {
-        Self {
-            elements: ntt::ntt_multiply(lhs.elements, rhs.elements, zeta0, zeta1, zeta2, zeta3),
-        }
+        ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3)
     }
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $vector) $out"#))]
     #[inline(always)]
     fn serialize_1(vector: Self) -> [u8; 2] {
-        serialize::serialize_1(vector.elements)
+        serialize_1(vector)
     }
 
+    #[requires(bytes.len() == 2)]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (impl.f_repr $out)"#))]
     #[inline(always)]
     fn deserialize_1(bytes: &[u8]) -> Self {
-        Self {
-            elements: serialize::deserialize_1(bytes),
-        }
+        deserialize_1(bytes)
     }
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $vector) $out"#))]
     #[inline(always)]
     fn serialize_4(vector: Self) -> [u8; 8] {
-        serialize::serialize_4(vector.elements)
+        serialize_4(vector)
     }
 
+    #[requires(bytes.len() == 8)]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (impl.f_repr $out)"#))]
     #[inline(always)]
     fn deserialize_4(bytes: &[u8]) -> Self {
-        Self {
-            elements: serialize::deserialize_4(bytes),
-        }
+        deserialize_4(bytes)
     }
 
     #[inline(always)]
@@ -217,23 +496,27 @@ impl Operations for SIMD256Vector {
         serialize::serialize_5(vector.elements)
     }
 
+    #[requires(bytes.len() == 10)]
     #[inline(always)]
     fn deserialize_5(bytes: &[u8]) -> Self {
+        hax_lib::fstar!(r#"assert (v (Core.Slice.impl__len $bytes) == Seq.length $bytes)"#);
         Self {
             elements: serialize::deserialize_5(bytes),
         }
     }
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $vector) $out"#))]
     #[inline(always)]
     fn serialize_10(vector: Self) -> [u8; 20] {
-        serialize::serialize_10(vector.elements)
+        serialize_10(vector)
     }
 
+    #[requires(bytes.len() == 20)]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (impl.f_repr $out)"#))]
     #[inline(always)]
     fn deserialize_10(bytes: &[u8]) -> Self {
-        Self {
-            elements: serialize::deserialize_10(bytes),
-        }
+        deserialize_10(bytes)
     }
 
     #[inline(always)]
@@ -241,6 +524,7 @@ impl Operations for SIMD256Vector {
         serialize::serialize_11(vector.elements)
     }
 
+    #[requires(bytes.len() == 22)]
     #[inline(always)]
     fn deserialize_11(bytes: &[u8]) -> Self {
         Self {
@@ -248,18 +532,24 @@ impl Operations for SIMD256Vector {
         }
     }
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $vector) $out"#))]
     #[inline(always)]
     fn serialize_12(vector: Self) -> [u8; 24] {
-        serialize::serialize_12(vector.elements)
+        serialize_12(vector)
     }
 
+    #[requires(bytes.len() == 24)]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (impl.f_repr $out)"#))]
     #[inline(always)]
     fn deserialize_12(bytes: &[u8]) -> Self {
-        Self {
-            elements: serialize::deserialize_12(bytes),
-        }
+        deserialize_12(bytes)
     }
 
+    #[requires(input.len() == 24 && output.len() == 16)]
+    #[ensures(|result|
+        fstar!(r#"Seq.length $output_future == Seq.length $output /\ v $result <= 16"#)
+    )]
     #[inline(always)]
     fn rej_sample(input: &[u8], output: &mut [i16]) -> usize {
         sampling::rejection_sample(input, output)
diff --git a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs
index a980eb75d..905c5186b 100644
--- a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs
+++ b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs
@@ -3,47 +3,142 @@ use crate::vector::{traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, FIELD_MODULUS};
 use super::*;
 
 #[inline(always)]
+#[hax_lib::fstar::before(interface, "open Libcrux_intrinsics.Avx2_extract")]
+#[hax_lib::fstar::before(
+    r#"
+let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma 
+  (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i))))
+  (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) ==
+            (v (get_lane lhs i) + v (get_lane rhs i))))
+  [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()"#
+)]
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) + v (get_lane $rhs i))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+    v (get_lane $result i) == (v (get_lane $lhs i) + v (get_lane $rhs i))"#))]
 pub(crate) fn add(lhs: Vec256, rhs: Vec256) -> Vec256 {
-    mm256_add_epi16(lhs, rhs)
+    let result = mm256_add_epi16(lhs, rhs);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i);
+                     assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i))"#
+    );
+    result
 }
 
 #[inline(always)]
+#[hax_lib::fstar::before(
+    r#"
+let lemma_sub_i (lhs rhs: t_Vec256) (i:nat):  Lemma 
+  (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))))
+  (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) ==
+            (v (get_lane lhs i) - v (get_lane rhs i))))
+  [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()"#
+)]
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) - v (get_lane $rhs i))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+    v (get_lane $result i) == (v (get_lane $lhs i) - v (get_lane $rhs i))"#))]
 pub(crate) fn sub(lhs: Vec256, rhs: Vec256) -> Vec256 {
-    mm256_sub_epi16(lhs, rhs)
+    let result = mm256_sub_epi16(lhs, rhs);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i);
+                     assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))"#
+    );
+    result
 }
 
 #[inline(always)]
+#[hax_lib::fstar::before(
+    r#"
+let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16):  Lemma 
+  (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c)))
+  (ensures (v (mul_mod (get_lane lhs i) c) ==
+            (v (get_lane lhs i) * v c)))
+  [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()"#
+)]
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $vector i) * v constant)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+    v (get_lane $result i) == (v (get_lane $vector i) * v constant)"#))]
 pub(crate) fn multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 {
-    mm256_mullo_epi16(vector, mm256_set1_epi16(constant))
+    let cv = mm256_set1_epi16(constant);
+    let result = mm256_mullo_epi16(vector, cv);
+    hax_lib::fstar!(
+        r#"Seq.lemma_eq_intro (vec256_as_i16x16 ${result})
+                        (Spec.Utils.map_array (fun x -> x *. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"#
+    );
+
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane result i == get_lane vector i *. constant);
+                     assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant);
+                     assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant)"#
+    );
+    result
 }
 
 #[inline(always)]
+#[hax_lib::ensures(|result| fstar!(r#"Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == 
+                           Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"#))]
 pub(crate) fn bitwise_and_with_constant(vector: Vec256, constant: i16) -> Vec256 {
-    mm256_and_si256(vector, mm256_set1_epi16(constant))
+    let cv = mm256_set1_epi16(constant);
+    let result = mm256_and_si256(vector, cv);
+    hax_lib::fstar!(
+        r#"Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result})
+                        (Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"#
+    );
+    result
 }
 
 #[inline(always)]
+#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
+#[hax_lib::ensures(|result| fstar!(r#"(v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> 
+                            Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == 
+                            Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"#))]
 pub(crate) fn shift_right<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
-    mm256_srai_epi16::<{ SHIFT_BY }>(vector)
+    let result = mm256_srai_epi16::<{ SHIFT_BY }>(vector);
+    hax_lib::fstar!(
+        "Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result})
+                        (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) 
+                           (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"
+    );
+    result
 }
 
-// #[inline(always)]
-// pub(crate) fn shift_left<const SHIFT_BY: i32>(vector: Vec256) -> Vec256 {
-//     mm256_slli_epi16::<{ SHIFT_BY }>(vector)
-// }
-
 #[inline(always)]
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+                get_lane $result i == 
+                (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i)"#))]
 pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 {
     let field_modulus = mm256_set1_epi16(FIELD_MODULUS);
-
+    hax_lib::fstar!(r#"assert (forall i. get_lane $field_modulus i == 3329s)"#);
     // Compute v_i - Q and crate a mask from the sign bit of each of these
     // quantities.
     let v_minus_field_modulus = mm256_sub_epi16(vector, field_modulus);
+    hax_lib::fstar!(
+        "assert (forall i. get_lane $v_minus_field_modulus i == get_lane $vector i -. 3329s)"
+    );
+
     let sign_mask = mm256_srai_epi16::<15>(v_minus_field_modulus);
+    hax_lib::fstar!(
+        "assert (forall i. get_lane $sign_mask i == (get_lane $v_minus_field_modulus i >>! 15l))"
+    );
 
     // If v_i - Q < 0 then add back Q to (v_i - Q).
     let conditional_add_field_modulus = mm256_and_si256(sign_mask, field_modulus);
-    mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus)
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $conditional_add_field_modulus i == (get_lane $sign_mask i &. 3329s))"#
+    );
+
+    let result = mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $result i == (get_lane $v_minus_field_modulus i +. get_lane $conditional_add_field_modulus i));
+                     assert (forall i. get_lane $result i == Spec.Utils.cond_sub (get_lane $vector i));
+                     assert (forall i. get_lane $result i == (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i))"#
+    );
+
+    result
 }
 
 const BARRETT_MULTIPLIER: i16 = 20159;
@@ -51,57 +146,163 @@ const BARRETT_MULTIPLIER: i16 = 20159;
 /// See Section 3.2 of the implementation notes document for an explanation
 /// of this code.
 #[inline(always)]
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector})"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\
+                (forall i. i < 16 ==> v (get_lane $result i) % 3329 == 
+                                      (v (get_lane $vector i) % 3329))"#)))]
 pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 {
-    let t = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER));
-    let t = mm256_add_epi16(t, mm256_set1_epi16(512));
-
-    let quotient = mm256_srai_epi16::<10>(t);
-
+    let t0 = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER));
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $t0 i == (cast (((cast (get_lane $vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) <: i16))"#
+    );
+    let t512 = mm256_set1_epi16(512);
+    hax_lib::fstar!(r#"assert (forall i. get_lane $t512 i == 512s)"#);
+    let t1 = mm256_add_epi16(t0, t512);
+    hax_lib::fstar!(r#"assert (forall i. get_lane $t1 i == get_lane $t0 i +. 512s)"#);
+    let quotient = mm256_srai_epi16::<10>(t1);
+    hax_lib::fstar!(
+        "assert (forall i. get_lane $quotient i == (((get_lane $t1 i) <: i16) >>! (10l <: i32)))"
+    );
     let quotient_times_field_modulus = mm256_mullo_epi16(quotient, mm256_set1_epi16(FIELD_MODULUS));
-
-    mm256_sub_epi16(vector, quotient_times_field_modulus)
+    hax_lib::fstar!(
+        "assert (forall i. get_lane $quotient_times_field_modulus i ==
+                     get_lane $quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)"
+    );
+    let result = mm256_sub_epi16(vector, quotient_times_field_modulus);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $result i ==
+                                       get_lane $vector i -.  get_lane $quotient_times_field_modulus i);
+                    assert (forall i. get_lane $result i == Spec.Utils.barrett_red (get_lane $vector i));
+                    assert (forall i. v (get_lane $result i) % 3329 == v (get_lane $vector i) % 3329);
+                    assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i));
+                    assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i));
+                    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result))"#
+    );
+    result
 }
 
 #[inline(always)]
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100 --ext context_pruning"))]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 constant"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\
+                (forall i. i < 16 ==> v (get_lane $result i) % 3329 == 
+                                      ((v (get_lane $vector i) * v constant * 169) % 3329))"#)))]
 pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 {
-    let constant = mm256_set1_epi16(constant);
-    let value_low = mm256_mullo_epi16(vector, constant);
-
+    let vec_constant = mm256_set1_epi16(constant);
+    hax_lib::fstar!(r#"assert (forall i. get_lane $vec_constant i == $constant)"#);
+    let value_low = mm256_mullo_epi16(vector, vec_constant);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $value_low i == get_lane $vector i *. $constant)"#
+    );
     let k = mm256_mullo_epi16(
         value_low,
         mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16),
     );
-    let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi16(FIELD_MODULUS));
+    hax_lib::fstar!(r#"assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"#);
+    let modulus = mm256_set1_epi16(FIELD_MODULUS);
+    hax_lib::fstar!(r#"assert (forall i. get_lane $modulus i == 3329s)"#);
+    let k_times_modulus = mm256_mulhi_epi16(k, modulus);
+    hax_lib::fstar!(
+        r#"assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == 
+                        Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+                                (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k)
+                                (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus));
+                     assert (forall i. get_lane $k_times_modulus i == 
+                        (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"#
+    );
 
-    let value_high = mm256_mulhi_epi16(vector, constant);
+    let value_high = mm256_mulhi_epi16(vector, vec_constant);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $value_high i == 
+        (cast (((cast (get_lane $vector i) <: i32) *. (cast (get_lane $vec_constant i) <: i32)) >>! 16l) <: i16))"#
+    );
 
-    mm256_sub_epi16(value_high, k_times_modulus)
+    let result = mm256_sub_epi16(value_high, k_times_modulus);
+    hax_lib::fstar!(
+        r#"Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
+                    assert (v (cast 3329s <: i32) == (3329 @% pow2 32));
+                    assert (v (cast 3329s <: i32) == 3329);
+                    assert ((cast 3329s <: i32) == 3329l);
+                    assert (forall i. get_lane $result i == (get_lane $value_high i) -. (get_lane $k_times_modulus i));
+                    assert (forall i. get_lane $result i == Spec.Utils.mont_mul_red_i16 (get_lane $vector i) $constant);
+                    assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i));
+                    assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i));
+                    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result));
+                    assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vector i) * v $constant * 169) % 3329))"#
+    );
+    result
 }
 
 #[inline(always)]
-pub(crate) fn montgomery_multiply_by_constants(v: Vec256, c: Vec256) -> Vec256 {
-    let value_low = mm256_mullo_epi16(v, c);
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $constants))"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\
+                (forall i. i < 16 ==> v (get_lane $result i) % 3329 == 
+                                      ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"#)))]
+pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) -> Vec256 {
+    let value_low = mm256_mullo_epi16(vec, constants);
+    hax_lib::fstar!(
+        "assert (forall i. get_lane $value_low i == get_lane $vec i *. get_lane $constants i)"
+    );
 
     let k = mm256_mullo_epi16(
         value_low,
         mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16),
     );
-    let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi16(FIELD_MODULUS));
+    hax_lib::fstar!(r#"assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"#);
+
+    let modulus = mm256_set1_epi16(FIELD_MODULUS);
+    hax_lib::fstar!(r#"assert (forall i. get_lane $modulus i == 3329s)"#);
+
+    let k_times_modulus = mm256_mulhi_epi16(k, modulus);
+    hax_lib::fstar!(
+        r#"assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == 
+                        Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+                                (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k)
+                                (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus));
+                    assert (forall i. get_lane $k_times_modulus i == 
+                        (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"#
+    );
 
-    let value_high = mm256_mulhi_epi16(v, c);
+    let value_high = mm256_mulhi_epi16(vec, constants);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane $value_high i == 
+            (cast (((cast (get_lane $vec i) <: i32) *. (cast (get_lane $constants i) <: i32)) >>! 16l) <: i16))"#
+    );
 
-    mm256_sub_epi16(value_high, k_times_modulus)
+    let result = mm256_sub_epi16(value_high, k_times_modulus);
+    hax_lib::fstar!(
+        r#"Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
+                    assert (v (cast 3329s <: i32) == (3329 @% pow2 32));
+                    assert (v (cast 3329s <: i32) == 3329);
+                    assert ((cast 3329s <: i32) == 3329l);
+                    assert (forall i. get_lane $result i == (get_lane $value_high i) -. (get_lane $k_times_modulus i));
+                    assert (forall i. get_lane $result i == Spec.Utils.mont_mul_red_i16 (get_lane $vec i) (get_lane $constants i));
+                    assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i));
+                    assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i));
+                    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result));
+                    assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"#
+    );
+    result
 }
 
 #[inline(always)]
-pub(crate) fn montgomery_reduce_i32s(v: Vec256) -> Vec256 {
+#[hax_lib::fstar::verification_status(panic_free)]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (3328 * pow2 16) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec))"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (3328 + 1665) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\
+                (Spec.Utils.is_i16b_array (3328 * pow2 15) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec) ==>
+                 Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)) /\
+                (forall i. i < 16 ==> v (get_lane $result i) % 3329 == 
+                                      ((v (get_lane $vec i) * 169) % 3329))"#)))]
+pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 {
     let k = mm256_mullo_epi16(
-        v,
+        vec,
         mm256_set1_epi32(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32),
     );
     let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi32(FIELD_MODULUS as i32));
 
-    let value_high = mm256_srli_epi32::<16>(v);
+    let value_high = mm256_srli_epi32::<16>(vec);
 
     let result = mm256_sub_epi16(value_high, k_times_modulus);
 
@@ -111,16 +312,57 @@ pub(crate) fn montgomery_reduce_i32s(v: Vec256) -> Vec256 {
 }
 
 #[inline(always)]
-pub(crate) fn montgomery_multiply_m128i_by_constants(v: Vec128, c: Vec128) -> Vec128 {
-    let value_low = mm_mullo_epi16(v, c);
+#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $constants))"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 ${result}) /\
+                (forall i. i < 8 ==> v (get_lane128 $result i) % 3329 == 
+                                      ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"#)))]
+pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec128) -> Vec128 {
+    let value_low = mm_mullo_epi16(vec, constants);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane128 $value_low i == get_lane128 $vec i *. get_lane128 $constants i)"#
+    );
 
     let k = mm_mullo_epi16(
         value_low,
         mm_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16),
     );
-    let k_times_modulus = mm_mulhi_epi16(k, mm_set1_epi16(FIELD_MODULUS));
+    hax_lib::fstar!(
+        "assert (forall i. get_lane128 $k i == get_lane128 $value_low i *. (neg 3327s))"
+    );
 
-    let value_high = mm_mulhi_epi16(v, c);
+    let modulus = mm_set1_epi16(FIELD_MODULUS);
+    hax_lib::fstar!(r#"assert (forall i. get_lane128 $modulus i == 3329s)"#);
+
+    let k_times_modulus = mm_mulhi_epi16(k, modulus);
+    hax_lib::fstar!(
+        r#"assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k_times_modulus == 
+                        Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+                                (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k)
+                                (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $modulus));
+                    assert (forall i. get_lane128 $k_times_modulus i == 
+                        (cast (((cast (get_lane128 $k i) <: i32) *. (cast (get_lane128 $modulus i) <: i32)) >>! 16l) <: i16))"#
+    );
+
+    let value_high = mm_mulhi_epi16(vec, constants);
+    hax_lib::fstar!(
+        r#"assert (forall i. get_lane128 $value_high i == 
+                        (cast (((cast (get_lane128 $vec i) <: i32) *. (cast (get_lane128 $constants i) <: i32)) >>! 16l) <: i16))"#
+    );
+
+    let result = mm_sub_epi16(value_high, k_times_modulus);
+    hax_lib::fstar!(
+        r#"Spec.Utils.lemma_range_at_percent 3329 (pow2 32);
+                    assert (v (cast 3329s <: i32) == (3329 @% pow2 32));
+                    assert (v (cast 3329s <: i32) == 3329);
+                    assert ((cast 3329s <: i32) == 3329l);
+                    assert (forall i. get_lane128 $result i == (get_lane128 $value_high i) -. (get_lane128 $k_times_modulus i));
+                    assert (forall i. get_lane128 $result i == Spec.Utils.mont_mul_red_i16 (get_lane128 $vec i) (get_lane128 $constants i));
+                    assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 $result i));
+                    assert (forall (i:nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 $result i));
+                    assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $result));
+                    assert (forall i. v (get_lane128 $result i) % 3329 == ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"#
+    );
 
-    mm_sub_epi16(value_high, k_times_modulus)
+    result
 }
diff --git a/libcrux-ml-kem/src/vector/avx2/compress.rs b/libcrux-ml-kem/src/vector/avx2/compress.rs
index fc5464957..1761915b7 100644
--- a/libcrux-ml-kem/src/vector/avx2/compress.rs
+++ b/libcrux-ml-kem/src/vector/avx2/compress.rs
@@ -38,6 +38,8 @@ pub(crate) fn compress_message_coefficient(vector: Vec256) -> Vec256 {
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\ v $COEFFICIENT_BITS < bits i32_inttype /\
+    range (v (1l <<! $COEFFICIENT_BITS) - 1) i32_inttype"#))]
 pub(crate) fn compress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
     vector: Vec256,
 ) -> Vec256 {
@@ -103,6 +105,7 @@ pub(crate) fn compress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\ v $COEFFICIENT_BITS < bits i32_inttype"#))]
 pub(crate) fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
     vector: Vec256,
 ) -> Vec256 {
diff --git a/libcrux-ml-kem/src/vector/avx2/ntt.rs b/libcrux-ml-kem/src/vector/avx2/ntt.rs
index b571b0ee7..518548b6b 100644
--- a/libcrux-ml-kem/src/vector/avx2/ntt.rs
+++ b/libcrux-ml-kem/src/vector/avx2/ntt.rs
@@ -1,6 +1,7 @@
 use super::*;
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3"#))]
 pub(crate) fn ntt_layer_1_step(
     vector: Vec256,
     zeta0: i16,
@@ -22,6 +23,7 @@ pub(crate) fn ntt_layer_1_step(
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1"#))]
 pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 {
     let zetas = mm256_set_epi16(
         -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0,
@@ -37,6 +39,7 @@ pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta"#))]
 pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
     let rhs = mm256_extracti128_si256::<1>(vector);
     let rhs = arithmetic::montgomery_multiply_m128i_by_constants(rhs, mm_set1_epi16(zeta));
@@ -53,6 +56,8 @@ pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3"#))]
 pub(crate) fn inv_ntt_layer_1_step(
     vector: Vec256,
     zeta0: i16,
@@ -82,6 +87,7 @@ pub(crate) fn inv_ntt_layer_1_step(
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1"#))]
 pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 {
     let lhs = mm256_permute4x64_epi64::<0b11_11_01_01>(vector);
 
@@ -103,6 +109,7 @@ pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Ve
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta"#))]
 pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
     let lhs = mm256_extracti128_si256::<1>(vector);
     let rhs = mm256_castsi256_si128(vector);
@@ -120,6 +127,8 @@ pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3"#))]
 pub(crate) fn ntt_multiply(
     lhs: Vec256,
     rhs: Vec256,
diff --git a/libcrux-ml-kem/src/vector/avx2/sampling.rs b/libcrux-ml-kem/src/vector/avx2/sampling.rs
index 9ce5c20f8..f8320e1d0 100644
--- a/libcrux-ml-kem/src/vector/avx2/sampling.rs
+++ b/libcrux-ml-kem/src/vector/avx2/sampling.rs
@@ -5,6 +5,11 @@ use super::{
 };
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(input.len() == 24 && output.len() == 16)]
+#[hax_lib::ensures(|res|
+        fstar!(r#"Seq.length $output_future == Seq.length $output /\ v $res <= 16"#)
+    )]
 pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize {
     let field_modulus = mm256_set1_epi16(FIELD_MODULUS);
 
@@ -26,6 +31,16 @@ pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize {
     // each lane in the register to tell us what coefficients to keep and what
     // to throw-away. Combine all the bits (there are 16) into two bytes.
     let good = serialize_1(compare_with_field_modulus);
+    hax_lib::fstar!(
+        r#"assert (v (cast (${good}.[ sz 0 ] <: u8) <: usize) < 256);
+        assert (v (cast (${good}.[ sz 1 ] <: u8) <: usize) < 256);
+        // We need to provide a definition or post-condition for Core.Num.impl__u8__count_ones
+        assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) <= 8);
+        assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 1 ]) <: usize) <= 8);
+        assume (Core.Ops.Index.f_index_pre output ({
+                    Core.Ops.Range.f_start = cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize;
+                    Core.Ops.Range.f_end = (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) +! sz 8 }))"#
+    );
 
     // Each bit (and its corresponding position) represents an element we
     // want to sample. We'd like all such elements to be next to each other starting
diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs
index 5b2a4fae5..d4451fdad 100644
--- a/libcrux-ml-kem/src/vector/avx2/serialize.rs
+++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs
@@ -2,6 +2,9 @@ use super::*;
 use crate::vector::portable::PortableVector;
 
 #[inline(always)]
+#[hax_lib::fstar::options("--ext context_pruning --compat_pre_core 0")]
+#[hax_lib::requires(fstar!(r#"forall i. i % 16 >= 1 ==> vector i == 0"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. bit_vec_of_int_t_array $result 8 i == $vector (i * 16)"#))]
 pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] {
     // Suppose |vector| is laid out as follows (superscript number indicates the
     // corresponding bit is duplicated that many times):
@@ -43,79 +46,140 @@ pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] {
     // 0xFF 0x00 0x00 0x00 | 0xFF 0x00 0x00 0x00 | 0x00 0x00 0x00 0x00 | 0x00 0x00 0x00 0xFF
     let msbs = mm_packs_epi16(low_msbs, high_msbs);
 
+    hax_lib::fstar!(
+        r#"
+let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in
+  assert (forall (i: nat{i < 16}). bits_packed' i = $vector ((i / 1) * 16 + i % 1))
+      by (
+         Tactics.Utils.prove_forall_nat_pointwise (fun _ -> 
+           Tactics.compute ();
+           Tactics.smt_sync ()
+         )
+      )
+"#
+    );
+
     // Now that every element is either 0xFF or 0x00, we just extract the most
     // significant bit from each element and collate them into two bytes.
     let bits_packed = mm_movemask_epi8(msbs);
 
-    let mut serialized = [0u8; 2];
-    serialized[0] = bits_packed as u8;
-    serialized[1] = (bits_packed >> 8) as u8;
+    let result = [bits_packed as u8, (bits_packed >> 8) as u8];
 
-    serialized
+    hax_lib::fstar!(
+        r#"
+assert (forall (i: nat {i < 8}). get_bit ($bits_packed >>! 8l <: i32) (sz i) == get_bit $bits_packed (sz (i + 8)))
+"#
+    );
+
+    result
 }
 
 #[inline(always)]
+#[hax_lib::requires(bytes.len() == 2)]
+#[hax_lib::ensures(|coefficients| fstar!(
+        r#"forall (i:nat{i < 256}).
+      $coefficients i
+    = ( if i % 16 >= 1 then 0
+        else let j = (i / 16) * 1 + i % 16 in
+             bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 2)) 8 j))
+"#
+))]
+#[hax_lib::fstar::before("#restart-solver")]
 pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 {
-    // We need to take each bit from the 2 bytes of input and put them
-    // into their own 16-bit lane. Ideally, we'd load the two bytes into the vector,
-    // duplicate them, and right-shift the 0th element by 0 bits,
-    // the first element by 1 bit, the second by 2 bits and so on before AND-ing
-    // with 0x1 to leave only the least signifinicant bit.
-    // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a
-    // workaround.
-    //
-    // Rather than shifting each element by a different amount, we'll multiply
-    // each element by a value such that the bit we're interested in becomes the most
-    // significant bit.
-
-    // The coefficients are loaded as follows:
-    let coefficients = mm256_set_epi16(
-        bytes[1] as i16,
-        bytes[1] as i16,
-        bytes[1] as i16,
-        bytes[1] as i16,
-        bytes[1] as i16,
-        bytes[1] as i16,
-        bytes[1] as i16,
-        bytes[1] as i16,
-        bytes[0] as i16,
-        bytes[0] as i16,
-        bytes[0] as i16,
-        bytes[0] as i16,
-        bytes[0] as i16,
-        bytes[0] as i16,
-        bytes[0] as i16,
-        bytes[0] as i16,
-    );
-
-    // And this vector, when multiplied with the previous one, ensures that the
-    // bit we'd like to keep in each lane becomes the most significant bit upon
-    // multiplication.
-    let shift_lsb_to_msb = mm256_set_epi16(
-        1 << 8,
-        1 << 9,
-        1 << 10,
-        1 << 11,
-        1 << 12,
-        1 << 13,
-        1 << 14,
-        -32768,
-        1 << 8,
-        1 << 9,
-        1 << 10,
-        1 << 11,
-        1 << 12,
-        1 << 13,
-        1 << 14,
-        -32768,
-    );
-    let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsb_to_msb);
+    #[hax_lib::ensures(|coefficients| fstar!(
+        r#"forall (i:nat{i < 256}).
+      $coefficients i
+    = ( if i % 16 >= 1 then 0
+        else let j = (i / 16) * 1 + i % 16 in
+             if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8)))
+"#
+    ))]
+    #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)]
+    #[inline(always)]
+    pub(crate) fn deserialize_1_u8s(a: u8, b: u8) -> Vec256 {
+        deserialize_1_i16s(a as i16, b as i16)
+    }
+
+    #[hax_lib::ensures(|coefficients| fstar!(
+        r#"forall (i:nat{i < 256}).
+      $coefficients i
+    = ( if i % 16 >= 1 then 0
+        else let j = (i / 16) * 1 + i % 16 in
+             if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8)))
+"#
+    ))]
+    #[inline(always)]
+    #[hax_lib::fstar::options("--ext context_pruning")]
+    #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)]
+    pub(crate) fn deserialize_1_i16s(a: i16, b: i16) -> Vec256 {
+        // We need to take each bit from the 2 bytes of input and put them
+        // into their own 16-bit lane. Ideally, we'd load the two bytes into the vector,
+        // duplicate them, and right-shift the 0th element by 0 bits,
+        // the first element by 1 bit, the second by 2 bits and so on before AND-ing
+        // with 0x1 to leave only the least signifinicant bit.
+        // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a
+        // workaround.
+        //
+        // Rather than shifting each element by a different amount, we'll multiply
+        // each element by a value such that the bit we're interested in becomes the most
+        // significant bit.
+        // The coefficients are loaded as follows:
+        let coefficients = mm256_set_epi16(b, b, b, b, b, b, b, b, a, a, a, a, a, a, a, a);
+
+        // And this vector, when multiplied with the previous one, ensures that the
+        // bit we'd like to keep in each lane becomes the most significant bit upon
+        // multiplication.
+        let coefficients_in_msb = mm256_mullo_epi16(
+            coefficients,
+            mm256_set_epi16(
+                1 << 8,
+                1 << 9,
+                1 << 10,
+                1 << 11,
+                1 << 12,
+                1 << 13,
+                1 << 14,
+                -32768,
+                1 << 8,
+                1 << 9,
+                1 << 10,
+                1 << 11,
+                1 << 12,
+                1 << 13,
+                1 << 14,
+                -32768,
+            ),
+        );
+
+        // Now that they're all in the most significant bit position, shift them
+        // down to the least significant bit.
+        mm256_srli_epi16::<15>(coefficients_in_msb)
+    }
+
+    deserialize_1_u8s(bytes[0], bytes[1])
+}
 
-    // Now that they're all in the most significant bit position, shift them
-    // down to the least significant bit.
-    mm256_srli_epi16::<15>(coefficients_in_msb)
+/// `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets
+/// of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of
+/// 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last
+/// `n` bits are non-zero).
+#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_concat_pairs_n}")]
+#[inline(always)]
+fn mm256_concat_pairs_n(n: u8, x: Vec256) -> Vec256 {
+    let n = 1 << n;
+    mm256_madd_epi16(
+        x,
+        mm256_set_epi16(n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1),
+    )
 }
 
+#[hax_lib::fstar::options("--ext context_pruning --split_queries always")]
+#[hax_lib::requires(
+    fstar!(
+        r#"forall (i: nat{i < 256}). i % 16 < 4 || $vector i = 0"#
+    )
+)]
+#[hax_lib::ensures(|r| fstar!(r#"forall (i: nat{i < 64}). bit_vec_of_int_t_array $r 8 i == $vector ((i/4) * 16 + i%4)"#))]
 #[inline(always)]
 pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] {
     let mut serialized = [0u8; 16];
@@ -128,27 +192,7 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] {
     // as follows:
     //
     // 0x00_00_00_BA 0x00_00_00_DC | 0x00_00_00_FE 0x00_00_00_HG | ...
-    let adjacent_2_combined = mm256_madd_epi16(
-        vector,
-        mm256_set_epi16(
-            1 << 4,
-            1,
-            1 << 4,
-            1,
-            1 << 4,
-            1,
-            1 << 4,
-            1,
-            1 << 4,
-            1,
-            1 << 4,
-            1,
-            1 << 4,
-            1,
-            1 << 4,
-            1,
-        ),
-    );
+    let adjacent_2_combined = mm256_concat_pairs_n(4, vector);
 
     // Recall that |adjacent_2_combined| goes as follows:
     //
@@ -176,71 +220,131 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] {
     // ... so that we can read them out in one go.
     mm_storeu_bytes_si128(&mut serialized, combined);
 
+    hax_lib::fstar!(
+        r#"
+assert (forall (i: nat{i < 64}). $combined i == bit_vec_of_int_t_array serialized 8 i);
+  introduce forall (i: nat {i < 64}). $combined i = vector ((i / 4) * 16 + i % 4)
+  with assert_norm (BitVec.Utils.forall64 (fun i -> $combined i = $vector ((i / 4) * 16 + i % 4)));
+  assert (forall (i: nat{i < 64}). bit_vec_of_int_t_array serialized 8 i == $vector ((i / 4) * 16 + i % 4))
+"#
+    );
+
     serialized[0..8].try_into().unwrap()
 }
 
 #[inline(always)]
+#[hax_lib::requires(bytes.len() == 8)]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}).
+  $result i = (if i % 16 >= 4 then 0
+               else let j = (i / 16) * 4 + i % 16 in
+                     bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 8)) 8 j)"#))]
+#[hax_lib::fstar::before("#restart-solver")]
 pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 {
-    // Every 4 bits from each byte of input should be put into its own 16-bit lane.
-    // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround.
-    //
-    // Rather than shifting each element by a different amount, we'll multiply
-    // each element by a value such that the bits we're interested in become the most
-    // significant bits (of an 8-bit value).
-    let coefficients = mm256_set_epi16(
-        // In this lane, the 4 bits we need to put are already the most
-        // significant bits of |bytes[7]|.
-        bytes[7] as i16,
-        // In this lane, the 4 bits we need to put are the least significant bits,
-        // so we need to shift the 4 least-significant bits of |bytes[7]| to the
-        // most significant bits (of an 8-bit value).
-        bytes[7] as i16,
-        // and so on ...
-        bytes[6] as i16,
-        bytes[6] as i16,
-        bytes[5] as i16,
-        bytes[5] as i16,
-        bytes[4] as i16,
-        bytes[4] as i16,
-        bytes[3] as i16,
-        bytes[3] as i16,
-        bytes[2] as i16,
-        bytes[2] as i16,
-        bytes[1] as i16,
-        bytes[1] as i16,
-        bytes[0] as i16,
-        bytes[0] as i16,
-    );
-
-    let shift_lsbs_to_msbs = mm256_set_epi16(
-        // These constants are chosen to shift the bits of the values
-        // that we loaded into |coefficients|.
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-    );
-
-    let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs);
-
-    // Once the 4-bit coefficients are in the most significant positions (of
-    // an 8-bit value), shift them all down by 4.
-    let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb);
-
-    // Zero the remaining bits.
-    mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1))
+    #[hax_lib::ensures(|coefficients| fstar!(
+        r#"forall (i:nat{i < 256}).
+      $coefficients i
+    = ( if i % 16 < 4
+        then let j = (i / 16) * 4 + i % 16 in
+             (match i / 32 with
+             | 0 -> get_bit $b0 (sz j)
+             | 1 -> get_bit $b1 (sz (j - 8))
+             | 2 -> get_bit $b2 (sz (j - 16))
+             | 3 -> get_bit $b3 (sz (j - 24))
+             | 4 -> get_bit $b4 (sz (j - 32))
+             | 5 -> get_bit $b5 (sz (j - 40))
+             | 6 -> get_bit $b6 (sz (j - 48))
+             | 7 -> get_bit $b7 (sz (j - 56)))
+        else 0)
+"#
+    ))]
+    #[inline(always)]
+    #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)]
+    fn deserialize_4_u8s(b0: u8, b1: u8, b2: u8, b3: u8, b4: u8, b5: u8, b6: u8, b7: u8) -> Vec256 {
+        deserialize_4_i16s(
+            b0 as i16, b1 as i16, b2 as i16, b3 as i16, b4 as i16, b5 as i16, b6 as i16, b7 as i16,
+        )
+    }
+
+    #[hax_lib::ensures(|coefficients| fstar!(
+        r#"forall (i:nat{i < 256}).
+      $coefficients i
+    = ( if i % 16 < 4
+        then let j = (i / 16) * 4 + i % 16 in
+             (match i / 32 with
+             | 0 -> get_bit $b0 (sz j)
+             | 1 -> get_bit $b1 (sz (j - 8))
+             | 2 -> get_bit $b2 (sz (j - 16))
+             | 3 -> get_bit $b3 (sz (j - 24))
+             | 4 -> get_bit $b4 (sz (j - 32))
+             | 5 -> get_bit $b5 (sz (j - 40))
+             | 6 -> get_bit $b6 (sz (j - 48))
+             | 7 -> get_bit $b7 (sz (j - 56)))
+        else 0)
+"#
+    ))]
+    #[inline(always)]
+    #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)]
+    fn deserialize_4_i16s(
+        b0: i16,
+        b1: i16,
+        b2: i16,
+        b3: i16,
+        b4: i16,
+        b5: i16,
+        b6: i16,
+        b7: i16,
+    ) -> Vec256 {
+        // Every 4 bits from each byte of input should be put into its own 16-bit lane.
+        // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround.
+        //
+        // Rather than shifting each element by a different amount, we'll multiply
+        // each element by a value such that the bits we're interested in become the most
+        // significant bits (of an 8-bit value).
+        let coefficients = mm256_set_epi16(
+            // In this lane, the 4 bits we need to put are already the most
+            // significant bits of |bytes[7]| (that is, b7).
+            b7,
+            // In this lane, the 4 bits we need to put are the least significant bits,
+            // so we need to shift the 4 least-significant bits of |b7| to the
+            // most significant bits (of an 8-bit value).
+            b7, // and so on ...
+            b6, b6, b5, b5, b4, b4, b3, b3, b2, b2, b1, b1, b0, b0,
+        );
+        let coefficients_in_msb = mm256_mullo_epi16(
+            coefficients,
+            mm256_set_epi16(
+                // These constants are chosen to shift the bits of the values
+                // that we loaded into |coefficients|.
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+            ),
+        );
+
+        // Once the 4-bit coefficients are in the most significant positions (of
+        // an 8-bit value), shift them all down by 4.
+        let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb);
+
+        // Zero the remaining bits.
+        mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1))
+    }
+
+    deserialize_4_u8s(
+        bytes[0], bytes[1], bytes[2], bytes[3], bytes[4], bytes[5], bytes[6], bytes[7],
+    )
 }
 
 #[inline(always)]
@@ -340,15 +444,31 @@ pub(crate) fn serialize_5(vector: Vec256) -> [u8; 10] {
     serialized[0..10].try_into().unwrap()
 }
 
+/// We cannot model `mm256_inserti128_si256` on its own: it produces a
+/// Vec256 where the upper 128 bits are undefined. Thus
+/// `mm256_inserti128_si256` is not pure.
+///
+/// Luckily, we always call `mm256_castsi128_si256` right after
+/// `mm256_inserti128_si256`: this composition sets the upper bits,
+/// making the whole computation pure again.
+#[inline(always)]
+#[hax_lib::fstar::replace(
+    interface,
+    "include BitVec.Intrinsics {mm256_si256_from_two_si128 as ${mm256_si256_from_two_si128}}"
+)]
+fn mm256_si256_from_two_si128(lower: Vec128, upper: Vec128) -> Vec256 {
+    mm256_inserti128_si256::<1>(mm256_castsi128_si256(lower), upper)
+}
+
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Seq.length bytes == 10"#))]
 pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 {
     let coefficients = mm_set_epi8(
         bytes[9], bytes[8], bytes[8], bytes[7], bytes[7], bytes[6], bytes[6], bytes[5], bytes[4],
         bytes[3], bytes[3], bytes[2], bytes[2], bytes[1], bytes[1], bytes[0],
     );
 
-    let coefficients_loaded = mm256_castsi128_si256(coefficients);
-    let coefficients_loaded = mm256_inserti128_si256::<1>(coefficients_loaded, coefficients);
+    let coefficients_loaded = mm256_si256_from_two_si128(coefficients, coefficients);
 
     let coefficients = mm256_shuffle_epi8(
         coefficients_loaded,
@@ -383,137 +503,172 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 {
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--ext context_pruning --split_queries always")]
+#[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"#))]
+#[hax_lib::ensures(|r| fstar!(r#"forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"#))]
 pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] {
-    let mut serialized = [0u8; 32];
-
-    // If |vector| is laid out as follows (superscript number indicates the
-    // corresponding bit is duplicated that many times):
-    //
-    // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩
-    // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩
-    // ...
-    //
-    // |adjacent_2_combined| will be laid out as a series of 32-bit integers,
-    // as follows:
-    //
-    // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩
-    // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩
-    // ....
-    let adjacent_2_combined = mm256_madd_epi16(
-        vector,
-        mm256_set_epi16(
-            1 << 10,
-            1,
-            1 << 10,
-            1,
-            1 << 10,
-            1,
-            1 << 10,
-            1,
-            1 << 10,
-            1,
-            1 << 10,
-            1,
-            1 << 10,
-            1,
-            1 << 10,
-            1,
-        ),
-    );
+    #[hax_lib::fstar::options("--ext context_pruning --split_queries always")]
+    #[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"#))]
+    #[hax_lib::ensures(|(lower_8, upper_8)| fstar!(
+        r#"
+         forall (i: nat{i < 160}).
+           vector ((i/10) * 16 + i%10) == (if i < 80 then $lower_8 i else $upper_8 (i - 80))
+      )
+    "#
+    ))]
+    fn serialize_10_vec(vector: Vec256) -> (Vec128, Vec128) {
+        // If |vector| is laid out as follows (superscript number indicates the
+        // corresponding bit is duplicated that many times):
+        //
+        // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩
+        // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩
+        // ...
+        //
+        // |adjacent_2_combined| will be laid out as a series of 32-bit integers,
+        // as follows:
+        //
+        // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩
+        // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩
+        // ....
+        let adjacent_2_combined = mm256_concat_pairs_n(10, vector);
+
+        // Shifting up the values at the even indices by 12, we get:
+        //
+        // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩
+        // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩
+        // ...
+        let adjacent_4_combined = mm256_sllv_epi32(
+            adjacent_2_combined,
+            mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12),
+        );
+
+        // Viewing this as a set of 64-bit integers we get:
+        //
+        // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹²  | ↩
+        // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹²  | ↩
+        // ...
+        //
+        // Shifting down by 12 gives us:
+        //
+        // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩
+        // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩
+        // ...
+        let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined);
+
+        // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped
+        // into bytes, looks like:
+        //
+        // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩
+        // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩
+        //
+        // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after
+        // bytes 0, 1, 2, 3 to allow for sequential reading.
+        let adjacent_8_combined = mm256_shuffle_epi8(
+            adjacent_4_combined,
+            mm256_set_epi8(
+                -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1,
+                12, 11, 10, 9, 8, 4, 3, 2, 1, 0,
+            ),
+        );
+        // We now have 64 bits starting at position 0 in the lower 128-bit lane, ...
+        let lower_8 = mm256_castsi256_si128(adjacent_8_combined);
+        // and 64 bits starting at position 0 in the upper 128-bit lane.
+        let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined);
+        hax_lib::fstar!(
+            r#"
+    introduce forall (i:nat{i < 80}). lower_8_ i = vector ((i / 10) * 16 + i % 10)
+    with assert_norm (BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10)));
+    introduce forall (i:nat{i < 80}). upper_8_ i = vector (128 + (i / 10) * 16 + i % 10)
+    with assert_norm (BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10)))
+    "#
+        );
+        (lower_8, upper_8)
+    }
+
+    let (lower_8, upper_8) = serialize_10_vec(vector);
 
-    // Shifting up the values at the even indices by 12, we get:
-    //
-    // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩
-    // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩
-    // ...
-    let adjacent_4_combined = mm256_sllv_epi32(
-        adjacent_2_combined,
-        mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12),
-    );
-
-    // Viewing this as a set of 64-bit integers we get:
-    //
-    // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹²  | ↩
-    // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹²  | ↩
-    // ...
-    //
-    // Shifting down by 12 gives us:
-    //
-    // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩
-    // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩
-    // ...
-    let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined);
-
-    // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped
-    // into bytes, looks like:
-    //
-    // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩
-    // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩
-    //
-    // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after
-    // bytes 0, 1, 2, 3 to allow for sequential reading.
-    let adjacent_8_combined = mm256_shuffle_epi8(
-        adjacent_4_combined,
-        mm256_set_epi8(
-            -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, 12,
-            11, 10, 9, 8, 4, 3, 2, 1, 0,
-        ),
-    );
-
-    // We now have 64 bits starting at position 0 in the lower 128-bit lane, ...
-    let lower_8 = mm256_castsi256_si128(adjacent_8_combined);
+    let mut serialized = [0u8; 32];
     mm_storeu_bytes_si128(&mut serialized[0..16], lower_8);
-
-    // and 64 bits starting at position 0 in the upper 128-bit lane.
-    let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined);
     mm_storeu_bytes_si128(&mut serialized[10..26], upper_8);
 
     serialized[0..20].try_into().unwrap()
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Seq.length bytes == 20"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}).
+  $result i = (if i % 16 >= 10 then 0
+               else let j = (i / 16) * 10 + i % 16 in
+                     bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 20)) 8 j)"#))]
 pub(crate) fn deserialize_10(bytes: &[u8]) -> Vec256 {
-    let shift_lsbs_to_msbs = mm256_set_epi16(
-        1 << 0,
-        1 << 2,
-        1 << 4,
-        1 << 6,
-        1 << 0,
-        1 << 2,
-        1 << 4,
-        1 << 6,
-        1 << 0,
-        1 << 2,
-        1 << 4,
-        1 << 6,
-        1 << 0,
-        1 << 2,
-        1 << 4,
-        1 << 6,
-    );
-
-    let lower_coefficients = mm_loadu_si128(&bytes[0..16]);
-    let lower_coefficients = mm_shuffle_epi8(
-        lower_coefficients,
-        mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0),
-    );
-    let upper_coefficients = mm_loadu_si128(&bytes[4..20]);
-    let upper_coefficients = mm_shuffle_epi8(
-        upper_coefficients,
-        mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6),
-    );
-
-    let coefficients = mm256_castsi128_si256(lower_coefficients);
-    let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients);
-
-    let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs);
-    let coefficients = mm256_srli_epi16::<6>(coefficients);
-    let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1));
-
-    coefficients
+    #[inline(always)]
+    #[hax_lib::ensures(|coefficients| fstar!(r#"
+forall (i: nat {i < 256}).
+      $coefficients i
+    = ( if i % 16 >= 10 then 0
+        else let j = (i / 16) * 10 + i % 16 in
+             if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32)))
+"#))]
+    #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)]
+    fn deserialize_10_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 {
+        let lower_coefficients = mm_shuffle_epi8(
+            lower_coefficients0,
+            mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0),
+        );
+        let upper_coefficients = mm_shuffle_epi8(
+            upper_coefficients0,
+            mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6),
+        );
+
+        let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients);
+
+        let coefficients = mm256_mullo_epi16(
+            coefficients,
+            mm256_set_epi16(
+                1 << 0,
+                1 << 2,
+                1 << 4,
+                1 << 6,
+                1 << 0,
+                1 << 2,
+                1 << 4,
+                1 << 6,
+                1 << 0,
+                1 << 2,
+                1 << 4,
+                1 << 6,
+                1 << 0,
+                1 << 2,
+                1 << 4,
+                1 << 6,
+            ),
+        );
+        let coefficients = mm256_srli_epi16::<6>(coefficients);
+        // Here I can prove this `and` is not useful
+        let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1));
+        hax_lib::fstar!(
+            r#"
+assert_norm(BitVec.Utils.forall256 (fun i -> 
+      $coefficients i
+    = ( if i % 16 < 10
+        then let j = (i / 16) * 10 + i % 16 in
+             if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32)
+        else 0)))
+"#
+        );
+        coefficients
+    }
+
+    let lower_coefficients = &bytes[0..16];
+    let upper_coefficients = &bytes[4..20];
+    deserialize_10_vec(
+        mm_loadu_si128(lower_coefficients),
+        mm_loadu_si128(upper_coefficients),
+    )
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
 pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] {
     let mut array = [0i16; 16];
     mm256_storeu_si256_i16(&mut array, vector);
@@ -522,6 +677,7 @@ pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] {
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
 pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 {
     let output = PortableVector::deserialize_11(bytes);
     let array = PortableVector::to_i16_array(output);
@@ -529,46 +685,49 @@ pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 {
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--ext context_pruning --split_queries always")]
+#[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"#))]
+#[hax_lib::ensures(|r| fstar!(r#"forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i/12) * 16 + i%12)"#))]
 pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] {
-    let mut serialized = [0u8; 32];
-
-    let adjacent_2_combined = mm256_madd_epi16(
-        vector,
-        mm256_set_epi16(
-            1 << 12,
-            1,
-            1 << 12,
-            1,
-            1 << 12,
-            1,
-            1 << 12,
-            1,
-            1 << 12,
-            1,
-            1 << 12,
-            1,
-            1 << 12,
-            1,
-            1 << 12,
-            1,
-        ),
-    );
-
-    let adjacent_4_combined =
-        mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8));
-    let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined);
-
-    let adjacent_8_combined = mm256_shuffle_epi8(
-        adjacent_4_combined,
-        mm256_set_epi8(
-            -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11, 10,
-            9, 8, 5, 4, 3, 2, 1, 0,
-        ),
-    );
-
-    let lower_8 = mm256_castsi256_si128(adjacent_8_combined);
-    let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined);
+    #[inline(always)]
+    #[hax_lib::fstar::options("--ext context_pruning --split_queries always")]
+    #[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"#))]
+    #[hax_lib::ensures(|(lower_8, upper_8)| fstar!(
+        r#"
+         forall (i: nat{i < 192}).
+           vector ((i/12) * 16 + i%12) == (if i < 96 then $lower_8 i else $upper_8 (i - 96))
+      )
+    "#
+    ))]
+    fn serialize_12_vec(vector: Vec256) -> (Vec128, Vec128) {
+        let adjacent_2_combined = mm256_concat_pairs_n(12, vector);
+        let adjacent_4_combined =
+            mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8));
+        let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined);
+
+        let adjacent_8_combined = mm256_shuffle_epi8(
+            adjacent_4_combined,
+            mm256_set_epi8(
+                -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11,
+                10, 9, 8, 5, 4, 3, 2, 1, 0,
+            ),
+        );
+
+        let lower_8 = mm256_castsi256_si128(adjacent_8_combined);
+        let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined);
+        hax_lib::fstar!(
+            r#"
+    introduce forall (i:nat{i < 96}). lower_8_ i = vector ((i / 12) * 16 + i % 12)
+    with assert_norm (BitVec.Utils.forall_n 96 (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12)));
+    introduce forall (i:nat{i < 96}). upper_8_ i = vector (128 + (i / 12) * 16 + i % 12)
+    with assert_norm (BitVec.Utils.forall_n 96 (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12)))
+    "#
+        );
+        (lower_8, upper_8)
+    }
 
+    let mut serialized = [0u8; 32];
+    let (lower_8, upper_8) = serialize_12_vec(vector);
     mm_storeu_bytes_si128(&mut serialized[0..16], lower_8);
     mm_storeu_bytes_si128(&mut serialized[12..28], upper_8);
 
@@ -576,43 +735,69 @@ pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] {
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"Seq.length bytes == 24"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}).
+  $result i = (if i % 16 >= 12 then 0
+               else let j = (i / 16) * 12 + i % 16 in
+                     bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 24)) 8 j)"#))]
 pub(crate) fn deserialize_12(bytes: &[u8]) -> Vec256 {
-    let shift_lsbs_to_msbs = mm256_set_epi16(
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-        1 << 0,
-        1 << 4,
-    );
-
+    #[inline(always)]
+    #[hax_lib::ensures(|coefficients| fstar!(r#"
+forall (i: nat {i < 256}).
+      $coefficients i
+    = ( if i % 16 >= 12 then 0
+        else let j = (i / 16) * 12 + i % 16 in
+             if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64)))
+"#))]
+    #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)]
+    fn deserialize_12_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 {
+        let lower_coefficients = mm_shuffle_epi8(
+            lower_coefficients0,
+            mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0),
+        );
+        let upper_coefficients = mm_shuffle_epi8(
+            upper_coefficients0,
+            mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4),
+        );
+
+        let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients);
+
+        let coefficients = mm256_mullo_epi16(
+            coefficients,
+            mm256_set_epi16(
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+                1 << 0,
+                1 << 4,
+            ),
+        );
+        let coefficients = mm256_srli_epi16::<4>(coefficients);
+        let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1));
+        hax_lib::fstar!(
+            r#"
+assert_norm(BitVec.Utils.forall256 (fun i -> 
+      $coefficients i
+    = ( if i % 16 < 12
+        then let j = (i / 16) * 12 + i % 16 in
+             if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64)
+        else 0)))
+"#
+        );
+        coefficients
+    }
     let lower_coefficients = mm_loadu_si128(&bytes[0..16]);
-    let lower_coefficients = mm_shuffle_epi8(
-        lower_coefficients,
-        mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0),
-    );
     let upper_coefficients = mm_loadu_si128(&bytes[8..24]);
-    let upper_coefficients = mm_shuffle_epi8(
-        upper_coefficients,
-        mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4),
-    );
-
-    let coefficients = mm256_castsi128_si256(lower_coefficients);
-    let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients);
-
-    let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs);
-    let coefficients = mm256_srli_epi16::<4>(coefficients);
-    let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1));
-
-    coefficients
+    deserialize_12_vec(lower_coefficients, upper_coefficients)
 }
diff --git a/libcrux-ml-kem/src/vector/neon.rs b/libcrux-ml-kem/src/vector/neon.rs
index 68539971e..bd582f6bb 100644
--- a/libcrux-ml-kem/src/vector/neon.rs
+++ b/libcrux-ml-kem/src/vector/neon.rs
@@ -16,16 +16,27 @@ use serialize::*;
 pub(crate) use vector_type::SIMD128Vector;
 use vector_type::*;
 
+impl crate::vector::traits::Repr for SIMD128Vector {
+    fn repr(x: Self) -> [i16; 16] {
+        to_i16_array(x)
+    }
+}
+
+#[hax_lib::attributes]
 impl Operations for SIMD128Vector {
     #[inline(always)]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Seq.create 16 0s"#))]
     fn ZERO() -> Self {
         ZERO()
     }
 
+    #[requires(array.len() == 16)]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))]
     fn from_i16_array(array: &[i16]) -> Self {
         from_i16_array(array)
     }
 
+    #[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))]
     fn to_i16_array(x: Self) -> [i16; 16] {
         to_i16_array(x)
     }
diff --git a/libcrux-ml-kem/src/vector/neon/arithmetic.rs b/libcrux-ml-kem/src/vector/neon/arithmetic.rs
index a01daba08..ff3416fe3 100644
--- a/libcrux-ml-kem/src/vector/neon/arithmetic.rs
+++ b/libcrux-ml-kem/src/vector/neon/arithmetic.rs
@@ -1,5 +1,5 @@
 use super::vector_type::*;
-use crate::vector::{FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R};
+use crate::vector::{traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, FIELD_MODULUS};
 use libcrux_intrinsics::arm64::*;
 
 #[inline(always)]
diff --git a/libcrux-ml-kem/src/vector/neon/vector_type.rs b/libcrux-ml-kem/src/vector/neon/vector_type.rs
index 61b4d319d..8ae2fd018 100644
--- a/libcrux-ml-kem/src/vector/neon/vector_type.rs
+++ b/libcrux-ml-kem/src/vector/neon/vector_type.rs
@@ -1,20 +1,15 @@
 use libcrux_intrinsics::arm64::*;
 #[derive(Clone, Copy)]
+#[hax_lib::fstar::after(interface, "val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16)")]
+#[hax_lib::fstar::after("let repr (x:t_SIMD128Vector) = admit()")]
 pub struct SIMD128Vector {
     pub low: _int16x8_t,
     pub high: _int16x8_t,
 }
 
-#[allow(non_snake_case)]
-#[inline(always)]
-pub(crate) fn ZERO() -> SIMD128Vector {
-    SIMD128Vector {
-        low: _vdupq_n_s16(0),
-        high: _vdupq_n_s16(0),
-    }
-}
-
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))]
 pub(crate) fn to_i16_array(v: SIMD128Vector) -> [i16; 16] {
     let mut out = [0i16; 16];
     _vst1q_s16(&mut out[0..8], v.low);
@@ -23,9 +18,22 @@ pub(crate) fn to_i16_array(v: SIMD128Vector) -> [i16; 16] {
 }
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|result| fstar!("repr ${result} == $array"))]
 pub(crate) fn from_i16_array(array: &[i16]) -> SIMD128Vector {
     SIMD128Vector {
         low: _vld1q_s16(&array[0..8]),
         high: _vld1q_s16(&array[8..16]),
     }
 }
+
+#[allow(non_snake_case)]
+#[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::ensures(|result| fstar!("repr result == Seq.create 16 0s"))]
+pub(crate) fn ZERO() -> SIMD128Vector {
+    SIMD128Vector {
+        low: _vdupq_n_s16(0),
+        high: _vdupq_n_s16(0),
+    }
+}
diff --git a/libcrux-ml-kem/src/vector/portable.rs b/libcrux-ml-kem/src/vector/portable.rs
index 2ed759d54..58ccdf1e0 100644
--- a/libcrux-ml-kem/src/vector/portable.rs
+++ b/libcrux-ml-kem/src/vector/portable.rs
@@ -1,5 +1,4 @@
 use super::Operations;
-
 mod arithmetic;
 mod compress;
 mod ntt;
@@ -11,92 +10,256 @@ use arithmetic::*;
 use compress::*;
 use ntt::*;
 use sampling::*;
-use serialize::*;
 use vector_type::*;
 
 pub(crate) use vector_type::PortableVector;
 
+impl crate::vector::traits::Repr for PortableVector {
+    fn repr(x: Self) -> [i16; 16] {
+        to_i16_array(x)
+    }
+}
+
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> 
+                                 Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"#))]
+fn serialize_1(a: PortableVector) -> [u8; 2] {
+    hax_lib::fstar!(
+        r#"assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 1)"#
+    );
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma $a"#);
+    serialize::serialize_1(a)
+}
+
+#[hax_lib::requires(a.len() == 2)]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"#))]
+fn deserialize_1(a: &[u8]) -> PortableVector {
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma $a"#);
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma $a"#);
+    serialize::deserialize_1(a)
+}
+
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"#))]
+fn serialize_4(a: PortableVector) -> [u8; 8] {
+    hax_lib::fstar!(
+        r#"assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 4)"#
+    );
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma $a"#);
+    serialize::serialize_4(a)
+}
+
+#[hax_lib::requires(a.len() == 8)]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"#))]
+fn deserialize_4(a: &[u8]) -> PortableVector {
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma $a"#);
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma $a"#);
+    serialize::deserialize_4(a)
+}
+
+fn serialize_5(a: PortableVector) -> [u8; 10] {
+    serialize::serialize_5(a)
+}
+
+#[hax_lib::requires(a.len() == 10)]
+fn deserialize_5(a: &[u8]) -> PortableVector {
+    serialize::deserialize_5(a)
+}
+
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"#))]
+fn serialize_10(a: PortableVector) -> [u8; 20] {
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma $a"#);
+    serialize::serialize_10(a)
+}
+
+#[hax_lib::requires(a.len() == 20)]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"#))]
+fn deserialize_10(a: &[u8]) -> PortableVector {
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma $a"#);
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma $a"#);
+    serialize::deserialize_10(a)
+}
+
+fn serialize_11(a: PortableVector) -> [u8; 22] {
+    serialize::serialize_11(a)
+}
+
+#[hax_lib::requires(a.len() == 22)]
+fn deserialize_11(a: &[u8]) -> PortableVector {
+    serialize::deserialize_11(a)
+}
+
+#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"#))]
+#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"#))]
+fn serialize_12(a: PortableVector) -> [u8; 24] {
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma $a"#);
+    serialize::serialize_12(a)
+}
+
+#[hax_lib::requires(a.len() == 24)]
+#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"#))]
+fn deserialize_12(a: &[u8]) -> PortableVector {
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma $a"#);
+    hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma $a"#);
+    serialize::deserialize_12(a)
+}
+
+#[hax_lib::fstar::before(r#"#push-options "--z3rlimit 400 --split_queries always""#)]
+#[hax_lib::fstar::after(r#"#pop-options"#)]
+#[hax_lib::attributes]
 impl Operations for PortableVector {
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Seq.create 16 0s"#))]
     fn ZERO() -> Self {
         zero()
     }
 
+    #[requires(array.len() == 16)]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))]
     fn from_i16_array(array: &[i16]) -> Self {
         from_i16_array(array)
     }
 
+    #[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))]
     fn to_i16_array(x: Self) -> [i16; 16] {
         to_i16_array(x)
     }
 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+        (v (Seq.index ${result}.f_elements i) == 
+         v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))]
     fn add(lhs: Self, rhs: &Self) -> Self {
         add(lhs, rhs)
     }
 
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+        (v (Seq.index ${result}.f_elements i) == 
+         v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))]
     fn sub(lhs: Self, rhs: &Self) -> Self {
         sub(lhs, rhs)
     }
 
-    fn multiply_by_constant(v: Self, c: i16) -> Self {
-        multiply_by_constant(v, c)
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+        (v (Seq.index ${result}.f_elements i) == 
+        v (Seq.index ${vec}.f_elements i) * v c)"#))]
+    fn multiply_by_constant(vec: Self, c: i16) -> Self {
+        multiply_by_constant(vec, c)
     }
 
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr $v)"#))]
     fn bitwise_and_with_constant(v: Self, c: i16) -> Self {
         bitwise_and_with_constant(v, c)
     }
 
+    #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
+    #[ensures(|out| fstar!(r#"(v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $v)"#))]
     fn shift_right<const SHIFT_BY: i32>(v: Self) -> Self {
         shift_right::<{ SHIFT_BY }>(v)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $v)"#))]
+    #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $v)"#))]
     fn cond_subtract_3329(v: Self) -> Self {
         cond_subtract_3329(v)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (impl.f_repr ${v})"#))]
     fn barrett_reduce(v: Self) -> Self {
         barrett_reduce(v)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 $r"#))]
     fn montgomery_multiply_by_constant(v: Self, r: i16) -> Self {
         montgomery_multiply_by_constant(v, r)
     }
 
-    fn compress_1(v: Self) -> Self {
-        compress_1(v)
-    }
-
-    fn compress<const COEFFICIENT_BITS: i32>(v: Self) -> Self {
-        compress::<COEFFICIENT_BITS>(v)
-    }
-
-    fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(v: Self) -> Self {
-        decompress_ciphertext_coefficient::<COEFFICIENT_BITS>(v)
-    }
-
+    #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\
+        v (Seq.index (impl.f_repr $a) i) < 3329"#))]
+    #[ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"#))]
+    fn compress_1(a: Self) -> Self {
+        compress_1(a)
+    }
+
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+            v $COEFFICIENT_BITS == 5 \/
+            v $COEFFICIENT_BITS == 10 \/
+            v $COEFFICIENT_BITS == 11) /\
+        (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\
+            v (Seq.index (impl.f_repr $a) i) < 3329)"#))]
+    #[ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+            v $COEFFICIENT_BITS == 5 \/
+            v $COEFFICIENT_BITS == 10 \/
+            v $COEFFICIENT_BITS == 11) ==>
+                (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"#))]
+    fn compress<const COEFFICIENT_BITS: i32>(a: Self) -> Self {
+        compress::<COEFFICIENT_BITS>(a)
+    }
+
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+        v $COEFFICIENT_BITS == 5 \/
+        v $COEFFICIENT_BITS == 10 \/
+        v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\
+        v (Seq.index (impl.f_repr $a) i) < pow2 (v $COEFFICIENT_BITS))"#))]
+    fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(a: Self) -> Self {
+        decompress_ciphertext_coefficient::<COEFFICIENT_BITS>(a)
+    }
+
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3  /\
+                       Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"#))]
     fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
         ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"#))]
     fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self {
         ntt_layer_2_step(a, zeta0, zeta1)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                       Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"#))]
     fn ntt_layer_3_step(a: Self, zeta: i16) -> Self {
         ntt_layer_3_step(a, zeta)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                       Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self {
         inv_ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self {
         inv_ntt_layer_2_step(a, zeta0, zeta1)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self {
         inv_ntt_layer_3_step(a, zeta)
     }
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\
+                       Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))]
     fn ntt_multiply(
         lhs: &Self,
         rhs: &Self,
@@ -108,18 +271,26 @@ impl Operations for PortableVector {
         ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3)
     }
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"#))]
     fn serialize_1(a: Self) -> [u8; 2] {
         serialize_1(a)
     }
 
+    #[requires(a.len() == 2)]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"#))]
     fn deserialize_1(a: &[u8]) -> Self {
         deserialize_1(a)
     }
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"#))]
     fn serialize_4(a: Self) -> [u8; 8] {
         serialize_4(a)
     }
 
+    #[requires(a.len() == 8)]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"#))]
     fn deserialize_4(a: &[u8]) -> Self {
         deserialize_4(a)
     }
@@ -128,14 +299,19 @@ impl Operations for PortableVector {
         serialize_5(a)
     }
 
+    #[requires(a.len() == 10)]
     fn deserialize_5(a: &[u8]) -> Self {
         deserialize_5(a)
     }
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"#))]
     fn serialize_10(a: Self) -> [u8; 20] {
         serialize_10(a)
     }
 
+    #[requires(a.len() == 20)]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"#))]
     fn deserialize_10(a: &[u8]) -> Self {
         deserialize_10(a)
     }
@@ -144,18 +320,27 @@ impl Operations for PortableVector {
         serialize_11(a)
     }
 
+    #[requires(a.len() == 22)]
     fn deserialize_11(a: &[u8]) -> Self {
         deserialize_11(a)
     }
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"#))]
+    #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"#))]
     fn serialize_12(a: Self) -> [u8; 24] {
         serialize_12(a)
     }
 
+    #[requires(a.len() == 24)]
+    #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"#))]
     fn deserialize_12(a: &[u8]) -> Self {
         deserialize_12(a)
     }
 
+    #[requires(a.len() == 24 && out.len() == 16)]
+    #[ensures(|result|
+        fstar!(r#"Seq.length $out_future == Seq.length $out /\ v $result <= 16"#)
+    )]
     fn rej_sample(a: &[u8], out: &mut [i16]) -> usize {
         rej_sample(a, out)
     }
diff --git a/libcrux-ml-kem/src/vector/portable/arithmetic.rs b/libcrux-ml-kem/src/vector/portable/arithmetic.rs
index ec2a1cbe7..dabef94f6 100644
--- a/libcrux-ml-kem/src/vector/portable/arithmetic.rs
+++ b/libcrux-ml-kem/src/vector/portable/arithmetic.rs
@@ -1,6 +1,7 @@
 use super::vector_type::*;
-use crate::vector::{
-    traits::FIELD_ELEMENTS_IN_VECTOR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R,
+use crate::vector::traits::{
+    BARRETT_R, BARRETT_SHIFT, FIELD_ELEMENTS_IN_VECTOR, FIELD_MODULUS,
+    INVERSE_OF_MODULUS_MOD_MONTGOMERY_R,
 };
 
 /// If 'x' denotes a value of type `fe`, values having this type hold a
@@ -16,83 +17,184 @@ pub type FieldElementTimesMontgomeryR = i16;
 pub(crate) const MONTGOMERY_SHIFT: u8 = 16;
 pub(crate) const MONTGOMERY_R: i32 = 1 << MONTGOMERY_SHIFT;
 
-pub(crate) const BARRETT_SHIFT: i32 = 26;
-pub(crate) const BARRETT_R: i32 = 1 << BARRETT_SHIFT;
 /// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋
 pub(crate) const BARRETT_MULTIPLIER: i32 = 20159;
 
-#[cfg_attr(hax, hax_lib::requires(n == 4 || n == 5 || n == 10 || n == 11 || n == MONTGOMERY_SHIFT))]
-#[cfg_attr(hax, hax_lib::ensures(|result| result < 2u32.pow(n.into())))]
+#[hax_lib::fstar::options("--z3rlimit 150 --split_queries always")]
+#[cfg_attr(hax, hax_lib::requires(n <= 16))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"v result == v value % pow2(v n)"#)))]
 #[inline(always)]
 pub(crate) fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
-    // hax_debug_assert!(n == 4 || n == 5 || n == 10 || n == 11 || n == MONTGOMERY_SHIFT);
-
-    value & ((1 << n) - 1)
+    let res = value & ((1 << n) - 1);
+    hax_lib::fstar!(
+        "calc (==) {
+    v res;
+    (==) { }
+    v (logand value ((1ul <<! n) -! 1ul));
+    (==) {mk_int_equiv_lemma #u32_inttype 1} 
+    v (logand value (((mk_int 1) <<! n) -! (mk_int 1)));
+    (==) { }
+    v (logand value (mk_int ((1 * pow2 (v n)) % pow2 32) -! (mk_int 1)));
+    (==) {Math.Lemmas.small_mod (pow2 (v n)) (pow2 32); Math.Lemmas.pow2_lt_compat 32 (v n)}
+    v (logand value ((mk_int (pow2 (v n))) -! (mk_int 1)));
+    (==) {Math.Lemmas.pow2_lt_compat 32 (v n); logand_mask_lemma value (v n)}
+    v value % (pow2 (v n));
+    }"
+    );
+    res
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 150")]
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+    (v (Seq.index ${result}.f_elements i) == 
+     v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))]
 pub fn add(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector {
+    let _lhs0 = lhs;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"
+              (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == 
+                                     (Seq.index ${_lhs0}.f_elements j) +! (Seq.index ${rhs}.f_elements j)) /\
+              (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))"#
+            )
+        });
         lhs.elements[i] += rhs.elements[i];
     }
-
+    hax_lib::fstar!(
+        "assert (forall i. v (Seq.index ${lhs}.f_elements i) ==
+    			          v (Seq.index ${_lhs0}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"
+    );
     lhs
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+    (v (Seq.index ${result}.f_elements i) == 
+     v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))]
 pub fn sub(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector {
+    let _lhs0 = lhs;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"
+              (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == 
+                                     (Seq.index ${_lhs0}.f_elements j) -! (Seq.index ${rhs}.f_elements j)) /\
+              (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))"#
+            )
+        });
         lhs.elements[i] -= rhs.elements[i];
     }
-
+    hax_lib::fstar!(
+        "assert (forall i. v (Seq.index ${lhs}.f_elements i) ==
+    			          v (Seq.index ${_lhs0}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"
+    );
     lhs
 }
 
 #[inline(always)]
-pub fn multiply_by_constant(mut v: PortableVector, c: i16) -> PortableVector {
+#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> 
+    Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+    (v (Seq.index ${result}.f_elements i) == 
+     v (Seq.index ${vec}.f_elements i) * v c)"#))]
+pub fn multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector {
+    let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-        v.elements[i] *= c;
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"
+              (forall j. j < v i ==> (Seq.index ${vec}.f_elements j) == 
+                                     (Seq.index ${_vec0}.f_elements j) *! c) /\
+              (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))"#
+            )
+        });
+        vec.elements[i] *= c;
     }
-
-    v
+    hax_lib::fstar!(
+        "assert (forall i. v (Seq.index ${vec}.f_elements i) ==
+    			          v (Seq.index ${_vec0}.f_elements i) * v c)"
+    );
+    vec
 }
 
 #[inline(always)]
-pub fn bitwise_and_with_constant(mut v: PortableVector, c: i16) -> PortableVector {
+#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == Spec.Utils.map_array (fun x -> x &. c) (${vec}.f_elements)"#))]
+pub fn bitwise_and_with_constant(mut vec: PortableVector, c: i16) -> PortableVector {
+    let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-        v.elements[i] &= c;
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"
+              (forall j. j < v i ==> Seq.index ${vec}.f_elements j == 
+                                     (Seq.index ${_vec0}.f_elements j &. c)) /\
+              (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)"#
+            )
+        });
+        vec.elements[i] &= c;
     }
-
-    v
+    hax_lib::fstar!(
+        r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x &. c) ${_vec0}.f_elements)"#
+    );
+    vec
 }
 
 #[inline(always)]
-pub fn shift_right<const SHIFT_BY: i32>(mut v: PortableVector) -> PortableVector {
+#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
+#[hax_lib::ensures(|result| fstar!(r#"(v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> 
+        ${result}.f_elements == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (${vec}.f_elements)"#))]
+pub fn shift_right<const SHIFT_BY: i32>(mut vec: PortableVector) -> PortableVector {
+    let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-        v.elements[i] = v.elements[i] >> SHIFT_BY;
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"
+              (forall j. j < v i ==> Seq.index ${vec}.f_elements j == 
+                                     (Seq.index ${_vec0}.f_elements j >>! ${SHIFT_BY})) /\
+              (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)"#
+            )
+        });
+        vec.elements[i] = vec.elements[i] >> SHIFT_BY;
     }
-
-    v
+    hax_lib::fstar!(
+        r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) ${_vec0}.f_elements)"#
+    );
+    vec
 }
 
-// #[inline(always)]
-// pub fn shift_left<const SHIFT_BY: i32>(mut lhs: PortableVector) -> PortableVector {
-//     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-//         lhs.elements[i] = lhs.elements[i] << SHIFT_BY;
-//     }
-
-//     lhs
-// }
-
+/// Note: This function is not secret independent
+/// Only use with public values.
 #[inline(always)]
-pub fn cond_subtract_3329(mut v: PortableVector) -> PortableVector {
+#[hax_lib::fstar::options("--z3rlimit 300")]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == Spec.Utils.map_array 
+                (fun x -> if x >=. 3329s then x -! 3329s else x) (${vec}.f_elements)"#))]
+pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector {
+    let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-        debug_assert!(v.elements[i] >= 0 && v.elements[i] < 4096);
-        if v.elements[i] >= 3329 {
-            v.elements[i] -= 3329
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"
+              (forall j. j < v i ==> Seq.index ${vec}.f_elements j == 
+                                     (let x = Seq.index ${_vec0}.f_elements j in
+                                      if x >=. 3329s then x -! 3329s else x)) /\
+              (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)"#
+            )
+        });
+        if vec.elements[i] >= 3329 {
+            vec.elements[i] -= 3329
         }
     }
-    v
+    hax_lib::fstar!(
+        r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array 
+                            (fun x -> if x >=. 3329s then x -! 3329s else x) ${_vec0}.f_elements)"#
+    );
+    vec
 }
 
 /// Signed Barrett Reduction
@@ -105,35 +207,69 @@ pub fn cond_subtract_3329(mut v: PortableVector) -> PortableVector {
 ///
 /// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1)
 ///
-/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`.
-#[cfg_attr(hax, hax_lib::requires((i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R)))]
-#[cfg_attr(hax, hax_lib::ensures(|result| result > -FIELD_MODULUS && result < FIELD_MODULUS))]
+/// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS
+///
+#[hax_lib::fstar::options("--z3rlimit 150 --ext context_pruning")]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 28296 value"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b 3328 result /\
+                v result % 3329 == v value % 3329"#)))]
 pub(crate) fn barrett_reduce_element(value: FieldElement) -> FieldElement {
-    // hax_debug_assert!(
-    //     i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R,
-    //     "value is {value}"
-    // );
-
     let t = (i32::from(value) * BARRETT_MULTIPLIER) + (BARRETT_R >> 1);
+    hax_lib::fstar!(
+        "assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2*3329));
+                     assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25)"
+    );
+    hax_lib::fstar!(r#"assert (v t / pow2 26 < 9)"#);
+    hax_lib::fstar!(r#"assert (v t / pow2 26 > - 9)"#);
     let quotient = (t >> BARRETT_SHIFT) as i16;
-
+    hax_lib::fstar!(r#"assert (v quotient = v t / pow2 26)"#);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 9 quotient)"#);
     let result = value - (quotient * FIELD_MODULUS);
-
-    // hax_debug_assert!(
-    //     result > -FIELD_MODULUS && result < FIELD_MODULUS,
-    //     "value is {value}"
-    // );
-
+    hax_lib::fstar!(
+        "calc (==) {
+    v result % 3329;
+    (==) { }
+    (v value - (v quotient * 3329)) % 3329;
+    (==) {Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329}
+    (v value - (v quotient * 3329) % 3329) % 3329;
+    (==) {Math.Lemmas.cancel_mul_mod (v quotient) 3329}
+    (v value - 0) % 3329;    
+    (==) {}
+    (v value) % 3329;    
+    }"
+    );
     result
 }
 
 #[inline(always)]
-pub(crate) fn barrett_reduce(mut v: PortableVector) -> PortableVector {
+#[hax_lib::fstar::options("--z3rlimit 150")]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 ${vec}.f_elements"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\
+                (forall i. (v (Seq.index ${result}.f_elements i) % 3329) == 
+                           (v (Seq.index ${vec}.f_elements i) % 3329))"#)))]
+pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector {
+    let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-        v.elements[i] = barrett_reduce_element(v.elements[i]);
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"
+                (forall j. j < v i ==> (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements j) /\
+                                        v (Seq.index ${vec}.f_elements j) % 3329 == (v (Seq.index ${_vec0}.f_elements j) % 3329))) /\
+                (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j /\
+                                         Spec.Utils.is_i16b 28296 (Seq.index ${vec}.f_elements j)))"#
+            )
+        });
+        let vi = barrett_reduce_element(vec.elements[i]);
+        vec.elements[i] = vi;
+        hax_lib::fstar!(
+            r#"assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1);
+                         assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j));
+                         assert(Spec.Utils.is_i16b 3328 vi);
+                         assert(Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i)));
+                         assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))"#
+        );
     }
-
-    v
+    vec
 }
 
 /// Signed Montgomery Reduction
@@ -144,29 +280,98 @@ pub(crate) fn barrett_reduce(mut v: PortableVector) -> PortableVector {
 /// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS)
 /// - the absolute value of `o` is bound as follows:
 ///
-/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2)
+/// `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665
 ///
-/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`.
-#[cfg_attr(hax, hax_lib::requires(value >= -(FIELD_MODULUS as i32) * MONTGOMERY_R && value <= (FIELD_MODULUS as i32) * MONTGOMERY_R))]
-#[cfg_attr(hax, hax_lib::ensures(|result| result >= -(3 * FIELD_MODULUS) / 2 && result <= (3 * FIELD_MODULUS) / 2))]
+/// In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS-1`.
+/// And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS + 1664
+///
+#[hax_lib::fstar::options("--z3rlimit 500 --split_queries always")]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i32b (3328 * pow2 16) value "#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b (3328 + 1665) result /\
+                (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 result) /\
+                v result % 3329 == (v value * 169) % 3329"#)))]
 pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement {
     // This forces hax to extract code for MONTGOMERY_R before it extracts code
     // for this function. The removal of this line is being tracked in:
     // https://github.com/cryspen/libcrux/issues/134
     let _ = MONTGOMERY_R;
 
-    //hax_debug_assert!(
-    //    value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R,
-    //    "value is {value}"
-    //);
-
     let k = (value as i16) as i32 * (INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32);
+    hax_lib::fstar!(
+        r#"assert(v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16);
+                     assert(v k == (v value @% pow2 16) * 62209);
+                     assert(v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16);
+                     assert(v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15);
+                     assert(v (cast (cast (k <: i32) <: i16) <: i32) >= -pow2 15);
+                     assert(v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329)"#
+    );
     let k_times_modulus = (k as i16 as i32) * (FIELD_MODULUS as i32);
-
+    hax_lib::fstar!(
+        r#"Spec.Utils.lemma_mul_i16b (pow2 15) (3329) (cast (k <: i32) <: i16) Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS;
+                     assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus)"#
+    );
     let c = (k_times_modulus >> MONTGOMERY_SHIFT) as i16;
+    hax_lib::fstar!(
+        "assert (v k_times_modulus < pow2 31);
+                     assert (v k_times_modulus / pow2 16 < pow2 15);
+                     assert (v c == (v k_times_modulus / pow2 16) @% pow2 16);
+                     assert(v c == v k_times_modulus / pow2 16); 
+                     assert(Spec.Utils.is_i16b 1665 c)"
+    );
     let value_high = (value >> MONTGOMERY_SHIFT) as i16;
-
-    value_high - c
+    hax_lib::fstar!(
+        r#"assert (v value < pow2 31);
+                     assert (v value / pow2 16 < pow2 15);
+                     assert (v value_high == (v value / pow2 16) @% pow2 16);
+                     Spec.Utils.lemma_div_at_percent (v value) (pow2 16);
+                     assert (v value_high == (v value / pow2 16)); 
+                     assert(Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high);
+                     assert(Spec.Utils.is_i16b 3328 value_high)"#
+    );
+    let res = value_high - c;
+    hax_lib::fstar!(r#"assert(Spec.Utils.is_i16b (3328 + 1665) res)"#);
+    hax_lib::fstar!(
+        "assert(Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res)"
+    );
+    hax_lib::fstar!(
+        r#"calc ( == ) {
+        v k_times_modulus % pow2 16;
+          ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) }
+        ((v k @% pow2 16) * 3329) % pow2 16;
+          ( == ) { assert (v k = (v value @% pow2 16) * 62209) }
+        ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16;
+          ( == ) {  Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) (pow2 16) 3329 }
+        ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16;
+          ( == ) {  Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) }
+        ((((v value @% pow2 16) * 62209) * 3329) % pow2 16);
+          ( == ) {  Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) }
+        ((v value @% pow2 16) % pow2 16);
+          ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 }
+        (v value) % pow2 16;
+        };
+      Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus);
+      assert ((v value - v k_times_modulus) % pow2 16 == 0)"#
+    );
+    hax_lib::fstar!(
+        r#"calc ( == ) {
+        v res % 3329;
+            ( == ) { assert (v res == v value_high - v c) }
+        (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329 ;
+            ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) }
+        ((v value - v k_times_modulus) / pow2 16) % 3329;
+            ( == ) { assert ((pow2 16 * 169) % 3329 == 1) }
+        (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329;
+            ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16) (pow2 16 * 169) 3329}
+        (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329;
+            ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16)}
+        ((v value - v k_times_modulus) * 169) % 3329;
+            ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) }
+        ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; 
+            ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169)}
+        (v value * 169) % 3329;  
+        }"#
+    );
+    res
 }
 
 /// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to
@@ -178,17 +383,41 @@ pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement {
 /// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative
 /// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`.
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 300")]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 fer"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b 3328 result /\
+                v result % 3329 == (v fe * v fer * 169) % 3329"#)))]
 pub(crate) fn montgomery_multiply_fe_by_fer(
     fe: FieldElement,
     fer: FieldElementTimesMontgomeryR,
 ) -> FieldElement {
-    montgomery_reduce_element((fe as i32) * (fer as i32))
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer"#);
+    let product = (fe as i32) * (fer as i32);
+    montgomery_reduce_element(product)
 }
 
 #[inline(always)]
-pub(crate) fn montgomery_multiply_by_constant(mut v: PortableVector, c: i16) -> PortableVector {
+#[hax_lib::fstar::options("--z3rlimit 150")]
+#[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 c"#)))]
+#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"
+Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\
+(forall i. i < 16 ==> 
+    (v (Seq.index ${result}.f_elements i) % 3329 == 
+       (v (Seq.index ${vec}.f_elements i) * v c * 169) %3329))"#)))]
+pub(crate) fn montgomery_multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector {
+    let _vec0 = vec;
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-        v.elements[i] = montgomery_multiply_fe_by_fer(v.elements[i], c)
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"
+              (forall j. j < v i ==>
+	      	  (let vecj = Seq.index ${vec}.f_elements j in
+		       (Spec.Utils.is_i16b 3328 vecj /\
+                v vecj % 3329 == (v (Seq.index ${_vec0}.f_elements j) * v c * 169) % 3329))) /\
+              (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))"#
+            )
+        });
+        vec.elements[i] = montgomery_multiply_fe_by_fer(vec.elements[i], c)
     }
-    v
+    vec
 }
diff --git a/libcrux-ml-kem/src/vector/portable/compress.rs b/libcrux-ml-kem/src/vector/portable/compress.rs
index dab3e8190..7fb2bf672 100644
--- a/libcrux-ml-kem/src/vector/portable/compress.rs
+++ b/libcrux-ml-kem/src/vector/portable/compress.rs
@@ -23,10 +23,11 @@ use crate::vector::FIELD_MODULUS;
 ///
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
+#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
 #[cfg_attr(hax, hax_lib::requires(fe < (FIELD_MODULUS as u16)))]
 #[cfg_attr(hax, hax_lib::ensures(|result|
-        hax_lib::implies(833 <= fe && fe <= 2596, || result == 1) &&
-        hax_lib::implies(!(833 <= fe && fe <= 2596), || result == 0)
+        hax_lib::implies(833 <= fe && fe <= 2496, || result == 1) &&
+        hax_lib::implies(!(833 <= fe && fe <= 2496), || result == 0)
 ))]
 pub(crate) fn compress_message_coefficient(fe: u16) -> u8 {
     // The approach used here is inspired by:
@@ -35,6 +36,7 @@ pub(crate) fn compress_message_coefficient(fe: u16) -> u8 {
     // If 833 <= fe <= 2496,
     // then -832 <= shifted <= 831
     let shifted: i16 = 1664 - (fe as i16);
+    hax_lib::fstar!(r#"assert (v $shifted == 1664 - v $fe)"#);
 
     // If shifted < 0, then
     // (shifted >> 15) ^ shifted = flip_bits(shifted) = -shifted - 1, and so
@@ -44,15 +46,48 @@ pub(crate) fn compress_message_coefficient(fe: u16) -> u8 {
     // (shifted >> 15) ^ shifted = shifted, and so
     // if 0 <= shifted <= 831 then 0 <= shifted_positive <= 831
     let mask = shifted >> 15;
+    hax_lib::fstar!(
+        "assert (v $mask = v $shifted / pow2 15);
+        assert (if v $shifted < 0 then $mask = ones else $mask = zero)"
+    );
     let shifted_to_positive = mask ^ shifted;
+    hax_lib::fstar!(
+        "logxor_lemma $shifted $mask;
+        assert (v $shifted < 0 ==> v $shifted_to_positive = v (lognot $shifted));
+        neg_equiv_lemma $shifted;
+        assert (v (lognot $shifted) = -(v $shifted) -1);
+        assert (v $shifted >= 0 ==> v $shifted_to_positive = v ($mask `logxor` $shifted));
+        assert (v $shifted >= 0 ==> $mask = zero);
+        assert (v $shifted >= 0 ==> $mask ^. $shifted = $shifted);
+        assert (v $shifted >= 0 ==> v $shifted_to_positive = v $shifted);
+        assert ($shifted_to_positive >=. mk_i16 0)"
+    );
 
     let shifted_positive_in_range = shifted_to_positive - 832;
+    hax_lib::fstar!(
+        "assert (1664 - v $fe >= 0 ==> v $shifted_positive_in_range == 832 - v $fe);
+        assert (1664 - v $fe < 0 ==> v $shifted_positive_in_range == -2497 + v $fe)"
+    );
 
     // If x <= 831, then x - 832 <= -1, and so x - 832 < 0, which means
     // the most significant bit of shifted_positive_in_range will be 1.
-    ((shifted_positive_in_range >> 15) & 1) as u8
+    let r0 = shifted_positive_in_range >> 15;
+    let r1: i16 = r0 & 1;
+    let res = r1 as u8;
+    hax_lib::fstar!(
+        r#"assert (v $r0 = v $shifted_positive_in_range / pow2 15);
+        assert (if v $shifted_positive_in_range < 0 then $r0 = ones else $r0 = zero);
+        logand_lemma (mk_i16 1) $r0; 
+        assert (if v $shifted_positive_in_range < 0 then $r1 = mk_i16 1 else $r1 = mk_i16 0);
+        assert ((v $fe >= 833 && v $fe <= 2496) ==> $r1 = mk_i16 1);
+        assert (v $fe < 833 ==> $r1 = mk_i16 0);
+        assert (v $fe > 2496 ==> $r1 = mk_i16 0);
+        assert (v $res = v $r1)"#
+    );
+    res
 }
 
+#[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")]
 #[cfg_attr(hax,
     hax_lib::requires(
         (coefficient_bits == 4 ||
@@ -84,41 +119,158 @@ pub(crate) fn compress_ciphertext_coefficient(coefficient_bits: u8, fe: u16) ->
 }
 
 #[inline(always)]
-pub(crate) fn compress_1(mut v: PortableVector) -> PortableVector {
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::before(
+        r#"
+let compress_message_coefficient_range_helper (fe: u16) : Lemma
+  (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))
+  (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
+    v (cast (compress_message_coefficient fe) <: i16) < 2) =
+  assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
+    v (cast (compress_message_coefficient fe) <: i16) < 2)
+"#
+    )
+)]
+#[hax_lib::fstar::options("--fuel 0 --ifuel 0 --z3rlimit 2000")]
+#[hax_lib::requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\
+    v (Seq.index ${a}.f_elements i) < 3329"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\
+    v (${result}.f_elements.[ sz i ] <: i16) < 2"#))]
+pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector {
+    hax_lib::fstar!(
+        "assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <.
+        (cast ($FIELD_MODULUS) <: u16))"
+    );
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-        v.elements[i] = compress_message_coefficient(v.elements[i] as u16) as i16;
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"(v $i < 16 ==> (forall (j:nat). (j >= v $i /\ j < 16) ==>
+            v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\
+            (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\
+                v (${a}.f_elements.[ sz j ] <: i16) < 2)"#
+            )
+        });
+        hax_lib::fstar!(
+            "compress_message_coefficient_range_helper (cast (${a}.f_elements.[ $i ]) <: u16)"
+        );
+        a.elements[i] = compress_message_coefficient(a.elements[i] as u16) as i16;
+        hax_lib::fstar!(
+            r#"assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\
+            v (${a}.f_elements.[ $i ] <: i16) < 2)"#
+        );
     }
 
-    v
+    hax_lib::fstar!(
+        r#"assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\
+        v (${a}.f_elements.[ sz i ] <: i16) < 2)"#
+    );
+    a
 }
 
 #[inline(always)]
-pub(crate) fn compress<const COEFFICIENT_BITS: i32>(mut v: PortableVector) -> PortableVector {
+#[hax_lib::fstar::options("--fuel 0 --ifuel 0 --z3rlimit 2000")]
+#[hax_lib::requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+        v $COEFFICIENT_BITS == 5 \/
+        v $COEFFICIENT_BITS == 10 \/
+        v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\
+        v (Seq.index ${a}.f_elements i) < 3329)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\
+    v (${result}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"#))]
+pub(crate) fn compress<const COEFFICIENT_BITS: i32>(mut a: PortableVector) -> PortableVector {
+    hax_lib::fstar!(
+        "assert (v (cast ($COEFFICIENT_BITS) <: u8) == v $COEFFICIENT_BITS);
+        assert (v (cast ($COEFFICIENT_BITS) <: u32) == v $COEFFICIENT_BITS);
+        assert (v (cast ($FIELD_MODULUS) <: u16) == 3329)"
+    );
+    hax_lib::fstar!(
+        "assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <.
+        (cast ($FIELD_MODULUS) <: u16))"
+    );
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-        v.elements[i] =
-            compress_ciphertext_coefficient(COEFFICIENT_BITS as u8, v.elements[i] as u16) as i16;
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"(v $i < 16 ==> (forall (j:nat). (j >= v $i /\ j < 16) ==>
+            v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\
+            (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\
+                v (${a}.f_elements.[ sz j ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))"#
+            )
+        });
+        a.elements[i] =
+            compress_ciphertext_coefficient(COEFFICIENT_BITS as u8, a.elements[i] as u16) as i16;
+        hax_lib::fstar!(
+            r#"assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\
+            v (${a}.f_elements.[ $i ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))"#
+        );
     }
-    v
+    hax_lib::fstar!(
+        r#"assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\
+        v (${a}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"#
+    );
+    a
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 300 --ext context_pruning")]
+#[hax_lib::requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+        v $COEFFICIENT_BITS == 5 \/
+        v $COEFFICIENT_BITS == 10 \/
+        v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\
+        v (Seq.index ${a}.f_elements i) < pow2 (v $COEFFICIENT_BITS))"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index ${result}.f_elements i) < v $FIELD_MODULUS"#))]
 pub(crate) fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(
-    mut v: PortableVector,
+    mut a: PortableVector,
 ) -> PortableVector {
-    // debug_assert!(to_i16_array(v)
-    //     .into_iter()
-    //     .all(|coefficient| coefficient.abs() < 1 << COEFFICIENT_BITS));
+    hax_lib::fstar!(
+        "assert_norm (pow2 1 == 2);
+        assert_norm (pow2 4 == 16);
+        assert_norm (pow2 5 == 32);
+        assert_norm (pow2 10 == 1024);
+        assert_norm (pow2 11 == 2048)"
+    );
 
     for i in 0..FIELD_ELEMENTS_IN_VECTOR {
-        let mut decompressed = v.elements[i] as i32 * FIELD_MODULUS as i32;
+        hax_lib::loop_invariant!(|i: usize| {
+            fstar!(
+                r#"(v $i < 16 ==> (forall (j:nat). (j >= v $i /\ j < 16) ==>
+            v (Seq.index ${a}.f_elements j) >= 0 /\  v (Seq.index ${a}.f_elements j) < pow2 (v $COEFFICIENT_BITS))) /\
+            (forall (j:nat). j < v $i ==>
+                v (Seq.index ${a}.f_elements j) < v $FIELD_MODULUS)"#
+            )
+        });
+        hax_lib::fstar!(
+            "assert (v (${a}.f_elements.[ $i ] <: i16) < pow2 11);
+          assert (v (${a}.f_elements.[ $i ] <: i16) ==
+            v (cast (${a}.f_elements.[ $i ] <: i16) <: i32));
+          assert (v ($FIELD_MODULUS <: i16) ==
+            v (cast ($FIELD_MODULUS <: i16) <: i32));
+          assert (v ((cast (${a}.f_elements.[ $i ] <: i16) <: i32) *!
+            (cast ($FIELD_MODULUS <: i16) <: i32)) ==
+              v (cast (${a}.f_elements.[ $i ] <: i16) <: i32) *
+                v (cast ($FIELD_MODULUS <: i16) <: i32))"
+        );
+        let mut decompressed = a.elements[i] as i32 * FIELD_MODULUS as i32;
+        hax_lib::fstar!(
+            "assert (v ($decompressed <<! mk_i32 1) == v $decompressed * 2);
+          assert (v (mk_i32 1 <<! $COEFFICIENT_BITS) == pow2 (v $COEFFICIENT_BITS));
+          assert (v (($decompressed <<! mk_i32 1) +! (mk_i32 1 <<! $COEFFICIENT_BITS)) ==
+            v ($decompressed <<! mk_i32 1) + v (mk_i32 1 <<! $COEFFICIENT_BITS))"
+        );
         decompressed = (decompressed << 1) + (1i32 << COEFFICIENT_BITS);
+        hax_lib::fstar!(
+            "assert (v ($COEFFICIENT_BITS +! mk_i32 1) == v $COEFFICIENT_BITS + 1);
+          assert (v ($decompressed >>! ($COEFFICIENT_BITS +! mk_i32 1 <: i32)) ==
+            v $decompressed / pow2 (v $COEFFICIENT_BITS + 1))"
+        );
         decompressed = decompressed >> (COEFFICIENT_BITS + 1);
-        v.elements[i] = decompressed as i16;
+        hax_lib::fstar!(
+            "assert (v $decompressed < v $FIELD_MODULUS);
+          assert (v (cast $decompressed <: i16) < v $FIELD_MODULUS)"
+        );
+        a.elements[i] = decompressed as i16;
     }
 
-    // debug_assert!(to_i16_array(v)
-    //     .into_iter()
-    //     .all(|coefficient| coefficient.abs() as u16 <= 1 << 12));
-
-    v
+    a
 }
diff --git a/libcrux-ml-kem/src/vector/portable/ntt.rs b/libcrux-ml-kem/src/vector/portable/ntt.rs
index d6eb66396..85d053afc 100644
--- a/libcrux-ml-kem/src/vector/portable/ntt.rs
+++ b/libcrux-ml-kem/src/vector/portable/ntt.rs
@@ -2,111 +2,244 @@ use super::arithmetic::*;
 use super::vector_type::*;
 
 #[inline(always)]
-pub(crate) fn ntt_step(v: &mut PortableVector, zeta: i16, i: usize, j: usize) {
-    let t = montgomery_multiply_fe_by_fer(v.elements[j], zeta);
-    v.elements[j] = v.elements[i] - t;
-    v.elements[i] = v.elements[i] + t;
+#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")]
+#[hax_lib::requires(fstar!(r#"v i < 16 /\ v j < 16 /\ v i <> v j /\ 
+                            Spec.Utils.is_i16b 1664 $zeta  /\
+                            Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\
+                            Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[i] /\
+                            Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[j]"#))]
+#[hax_lib::ensures(|result| fstar!(r#"(forall k. (k <> v i /\ k <> v j) ==>
+                                         Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\
+                                    (forall b. (Spec.Utils.is_i16b b ${vec}.f_elements.[i] /\
+                                               Spec.Utils.is_i16b b ${vec}.f_elements.[j]) ==>
+                                              (Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[i] /\
+                                               Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[j])) /\
+                                    Spec.Utils.ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"#))]
+pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) {
+    let t = montgomery_multiply_fe_by_fer(vec.elements[j], zeta);
+    hax_lib::fstar!(
+        "assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329))"
+    );
+    let a_minus_t = vec.elements[i] - t;
+    hax_lib::fstar!(
+        r#"
+    calc (==) {
+        v $a_minus_t % 3329;
+        (==) {}
+        (v (Seq.index vec.f_elements (v i)) - v ${t}) % 3329;
+        (==) {Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v $i))) (v $t) 3329}
+        (v (Seq.index vec.f_elements (v $i)) - (v $t % 3329)) % 3329;
+        (==) {}
+        (v (Seq.index vec.f_elements (v i)) - ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329;
+        (==) {Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329}
+        (v (Seq.index vec.f_elements (v $i)) - (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329;
+        }"#
+    );
+    let a_plus_t = vec.elements[i] + t;
+    hax_lib::fstar!(
+        r#"
+    calc (==) {
+        v a_plus_t % 3329;
+        (==) {}
+        (v (Seq.index vec.f_elements (v $i)) + v $t) % 3329;
+        (==) {Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v $i))) (v $t) 3329}
+        (v (Seq.index vec.f_elements (v $i)) + (v $t % 3329)) % 3329;
+        (==) {}
+        (v (Seq.index vec.f_elements (v $i)) + ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329;
+        (==) {Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329}
+        (v (Seq.index vec.f_elements (v $i)) + (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329;
+    }"#
+    );
+    vec.elements[j] = a_minus_t;
+    vec.elements[i] = a_plus_t;
+    hax_lib::fstar!(
+        "assert (Seq.index vec.f_elements (v i) == a_plus_t);
+                     assert (Seq.index vec.f_elements (v j) == a_minus_t)"
+    );
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 100")]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                            Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                            Spec.Utils.is_i16b_array (11207+5*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) ${result}.f_elements"#))]
 pub(crate) fn ntt_layer_1_step(
-    mut v: PortableVector,
+    mut vec: PortableVector,
     zeta0: i16,
     zeta1: i16,
     zeta2: i16,
     zeta3: i16,
 ) -> PortableVector {
-    ntt_step(&mut v, zeta0, 0, 2);
-    ntt_step(&mut v, zeta0, 1, 3);
-    ntt_step(&mut v, zeta1, 4, 6);
-    ntt_step(&mut v, zeta1, 5, 7);
-    ntt_step(&mut v, zeta2, 8, 10);
-    ntt_step(&mut v, zeta2, 9, 11);
-    ntt_step(&mut v, zeta3, 12, 14);
-    ntt_step(&mut v, zeta3, 13, 15);
-    v
+    ntt_step(&mut vec, zeta0, 0, 2);
+    ntt_step(&mut vec, zeta0, 1, 3);
+    ntt_step(&mut vec, zeta1, 4, 6);
+    ntt_step(&mut vec, zeta1, 5, 7);
+    ntt_step(&mut vec, zeta2, 8, 10);
+    ntt_step(&mut vec, zeta2, 9, 11);
+    ntt_step(&mut vec, zeta3, 12, 14);
+    ntt_step(&mut vec, zeta3, 13, 15);
+    vec
 }
 
 #[inline(always)]
-pub(crate) fn ntt_layer_2_step(mut v: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector {
-    ntt_step(&mut v, zeta0, 0, 4);
-    ntt_step(&mut v, zeta0, 1, 5);
-    ntt_step(&mut v, zeta0, 2, 6);
-    ntt_step(&mut v, zeta0, 3, 7);
-    ntt_step(&mut v, zeta1, 8, 12);
-    ntt_step(&mut v, zeta1, 9, 13);
-    ntt_step(&mut v, zeta1, 10, 14);
-    ntt_step(&mut v, zeta1, 11, 15);
-    v
+#[hax_lib::fstar::options("--z3rlimit 100")]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                            Spec.Utils.is_i16b_array (11207+4*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) ${result}.f_elements"#))]
+pub(crate) fn ntt_layer_2_step(mut vec: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector {
+    ntt_step(&mut vec, zeta0, 0, 4);
+    ntt_step(&mut vec, zeta0, 1, 5);
+    ntt_step(&mut vec, zeta0, 2, 6);
+    ntt_step(&mut vec, zeta0, 3, 7);
+    ntt_step(&mut vec, zeta1, 8, 12);
+    ntt_step(&mut vec, zeta1, 9, 13);
+    ntt_step(&mut vec, zeta1, 10, 14);
+    ntt_step(&mut vec, zeta1, 11, 15);
+    vec
 }
 
 #[inline(always)]
-pub(crate) fn ntt_layer_3_step(mut v: PortableVector, zeta: i16) -> PortableVector {
-    ntt_step(&mut v, zeta, 0, 8);
-    ntt_step(&mut v, zeta, 1, 9);
-    ntt_step(&mut v, zeta, 2, 10);
-    ntt_step(&mut v, zeta, 3, 11);
-    ntt_step(&mut v, zeta, 4, 12);
-    ntt_step(&mut v, zeta, 5, 13);
-    ntt_step(&mut v, zeta, 6, 14);
-    ntt_step(&mut v, zeta, 7, 15);
-    v
+#[hax_lib::fstar::options("--z3rlimit 100")]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                            Spec.Utils.is_i16b_array (11207+3*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) ${result}.f_elements"#))]
+pub(crate) fn ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector {
+    ntt_step(&mut vec, zeta, 0, 8);
+    ntt_step(&mut vec, zeta, 1, 9);
+    ntt_step(&mut vec, zeta, 2, 10);
+    ntt_step(&mut vec, zeta, 3, 11);
+    ntt_step(&mut vec, zeta, 4, 12);
+    ntt_step(&mut vec, zeta, 5, 13);
+    ntt_step(&mut vec, zeta, 6, 14);
+    ntt_step(&mut vec, zeta, 7, 15);
+    vec
 }
 
 #[inline(always)]
-pub(crate) fn inv_ntt_step(v: &mut PortableVector, zeta: i16, i: usize, j: usize) {
-    let a_minus_b = v.elements[j] - v.elements[i];
-    v.elements[i] = barrett_reduce_element(v.elements[i] + v.elements[j]);
-    v.elements[j] = montgomery_multiply_fe_by_fer(a_minus_b, zeta);
+#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")]
+#[hax_lib::requires(fstar!(r#"v i < 16 /\ v j < 16 /\  v i <> v j /\ 
+                        Spec.Utils.is_i16b 1664 $zeta /\
+                        Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (4*3328) ${vec}_future.f_elements /\
+                                    (forall k. (k <> v i /\ k <> v j) ==>
+                                         Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\
+                                    Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v i)) /\
+                                    Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v j)) /\
+                                    Spec.Utils.inv_ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"#))]
+pub(crate) fn inv_ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) {
+    let a_minus_b = vec.elements[j] - vec.elements[i];
+    let a_plus_b = vec.elements[j] + vec.elements[i];
+    hax_lib::fstar!(
+        r#"assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i)));
+                     assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i)))"#
+    );
+    let o0 = barrett_reduce_element(a_plus_b);
+    let o1 = montgomery_multiply_fe_by_fer(a_minus_b, zeta);
+    hax_lib::fstar!(
+        r#"
+    calc (==) {
+        v o0 % 3329;
+        (==) { }
+        v a_plus_b % 3329;
+        (==) { }
+        (v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) % 3329;
+    };
+    calc (==) {
+        v o1 % 3329;
+        (==) { }
+        (v a_minus_b * v zeta * 169) % 3329;
+        (==) { }
+        ((v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))) * v zeta * 169) % 3329;
+    }"#
+    );
+    vec.elements[i] = o0;
+    vec.elements[j] = o1;
+    hax_lib::fstar!(
+        r#"assert (Seq.index vec.f_elements (v i) == o0);
+                     assert (Seq.index vec.f_elements (v j) == o1)"#
+    );
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 200")]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                            Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                            Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements"#))]
 pub(crate) fn inv_ntt_layer_1_step(
-    mut v: PortableVector,
+    mut vec: PortableVector,
     zeta0: i16,
     zeta1: i16,
     zeta2: i16,
     zeta3: i16,
 ) -> PortableVector {
-    inv_ntt_step(&mut v, zeta0, 0, 2);
-    inv_ntt_step(&mut v, zeta0, 1, 3);
-    inv_ntt_step(&mut v, zeta1, 4, 6);
-    inv_ntt_step(&mut v, zeta1, 5, 7);
-    inv_ntt_step(&mut v, zeta2, 8, 10);
-    inv_ntt_step(&mut v, zeta2, 9, 11);
-    inv_ntt_step(&mut v, zeta3, 12, 14);
-    inv_ntt_step(&mut v, zeta3, 13, 15);
-    v
+    inv_ntt_step(&mut vec, zeta0, 0, 2);
+    inv_ntt_step(&mut vec, zeta0, 1, 3);
+    inv_ntt_step(&mut vec, zeta1, 4, 6);
+    inv_ntt_step(&mut vec, zeta1, 5, 7);
+    inv_ntt_step(&mut vec, zeta2, 8, 10);
+    inv_ntt_step(&mut vec, zeta2, 9, 11);
+    inv_ntt_step(&mut vec, zeta3, 12, 14);
+    inv_ntt_step(&mut vec, zeta3, 13, 15);
+    hax_lib::fstar!(
+        r#"assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 13));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 15));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 12));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 14));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 9));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 11));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 8));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 10));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 5));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 7));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 4));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 6));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 1));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 3));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 0));
+        assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 2));
+        assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements i))"#
+    );
+    vec
 }
 
 #[inline(always)]
+#[hax_lib::fstar::options("--z3rlimit 100")]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                            Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements"#))]
 pub(crate) fn inv_ntt_layer_2_step(
-    mut v: PortableVector,
+    mut vec: PortableVector,
     zeta0: i16,
     zeta1: i16,
 ) -> PortableVector {
-    inv_ntt_step(&mut v, zeta0, 0, 4);
-    inv_ntt_step(&mut v, zeta0, 1, 5);
-    inv_ntt_step(&mut v, zeta0, 2, 6);
-    inv_ntt_step(&mut v, zeta0, 3, 7);
-    inv_ntt_step(&mut v, zeta1, 8, 12);
-    inv_ntt_step(&mut v, zeta1, 9, 13);
-    inv_ntt_step(&mut v, zeta1, 10, 14);
-    inv_ntt_step(&mut v, zeta1, 11, 15);
-    v
+    inv_ntt_step(&mut vec, zeta0, 0, 4);
+    inv_ntt_step(&mut vec, zeta0, 1, 5);
+    inv_ntt_step(&mut vec, zeta0, 2, 6);
+    inv_ntt_step(&mut vec, zeta0, 3, 7);
+    inv_ntt_step(&mut vec, zeta1, 8, 12);
+    inv_ntt_step(&mut vec, zeta1, 9, 13);
+    inv_ntt_step(&mut vec, zeta1, 10, 14);
+    inv_ntt_step(&mut vec, zeta1, 11, 15);
+    vec
 }
 
 #[inline(always)]
-pub(crate) fn inv_ntt_layer_3_step(mut v: PortableVector, zeta: i16) -> PortableVector {
-    inv_ntt_step(&mut v, zeta, 0, 8);
-    inv_ntt_step(&mut v, zeta, 1, 9);
-    inv_ntt_step(&mut v, zeta, 2, 10);
-    inv_ntt_step(&mut v, zeta, 3, 11);
-    inv_ntt_step(&mut v, zeta, 4, 12);
-    inv_ntt_step(&mut v, zeta, 5, 13);
-    inv_ntt_step(&mut v, zeta, 6, 14);
-    inv_ntt_step(&mut v, zeta, 7, 15);
-    v
+#[hax_lib::fstar::options("--z3rlimit 100")]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                            Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements"#))]
+pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector {
+    inv_ntt_step(&mut vec, zeta, 0, 8);
+    inv_ntt_step(&mut vec, zeta, 1, 9);
+    inv_ntt_step(&mut vec, zeta, 2, 10);
+    inv_ntt_step(&mut vec, zeta, 3, 11);
+    inv_ntt_step(&mut vec, zeta, 4, 12);
+    inv_ntt_step(&mut vec, zeta, 5, 13);
+    inv_ntt_step(&mut vec, zeta, 6, 14);
+    inv_ntt_step(&mut vec, zeta, 7, 15);
+    vec
 }
 
 /// Compute the product of two Kyber binomials with respect to the
@@ -130,43 +263,141 @@ pub(crate) fn inv_ntt_layer_3_step(mut v: PortableVector, zeta: i16) -> Portable
 /// The NIST FIPS 203 standard can be found at
 /// <https://csrc.nist.gov/pubs/fips/203/ipd>.
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::fstar::options(
+    "--z3rlimit 250 --split_queries always --query_stats --ext context_prune"
+)]
+#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")]
+#[hax_lib::requires(fstar!(r#"v i < 8 /\ Spec.Utils.is_i16b 1664 $zeta /\
+        Spec.Utils.is_i16b_array 3328 ${a}.f_elements /\
+        Spec.Utils.is_i16b_array 3328 ${b}.f_elements /\
+        Spec.Utils.is_i16b_array 3328 ${out}.f_elements "#))]
+#[hax_lib::ensures(|()| fstar!(r#"
+        Spec.Utils.is_i16b_array 3328 ${out}_future.f_elements /\
+        (forall k. (k <> 2 * v $i /\ k <> 2 * v $i + 1) ==> 
+                    Seq.index ${out}_future.f_elements k == Seq.index ${out}.f_elements k) /\                 
+        (let ai = Seq.index ${a}.f_elements (2 * v $i) in
+         let aj = Seq.index ${a}.f_elements (2 * v $i + 1) in
+         let bi = Seq.index ${b}.f_elements (2 * v $i) in
+         let bj = Seq.index ${b}.f_elements (2 * v $i + 1) in
+         let oi = Seq.index out_future.f_elements (2 * v $i) in
+         let oj = Seq.index out_future.f_elements (2 * v $i + 1) in
+         ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\
+         ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))"#))]
 pub(crate) fn ntt_multiply_binomials(
     a: &PortableVector,
     b: &PortableVector,
     zeta: FieldElementTimesMontgomeryR,
     i: usize,
-    j: usize,
     out: &mut PortableVector,
 ) {
-    let o0 = montgomery_reduce_element(
-        (a.elements[i] as i32) * (b.elements[i] as i32)
-            + (montgomery_reduce_element((a.elements[j] as i32) * (b.elements[j] as i32)) as i32)
-                * (zeta as i32),
+    let ai = a.elements[2 * i];
+    let bi = b.elements[2 * i];
+    let aj = a.elements[2 * i + 1];
+    let bj = b.elements[2 * i + 1];
+    hax_lib::fstar!(
+        "assert(Spec.Utils.is_i16b 3328 $ai);
+                     assert(Spec.Utils.is_i16b 3328 $bi);
+                     assert(Spec.Utils.is_i16b 3328 $aj);
+                     assert(Spec.Utils.is_i16b 3328 $bj);
+                     assert_norm (3328 * 3328 < pow2 31)"
+    );
+
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bi"#);
+    let ai_bi = (ai as i32) * (bi as i32);
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bj"#);
+    let aj_bj_ = (aj as i32) * (bj as i32);
+    hax_lib::fstar!(r#"assert_norm (3328 * 3328 <= 3328 * pow2 15)"#);
+    let aj_bj = montgomery_reduce_element(aj_bj_);
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 1664 $aj_bj $zeta"#);
+    let aj_bj_zeta = (aj_bj as i32) * (zeta as i32);
+    let ai_bi_aj_bj = ai_bi + aj_bj_zeta;
+    hax_lib::fstar!(r#"assert(Spec.Utils.is_i32b (3328*3328 + 3328*1664) $ai_bi_aj_bj)"#);
+    hax_lib::fstar!(r#"assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15)"#);
+    let o0 = montgomery_reduce_element(ai_bi_aj_bj);
+    hax_lib::fstar!(
+        r#"calc  ( == ) {
+        v $o0 % 3329;
+        ( == ) { () }
+        (v $ai_bi_aj_bj * 169) % 3329;
+        ( == ) { assert(v $ai_bi_aj_bj == v $ai_bi + v $aj_bj_zeta) }
+        ((v $ai_bi + v $aj_bj_zeta) * 169) % 3329;
+        ( == ) { assert (v $ai_bi == v $ai * v $bi) }
+        (((v $ai * v $bi) + v $aj_bj_zeta) * 169) % 3329;
+        ( == ) { assert (v $aj_bj_zeta == v $aj_bj * v $zeta) }
+        (((v $ai * v $bi) + (v $aj_bj * v $zeta)) * 169) % 3329;
+        ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + (v aj_bj * v zeta)) 169 3329 }
+        ((((v $ai * v $bi) + (v $aj_bj * v $zeta)) % 3329) * 169) % 3329;
+        ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj_bj * v zeta) 3329 }
+        (((v $ai * v $bi) + ((v $aj_bj * v $zeta) % 3329)) % 3329 * 169) % 3329;
+        ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj_bj) (v zeta) 3329 }
+        (((v $ai * v $bi) + ((v $aj_bj % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329;
+        ( == ) { assert(v aj_bj % 3329 == (v $aj_bj_ * 169) % 3329) }
+        (((v $ai * v $bi) + (((v $aj_bj_ * 169) % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329;
+        ( == ) { assert(v $aj_bj_ == v $aj * v $bj) }
+        (((v $ai * v $bi) + (((v $aj * v $bj * 169) % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329;
+        ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v $aj * v $bj * 169) (v $zeta) 3329 }
+        (((v $ai * v $bi) + (((v $aj * v $bj * 169 * v $zeta) % 3329))) % 3329 * 169) % 3329;
+        ( == ) { Math.Lemmas.lemma_mod_add_distr (v $ai * v $bi) (v $aj * v $bj * 169 * v $zeta) 3329 }
+        (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) % 3329 * 169) % 3329;
+        ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) 169 3329 }
+        (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) * 169) % 3329;
+        }"#
+    );
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bj"#);
+    let ai_bj = (ai as i32) * (bj as i32);
+    hax_lib::fstar!(r#"Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bi"#);
+    let aj_bi = (aj as i32) * (bi as i32);
+    let ai_bj_aj_bi = ai_bj + aj_bi;
+    hax_lib::fstar!(r#"assert(Spec.Utils.is_i32b (3328*3328 + 3328*3328) ai_bj_aj_bi) "#);
+    hax_lib::fstar!(r#"assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15)"#);
+    let o1 = montgomery_reduce_element(ai_bj_aj_bi);
+    hax_lib::fstar!(
+        "calc  ( == ) {
+        v $o1 % 3329;
+        ( == ) { () }
+        (v $ai_bj_aj_bi * 169) % 3329;
+        ( == ) { assert(v $ai_bj_aj_bi == v $ai_bj + v $aj_bi) }
+        ((v $ai_bj + v $aj_bi) * 169) % 3329;
+        ( == ) { assert (v ai_bj == v ai * v bj) }
+        ((v ai * v bj + v aj_bi) * 169) % 3329;
+        ( == ) { assert (v aj_bi == v aj * v bi) }
+        ((v ai * v bj + v aj * v bi) * 169) % 3329;
+    }"
     );
-    let o1 = montgomery_reduce_element(
-        (a.elements[i] as i32) * (b.elements[j] as i32)
-            + (a.elements[j] as i32) * (b.elements[i] as i32),
+    let _out0 = out.elements;
+    out.elements[2 * i] = o0;
+    out.elements[2 * i + 1] = o1;
+    hax_lib::fstar!(
+        r#"assert (Seq.index out.f_elements (2 * v i) == o0);
+                     assert (Seq.index out.f_elements (2 * v i + 1) == o1);
+                     assert (Spec.Utils.is_i16b_array 3328 out.f_elements);
+                     assert (forall k. (k <> 2 * v i /\ k <> 2 * v i + 1) ==>
+                                        Seq.index out.f_elements k ==
+                                        Seq.index ${_out0} k)"#
     );
-    out.elements[i] = o0;
-    out.elements[j] = o1;
 }
 
-// #[inline(always)]
-// pub(crate) fn ntt_multiply_binomials(
-//     (a0, a1): (FieldElement, FieldElement),
-//     (b0, b1): (FieldElement, FieldElement),
-//     zeta: FieldElementTimesMontgomeryR,
-// ) -> (MontgomeryFieldElement, MontgomeryFieldElement) {
-//     (
-//         montgomery_reduce_element(
-//             (a0 as i32) * (b0 as i32)
-//                 + (montgomery_reduce_element((a1 as i32) * (b1 as i32)) as i32) * (zeta as i32),
-//         ),
-//         montgomery_reduce_element((a0 as i32) * (b1 as i32) + (a1 as i32) * (b0 as i32)),
-//     )
-// }
-
 #[inline(always)]
+#[hax_lib::fstar::verification_status(panic_free)]
+#[hax_lib::fstar::options("--z3rlimit 100")]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $zeta0 /\
+        Spec.Utils.is_i16b 1664 $zeta1 /\
+        Spec.Utils.is_i16b 1664 $zeta2 /\
+        Spec.Utils.is_i16b 1664 $zeta3 /\
+        Spec.Utils.is_i16b_array 3328 ${lhs}.f_elements /\
+        Spec.Utils.is_i16b_array 3328 ${rhs}.f_elements "#))]
+#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\
+          (let zetas = Seq.seq_of_list [v zeta0; - v zeta0; v zeta1; - v zeta1; v zeta2; - v zeta2; v zeta3; - v zeta3] in
+          (forall (i:nat). i < 8 ==>
+           (let ai = Seq.index lhs.f_elements (2 * i) in
+            let aj = Seq.index lhs.f_elements (2 * i + 1) in
+            let bi = Seq.index rhs.f_elements (2 * i) in
+            let bj = Seq.index rhs.f_elements (2 * i + 1) in
+            let oi = Seq.index result.f_elements (2 * i) in
+            let oj = Seq.index result.f_elements (2 * i + 1) in
+            ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\
+            ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))))"#))]
 pub(crate) fn ntt_multiply(
     lhs: &PortableVector,
     rhs: &PortableVector,
@@ -175,14 +406,31 @@ pub(crate) fn ntt_multiply(
     zeta2: i16,
     zeta3: i16,
 ) -> PortableVector {
+    let nzeta0 = -zeta0;
+    let nzeta1 = -zeta1;
+    let nzeta2 = -zeta2;
+    let nzeta3 = -zeta3;
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta0)"#);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta1)"#);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta2)"#);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta3)"#);
     let mut out = zero();
-    ntt_multiply_binomials(lhs, rhs, zeta0, 0, 1, &mut out);
-    ntt_multiply_binomials(lhs, rhs, -zeta0, 2, 3, &mut out);
-    ntt_multiply_binomials(lhs, rhs, zeta1, 4, 5, &mut out);
-    ntt_multiply_binomials(lhs, rhs, -zeta1, 6, 7, &mut out);
-    ntt_multiply_binomials(lhs, rhs, zeta2, 8, 9, &mut out);
-    ntt_multiply_binomials(lhs, rhs, -zeta2, 10, 11, &mut out);
-    ntt_multiply_binomials(lhs, rhs, zeta3, 12, 13, &mut out);
-    ntt_multiply_binomials(lhs, rhs, -zeta3, 14, 15, &mut out);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
+    ntt_multiply_binomials(lhs, rhs, zeta0, 0, &mut out);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
+    ntt_multiply_binomials(lhs, rhs, nzeta0, 1, &mut out);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
+    ntt_multiply_binomials(lhs, rhs, zeta1, 2, &mut out);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
+    ntt_multiply_binomials(lhs, rhs, nzeta1, 3, &mut out);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
+    ntt_multiply_binomials(lhs, rhs, zeta2, 4, &mut out);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
+    ntt_multiply_binomials(lhs, rhs, nzeta2, 5, &mut out);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
+    ntt_multiply_binomials(lhs, rhs, zeta3, 6, &mut out);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
+    ntt_multiply_binomials(lhs, rhs, nzeta3, 7, &mut out);
+    hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#);
     out
 }
diff --git a/libcrux-ml-kem/src/vector/portable/sampling.rs b/libcrux-ml-kem/src/vector/portable/sampling.rs
index 87dacce97..b2f4b4110 100644
--- a/libcrux-ml-kem/src/vector/portable/sampling.rs
+++ b/libcrux-ml-kem/src/vector/portable/sampling.rs
@@ -1,6 +1,11 @@
 use crate::vector::FIELD_MODULUS;
 
 #[inline(always)]
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(a.len() == 24 && result.len() == 16)]
+#[hax_lib::ensures(|res|
+        fstar!(r#"Seq.length $result_future == Seq.length $result /\ v $res <= 16"#)
+    )]
 pub(crate) fn rej_sample(a: &[u8], result: &mut [i16]) -> usize {
     let mut sampled = 0;
     for i in 0..a.len() / 3 {
diff --git a/libcrux-ml-kem/src/vector/portable/serialize.rs b/libcrux-ml-kem/src/vector/portable/serialize.rs
index e0818dc28..9a6522847 100644
--- a/libcrux-ml-kem/src/vector/portable/serialize.rs
+++ b/libcrux-ml-kem/src/vector/portable/serialize.rs
@@ -13,33 +13,159 @@
 // and code that updates arrays (in the outer functions).
 
 use super::vector_type::*;
-use crate::vector::traits::FIELD_ELEMENTS_IN_VECTOR;
 
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+  (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) 
+  (ensures bit_vec_of_int_t_array (${serialize_1} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1)
+"))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--z3rlimit 300\"
+
+let serialize_1_lemma inputs =
+  serialize_1_bit_vec_lemma inputs.f_elements ();
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_1} inputs) 8) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 1))
+
+#pop-options
+"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16))
+  (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 1))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 1 in
+     let outputs = bit_vec_of_int_t_array (${serialize_1} ({ f_elements = v })) 8 in
+     (forall (i: nat {i < 16}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+"
+    )
+)]
 #[inline(always)]
 pub(crate) fn serialize_1(v: PortableVector) -> [u8; 2] {
-    let mut result = [0u8; 2];
-    for i in 0..8 {
-        result[0] |= (v.elements[i] as u8) << i;
-    }
-    for i in 8..16 {
-        result[1] |= (v.elements[i] as u8) << (i - 8);
-    }
-    result
+    let result0 = (v.elements[0] as u8)
+        | ((v.elements[1] as u8) << 1)
+        | ((v.elements[2] as u8) << 2)
+        | ((v.elements[3] as u8) << 3)
+        | ((v.elements[4] as u8) << 4)
+        | ((v.elements[5] as u8) << 5)
+        | ((v.elements[6] as u8) << 6)
+        | ((v.elements[7] as u8) << 7);
+    let result1 = (v.elements[8] as u8)
+        | ((v.elements[9] as u8) << 1)
+        | ((v.elements[10] as u8) << 2)
+        | ((v.elements[11] as u8) << 3)
+        | ((v.elements[12] as u8) << 4)
+        | ((v.elements[13] as u8) << 5)
+        | ((v.elements[14] as u8) << 6)
+        | ((v.elements[15] as u8) << 7);
+    [result0, result1]
 }
 
+//deserialize_1_bounded_lemma
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        interface,
+        "
+val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma
+  (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_1} inputs).f_elements i) 1)
+"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+let deserialize_1_bounded_lemma inputs =
+  admit()
+"
+    )
+)]
+//deserialize_1_lemma
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma
+  (ensures bit_vec_of_int_t_array (${deserialize_1} inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8)
+"))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--z3rlimit 300\"
+
+let deserialize_1_lemma inputs =
+  deserialize_1_bit_vec_lemma inputs;
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_1} inputs).f_elements 1) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+
+#pop-options
+"
+    )
+)]
+//deserialize_1_bit_vec_lemma
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 8 in
+     let outputs = bit_vec_of_int_t_array (${deserialize_1} v).f_elements 1 in
+     (forall (i: nat {i < 16}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+"
+    )
+)]
+#[hax_lib::requires(fstar!(r#"
+     ${v.len() == 2}
+"#))]
 #[inline(always)]
 pub(crate) fn deserialize_1(v: &[u8]) -> PortableVector {
-    let mut result = zero();
-    for i in 0..8 {
-        result.elements[i] = ((v[0] >> i) & 0x1) as i16;
+    let result0 = (v[0] & 0x1) as i16;
+    let result1 = ((v[0] >> 1) & 0x1) as i16;
+    let result2 = ((v[0] >> 2) & 0x1) as i16;
+    let result3 = ((v[0] >> 3) & 0x1) as i16;
+    let result4 = ((v[0] >> 4) & 0x1) as i16;
+    let result5 = ((v[0] >> 5) & 0x1) as i16;
+    let result6 = ((v[0] >> 6) & 0x1) as i16;
+    let result7 = ((v[0] >> 7) & 0x1) as i16;
+    let result8 = (v[1] & 0x1) as i16;
+    let result9 = ((v[1] >> 1) & 0x1) as i16;
+    let result10 = ((v[1] >> 2) & 0x1) as i16;
+    let result11 = ((v[1] >> 3) & 0x1) as i16;
+    let result12 = ((v[1] >> 4) & 0x1) as i16;
+    let result13 = ((v[1] >> 5) & 0x1) as i16;
+    let result14 = ((v[1] >> 6) & 0x1) as i16;
+    let result15 = ((v[1] >> 7) & 0x1) as i16;
+    PortableVector {
+        elements: [
+            result0, result1, result2, result3, result4, result5, result6, result7, result8,
+            result9, result10, result11, result12, result13, result14, result15,
+        ],
     }
-    for i in 8..FIELD_ELEMENTS_IN_VECTOR {
-        result.elements[i] = ((v[1] >> (i - 8)) & 0x1) as i16;
-    }
-    result
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${v.len() == 8}
+"#))]
 pub(crate) fn serialize_4_int(v: &[i16]) -> (u8, u8, u8, u8) {
     let result0 = ((v[1] as u8) << 4) | (v[0] as u8);
     let result1 = ((v[3] as u8) << 4) | (v[2] as u8);
@@ -48,23 +174,65 @@ pub(crate) fn serialize_4_int(v: &[i16]) -> (u8, u8, u8, u8) {
     (result0, result1, result2, result3)
 }
 
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+  (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) 
+  (ensures bit_vec_of_int_t_array (${serialize_4} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4)
+"))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--z3rlimit 300\"
+
+let serialize_4_lemma inputs =
+  serialize_4_bit_vec_lemma inputs.f_elements ();
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_4} inputs) 8) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4))
+
+#pop-options
+"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16))
+  (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 4))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 4 in
+     let outputs = bit_vec_of_int_t_array (${serialize_4} ({ f_elements = v })) 8 in
+     (forall (i: nat {i < 64}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+"
+    )
+)]
 #[inline(always)]
 pub(crate) fn serialize_4(v: PortableVector) -> [u8; 8] {
     let result0_3 = serialize_4_int(&v.elements[0..8]);
     let result4_7 = serialize_4_int(&v.elements[8..16]);
-    let mut result = [0u8; 8];
-    result[0] = result0_3.0;
-    result[1] = result0_3.1;
-    result[2] = result0_3.2;
-    result[3] = result0_3.3;
-    result[4] = result4_7.0;
-    result[5] = result4_7.1;
-    result[6] = result4_7.2;
-    result[7] = result4_7.3;
-    result
+    [
+        result0_3.0,
+        result0_3.1,
+        result0_3.2,
+        result0_3.3,
+        result4_7.0,
+        result4_7.1,
+        result4_7.2,
+        result4_7.3,
+    ]
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 4}
+"#))]
 pub(crate) fn deserialize_4_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) {
     let v0 = (bytes[0] & 0x0F) as i16;
     let v1 = ((bytes[0] >> 4) & 0x0F) as i16;
@@ -77,31 +245,84 @@ pub(crate) fn deserialize_4_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16,
     (v0, v1, v2, v3, v4, v5, v6, v7)
 }
 
+//deserialize_4_bounded_lemma
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        interface,
+        "
+val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma
+  (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_4} inputs).f_elements i) 4)
+"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+let deserialize_4_bounded_lemma inputs =
+  admit()
+"
+    )
+)]
+//deserialize_4_lemma
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma
+  (ensures bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8)
+"))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--z3rlimit 300\"
+
+let deserialize_4_lemma inputs =
+  deserialize_4_bit_vec_lemma inputs;
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+
+#pop-options
+"
+    )
+)]
+//deserialize_4_bit_vec_lemma
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 8 in
+     let outputs = bit_vec_of_int_t_array (${deserialize_4} v).f_elements 4 in
+     (forall (i: nat {i < 64}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+"
+    )
+)]
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 8}
+"#))]
 #[inline(always)]
 pub(crate) fn deserialize_4(bytes: &[u8]) -> PortableVector {
     let v0_7 = deserialize_4_int(&bytes[0..4]);
     let v8_15 = deserialize_4_int(&bytes[4..8]);
-    let mut v = zero();
-    v.elements[0] = v0_7.0;
-    v.elements[1] = v0_7.1;
-    v.elements[2] = v0_7.2;
-    v.elements[3] = v0_7.3;
-    v.elements[4] = v0_7.4;
-    v.elements[5] = v0_7.5;
-    v.elements[6] = v0_7.6;
-    v.elements[7] = v0_7.7;
-    v.elements[8] = v8_15.0;
-    v.elements[9] = v8_15.1;
-    v.elements[10] = v8_15.2;
-    v.elements[11] = v8_15.3;
-    v.elements[12] = v8_15.4;
-    v.elements[13] = v8_15.5;
-    v.elements[14] = v8_15.6;
-    v.elements[15] = v8_15.7;
-    v
+    PortableVector {
+        elements: [
+            v0_7.0, v0_7.1, v0_7.2, v0_7.3, v0_7.4, v0_7.5, v0_7.6, v0_7.7, v8_15.0, v8_15.1,
+            v8_15.2, v8_15.3, v8_15.4, v8_15.5, v8_15.6, v8_15.7,
+        ],
+    }
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${v.len() == 8}
+"#))]
 pub(crate) fn serialize_5_int(v: &[i16]) -> (u8, u8, u8, u8, u8) {
     let r0 = (v[0] | v[1] << 5) as u8;
     let r1 = (v[1] >> 3 | v[2] << 2 | v[3] << 7) as u8;
@@ -115,21 +336,15 @@ pub(crate) fn serialize_5_int(v: &[i16]) -> (u8, u8, u8, u8, u8) {
 pub(crate) fn serialize_5(v: PortableVector) -> [u8; 10] {
     let r0_4 = serialize_5_int(&v.elements[0..8]);
     let r5_9 = serialize_5_int(&v.elements[8..16]);
-    let mut result = [0u8; 10];
-    result[0] = r0_4.0;
-    result[1] = r0_4.1;
-    result[2] = r0_4.2;
-    result[3] = r0_4.3;
-    result[4] = r0_4.4;
-    result[5] = r5_9.0;
-    result[6] = r5_9.1;
-    result[7] = r5_9.2;
-    result[8] = r5_9.3;
-    result[9] = r5_9.4;
-    result
+    [
+        r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4,
+    ]
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 5}
+"#))]
 pub(crate) fn deserialize_5_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) {
     let v0 = (bytes[0] & 0x1F) as i16;
     let v1 = ((bytes[1] & 0x3) << 3 | (bytes[0] >> 5)) as i16;
@@ -142,31 +357,25 @@ pub(crate) fn deserialize_5_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16,
     (v0, v1, v2, v3, v4, v5, v6, v7)
 }
 
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 10}
+"#))]
 #[inline(always)]
 pub(crate) fn deserialize_5(bytes: &[u8]) -> PortableVector {
     let v0_7 = deserialize_5_int(&bytes[0..5]);
     let v8_15 = deserialize_5_int(&bytes[5..10]);
-    let mut v = zero();
-    v.elements[0] = v0_7.0;
-    v.elements[1] = v0_7.1;
-    v.elements[2] = v0_7.2;
-    v.elements[3] = v0_7.3;
-    v.elements[4] = v0_7.4;
-    v.elements[5] = v0_7.5;
-    v.elements[6] = v0_7.6;
-    v.elements[7] = v0_7.7;
-    v.elements[8] = v8_15.0;
-    v.elements[9] = v8_15.1;
-    v.elements[10] = v8_15.2;
-    v.elements[11] = v8_15.3;
-    v.elements[12] = v8_15.4;
-    v.elements[13] = v8_15.5;
-    v.elements[14] = v8_15.6;
-    v.elements[15] = v8_15.7;
-    v
+    PortableVector {
+        elements: [
+            v0_7.0, v0_7.1, v0_7.2, v0_7.3, v0_7.4, v0_7.5, v0_7.6, v0_7.7, v8_15.0, v8_15.1,
+            v8_15.2, v8_15.3, v8_15.4, v8_15.5, v8_15.6, v8_15.7,
+        ],
+    }
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${v.len() == 4}
+"#))]
 pub(crate) fn serialize_10_int(v: &[i16]) -> (u8, u8, u8, u8, u8) {
     let r0 = (v[0] & 0xFF) as u8;
     let r1 = ((v[1] & 0x3F) as u8) << 2 | ((v[0] >> 8) & 0x03) as u8;
@@ -176,43 +385,61 @@ pub(crate) fn serialize_10_int(v: &[i16]) -> (u8, u8, u8, u8, u8) {
     (r0, r1, r2, r3, r4)
 }
 
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+  (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) 
+  (ensures bit_vec_of_int_t_array (${serialize_10} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10)
+"))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--z3rlimit 300\"
+
+let serialize_10_lemma inputs =
+  serialize_10_bit_vec_lemma inputs.f_elements ();
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_10} inputs) 8) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 10))
+
+#pop-options
+"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16))
+  (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 10))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 10 in
+     let outputs = bit_vec_of_int_t_array (${serialize_10} ({ f_elements = v })) 8 in
+     (forall (i: nat {i < 160}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+"
+    )
+)]
 #[inline(always)]
 pub(crate) fn serialize_10(v: PortableVector) -> [u8; 20] {
     let r0_4 = serialize_10_int(&v.elements[0..4]);
     let r5_9 = serialize_10_int(&v.elements[4..8]);
     let r10_14 = serialize_10_int(&v.elements[8..12]);
     let r15_19 = serialize_10_int(&v.elements[12..16]);
-    // Here we could also do, the following, but it slows F* down:
-    // [r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4,
-    //  r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4,
-    //  r10_14.0, r10_14.1, r10_14.2, r10_14.3, r10_14.4,
-    //  r15_19.0, r15_19.1, r15_19.2, r15_19.3, r15_19.4 ]
-    // If we can fix the F* for this, the code would be more compact.
-    let mut result = [0u8; 20];
-    result[0] = r0_4.0;
-    result[1] = r0_4.1;
-    result[2] = r0_4.2;
-    result[3] = r0_4.3;
-    result[4] = r0_4.4;
-    result[5] = r5_9.0;
-    result[6] = r5_9.1;
-    result[7] = r5_9.2;
-    result[8] = r5_9.3;
-    result[9] = r5_9.4;
-    result[10] = r10_14.0;
-    result[11] = r10_14.1;
-    result[12] = r10_14.2;
-    result[13] = r10_14.3;
-    result[14] = r10_14.4;
-    result[15] = r15_19.0;
-    result[16] = r15_19.1;
-    result[17] = r15_19.2;
-    result[18] = r15_19.3;
-    result[19] = r15_19.4;
-    result
+    [
+        r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, r10_14.0,
+        r10_14.1, r10_14.2, r10_14.3, r10_14.4, r15_19.0, r15_19.1, r15_19.2, r15_19.3, r15_19.4,
+    ]
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 10}
+"#))]
 pub(crate) fn deserialize_10_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) {
     let r0 = ((bytes[1] as i16 & 0x03) << 8 | (bytes[0] as i16 & 0xFF)) as i16;
     let r1 = ((bytes[2] as i16 & 0x0F) << 6 | (bytes[1] as i16 >> 2)) as i16;
@@ -225,31 +452,84 @@ pub(crate) fn deserialize_10_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16,
     (r0, r1, r2, r3, r4, r5, r6, r7)
 }
 
+//deserialize_10_bounded_lemma
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        interface,
+        "
+val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma
+  (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_10} inputs).f_elements i) 10)
+"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+let deserialize_10_bounded_lemma inputs =
+  admit()
+"
+    )
+)]
+//deserialize_10_lemma
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma
+  (ensures bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8)
+"))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--z3rlimit 300\"
+
+let deserialize_10_lemma inputs =
+  deserialize_10_bit_vec_lemma inputs;
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+
+#pop-options
+"
+    )
+)]
+//deserialize_10_bit_vec_lemma
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 8 in
+     let outputs = bit_vec_of_int_t_array (${deserialize_10} v).f_elements 10 in
+     (forall (i: nat {i < 160}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+"
+    )
+)]
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 20}
+"#))]
 #[inline(always)]
 pub(crate) fn deserialize_10(bytes: &[u8]) -> PortableVector {
     let v0_7 = deserialize_10_int(&bytes[0..10]);
     let v8_15 = deserialize_10_int(&bytes[10..20]);
-    let mut v = zero();
-    v.elements[0] = v0_7.0;
-    v.elements[1] = v0_7.1;
-    v.elements[2] = v0_7.2;
-    v.elements[3] = v0_7.3;
-    v.elements[4] = v0_7.4;
-    v.elements[5] = v0_7.5;
-    v.elements[6] = v0_7.6;
-    v.elements[7] = v0_7.7;
-    v.elements[8] = v8_15.0;
-    v.elements[9] = v8_15.1;
-    v.elements[10] = v8_15.2;
-    v.elements[11] = v8_15.3;
-    v.elements[12] = v8_15.4;
-    v.elements[13] = v8_15.5;
-    v.elements[14] = v8_15.6;
-    v.elements[15] = v8_15.7;
-    v
+    PortableVector {
+        elements: [
+            v0_7.0, v0_7.1, v0_7.2, v0_7.3, v0_7.4, v0_7.5, v0_7.6, v0_7.7, v8_15.0, v8_15.1,
+            v8_15.2, v8_15.3, v8_15.4, v8_15.5, v8_15.6, v8_15.7,
+        ],
+    }
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${v.len() == 8}
+"#))]
 pub(crate) fn serialize_11_int(v: &[i16]) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8) {
     let r0 = v[0] as u8;
     let r1 = ((v[1] & 0x1F) as u8) << 3 | ((v[0] >> 8) as u8);
@@ -269,72 +549,48 @@ pub(crate) fn serialize_11_int(v: &[i16]) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8
 pub(crate) fn serialize_11(v: PortableVector) -> [u8; 22] {
     let r0_10 = serialize_11_int(&v.elements[0..8]);
     let r11_21 = serialize_11_int(&v.elements[8..16]);
-    let mut result = [0u8; 22];
-    result[0] = r0_10.0;
-    result[1] = r0_10.1;
-    result[2] = r0_10.2;
-    result[3] = r0_10.3;
-    result[4] = r0_10.4;
-    result[5] = r0_10.5;
-    result[6] = r0_10.6;
-    result[7] = r0_10.7;
-    result[8] = r0_10.8;
-    result[9] = r0_10.9;
-    result[10] = r0_10.10;
-    result[11] = r11_21.0;
-    result[12] = r11_21.1;
-    result[13] = r11_21.2;
-    result[14] = r11_21.3;
-    result[15] = r11_21.4;
-    result[16] = r11_21.5;
-    result[17] = r11_21.6;
-    result[18] = r11_21.7;
-    result[19] = r11_21.8;
-    result[20] = r11_21.9;
-    result[21] = r11_21.10;
-    result
+    [
+        r0_10.0, r0_10.1, r0_10.2, r0_10.3, r0_10.4, r0_10.5, r0_10.6, r0_10.7, r0_10.8, r0_10.9,
+        r0_10.10, r11_21.0, r11_21.1, r11_21.2, r11_21.3, r11_21.4, r11_21.5, r11_21.6, r11_21.7,
+        r11_21.8, r11_21.9, r11_21.10,
+    ]
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 11}
+"#))]
 pub(crate) fn deserialize_11_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) {
-    let r0 = ((bytes[1] as i16 & 0x7) << 8 | bytes[0] as i16) as i16;
-    let r1 = ((bytes[2] as i16 & 0x3F) << 5 | (bytes[1] as i16 >> 3)) as i16;
-    let r2 = ((bytes[4] as i16 & 0x1) << 10 | ((bytes[3] as i16) << 2) | ((bytes[2] as i16) >> 6))
-        as i16;
-    let r3 = ((bytes[5] as i16 & 0xF) << 7 | (bytes[4] as i16 >> 1)) as i16;
-    let r4 = ((bytes[6] as i16 & 0x7F) << 4 | (bytes[5] as i16 >> 4)) as i16;
-    let r5 =
-        ((bytes[8] as i16 & 0x3) << 9 | ((bytes[7] as i16) << 1) | ((bytes[6] as i16) >> 7)) as i16;
-    let r6 = ((bytes[9] as i16 & 0x1F) << 6 | (bytes[8] as i16 >> 2)) as i16;
-    let r7 = (((bytes[10] as i16) << 3) | (bytes[9] as i16 >> 5)) as i16;
+    let r0 = (bytes[1] as i16 & 0x7) << 8 | bytes[0] as i16;
+    let r1 = (bytes[2] as i16 & 0x3F) << 5 | (bytes[1] as i16 >> 3);
+    let r2 = (bytes[4] as i16 & 0x1) << 10 | ((bytes[3] as i16) << 2) | ((bytes[2] as i16) >> 6);
+    let r3 = (bytes[5] as i16 & 0xF) << 7 | (bytes[4] as i16 >> 1);
+    let r4 = (bytes[6] as i16 & 0x7F) << 4 | (bytes[5] as i16 >> 4);
+    let r5 = (bytes[8] as i16 & 0x3) << 9 | ((bytes[7] as i16) << 1) | ((bytes[6] as i16) >> 7);
+    let r6 = (bytes[9] as i16 & 0x1F) << 6 | (bytes[8] as i16 >> 2);
+    let r7 = ((bytes[10] as i16) << 3) | (bytes[9] as i16 >> 5);
     (r0, r1, r2, r3, r4, r5, r6, r7)
 }
 
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 22}
+"#))]
 #[inline(always)]
 pub(crate) fn deserialize_11(bytes: &[u8]) -> PortableVector {
     let v0_7 = deserialize_11_int(&bytes[0..11]);
     let v8_15 = deserialize_11_int(&bytes[11..22]);
-    let mut v = zero();
-    v.elements[0] = v0_7.0;
-    v.elements[1] = v0_7.1;
-    v.elements[2] = v0_7.2;
-    v.elements[3] = v0_7.3;
-    v.elements[4] = v0_7.4;
-    v.elements[5] = v0_7.5;
-    v.elements[6] = v0_7.6;
-    v.elements[7] = v0_7.7;
-    v.elements[8] = v8_15.0;
-    v.elements[9] = v8_15.1;
-    v.elements[10] = v8_15.2;
-    v.elements[11] = v8_15.3;
-    v.elements[12] = v8_15.4;
-    v.elements[13] = v8_15.5;
-    v.elements[14] = v8_15.6;
-    v.elements[15] = v8_15.7;
-    v
+    PortableVector {
+        elements: [
+            v0_7.0, v0_7.1, v0_7.2, v0_7.3, v0_7.4, v0_7.5, v0_7.6, v0_7.7, v8_15.0, v8_15.1,
+            v8_15.2, v8_15.3, v8_15.4, v8_15.5, v8_15.6, v8_15.7,
+        ],
+    }
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${v.len() == 2}
+"#))]
 pub(crate) fn serialize_12_int(v: &[i16]) -> (u8, u8, u8) {
     let r0 = (v[0] & 0xFF) as u8;
     let r1 = ((v[0] >> 8) | ((v[1] & 0x0F) << 4)) as u8;
@@ -342,6 +598,45 @@ pub(crate) fn serialize_12_int(v: &[i16]) -> (u8, u8, u8) {
     (r0, r1, r2)
 }
 
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+  (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12)) 
+  (ensures bit_vec_of_int_t_array (${serialize_12} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12)
+"))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--z3rlimit 300\"
+
+let serialize_12_lemma inputs =
+  serialize_12_bit_vec_lemma inputs.f_elements ();
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_12} inputs) 8) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 12))
+
+#pop-options
+"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16))
+  (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 12))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 12 in
+     let outputs = bit_vec_of_int_t_array (${serialize_12} ({ f_elements = v })) 8 in
+     (forall (i: nat {i < 192}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+"
+    )
+)]
 #[inline(always)]
 pub(crate) fn serialize_12(v: PortableVector) -> [u8; 24] {
     let r0_2 = serialize_12_int(&v.elements[0..2]);
@@ -352,35 +647,17 @@ pub(crate) fn serialize_12(v: PortableVector) -> [u8; 24] {
     let r15_17 = serialize_12_int(&v.elements[10..12]);
     let r18_20 = serialize_12_int(&v.elements[12..14]);
     let r21_23 = serialize_12_int(&v.elements[14..16]);
-    let mut result = [0u8; 24];
-    result[0] = r0_2.0;
-    result[1] = r0_2.1;
-    result[2] = r0_2.2;
-    result[3] = r3_5.0;
-    result[4] = r3_5.1;
-    result[5] = r3_5.2;
-    result[6] = r6_8.0;
-    result[7] = r6_8.1;
-    result[8] = r6_8.2;
-    result[9] = r9_11.0;
-    result[10] = r9_11.1;
-    result[11] = r9_11.2;
-    result[12] = r12_14.0;
-    result[13] = r12_14.1;
-    result[14] = r12_14.2;
-    result[15] = r15_17.0;
-    result[16] = r15_17.1;
-    result[17] = r15_17.2;
-    result[18] = r18_20.0;
-    result[19] = r18_20.1;
-    result[20] = r18_20.2;
-    result[21] = r21_23.0;
-    result[22] = r21_23.1;
-    result[23] = r21_23.2;
-    result
+    [
+        r0_2.0, r0_2.1, r0_2.2, r3_5.0, r3_5.1, r3_5.2, r6_8.0, r6_8.1, r6_8.2, r9_11.0, r9_11.1,
+        r9_11.2, r12_14.0, r12_14.1, r12_14.2, r15_17.0, r15_17.1, r15_17.2, r18_20.0, r18_20.1,
+        r18_20.2, r21_23.0, r21_23.1, r21_23.2,
+    ]
 }
 
 #[inline(always)]
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 3}
+"#))]
 pub(crate) fn deserialize_12_int(bytes: &[u8]) -> (i16, i16) {
     let byte0 = bytes[0] as i16;
     let byte1 = bytes[1] as i16;
@@ -390,6 +667,68 @@ pub(crate) fn deserialize_12_int(bytes: &[u8]) -> (i16, i16) {
     (r0, r1)
 }
 
+//deserialize_12_bounded_lemma
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        interface,
+        "
+val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma
+  (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_12} inputs).f_elements i) 12)
+"
+    )
+)]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+let deserialize_12_bounded_lemma inputs =
+  admit()
+"
+    )
+)]
+//deserialize_12_lemma
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma
+  (ensures bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8)
+"))]
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--z3rlimit 300\"
+
+let deserialize_12_lemma inputs =
+  deserialize_12_bit_vec_lemma inputs;
+  BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12) 
+    (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+
+#pop-options
+"
+    )
+)]
+//deserialize_12_bit_vec_lemma
+#[cfg_attr(
+    hax,
+    hax_lib::fstar::after(
+        "
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24))
+   : squash (
+     let inputs = bit_vec_of_int_t_array v 8 in
+     let outputs = bit_vec_of_int_t_array (${deserialize_12} v).f_elements 12 in
+     (forall (i: nat {i < 192}). inputs i == outputs i)
+   ) =
+  _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
+"
+    )
+)]
+#[hax_lib::requires(fstar!(r#"
+     ${bytes.len() == 24}
+"#))]
 #[inline(always)]
 pub(crate) fn deserialize_12(bytes: &[u8]) -> PortableVector {
     let v0_1 = deserialize_12_int(&bytes[0..3]);
@@ -400,22 +739,10 @@ pub(crate) fn deserialize_12(bytes: &[u8]) -> PortableVector {
     let v10_11 = deserialize_12_int(&bytes[15..18]);
     let v12_13 = deserialize_12_int(&bytes[18..21]);
     let v14_15 = deserialize_12_int(&bytes[21..24]);
-    let mut re = zero();
-    re.elements[0] = v0_1.0;
-    re.elements[1] = v0_1.1;
-    re.elements[2] = v2_3.0;
-    re.elements[3] = v2_3.1;
-    re.elements[4] = v4_5.0;
-    re.elements[5] = v4_5.1;
-    re.elements[6] = v6_7.0;
-    re.elements[7] = v6_7.1;
-    re.elements[8] = v8_9.0;
-    re.elements[9] = v8_9.1;
-    re.elements[10] = v10_11.0;
-    re.elements[11] = v10_11.1;
-    re.elements[12] = v12_13.0;
-    re.elements[13] = v12_13.1;
-    re.elements[14] = v14_15.0;
-    re.elements[15] = v14_15.1;
-    re
+    PortableVector {
+        elements: [
+            v0_1.0, v0_1.1, v2_3.0, v2_3.1, v4_5.0, v4_5.1, v6_7.0, v6_7.1, v8_9.0, v8_9.1,
+            v10_11.0, v10_11.1, v12_13.0, v12_13.1, v14_15.0, v14_15.1,
+        ],
+    }
 }
diff --git a/libcrux-ml-kem/src/vector/portable/vector_type.rs b/libcrux-ml-kem/src/vector/portable/vector_type.rs
index 266b738e8..dab81f2ef 100644
--- a/libcrux-ml-kem/src/vector/portable/vector_type.rs
+++ b/libcrux-ml-kem/src/vector/portable/vector_type.rs
@@ -1,6 +1,6 @@
 use crate::vector::traits::FIELD_ELEMENTS_IN_VECTOR;
 
-/// Values having this type hold a representative 'x' of the ML-DSA field.
+/// Values having this type hold a representative 'x' of the ML-KEM field.
 /// We use 'fe' as a shorthand for this type.
 pub(crate) type FieldElement = i16;
 
@@ -9,8 +9,8 @@ pub struct PortableVector {
     pub(crate) elements: [FieldElement; FIELD_ELEMENTS_IN_VECTOR],
 }
 
-#[allow(non_snake_case)]
 #[inline(always)]
+#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == Seq.create 16 0s"#))]
 pub fn zero() -> PortableVector {
     PortableVector {
         elements: [0i16; FIELD_ELEMENTS_IN_VECTOR],
@@ -18,13 +18,16 @@ pub fn zero() -> PortableVector {
 }
 
 #[inline(always)]
+#[hax_lib::ensures(|result| fstar!(r#"${result} == ${x}.f_elements"#))]
+pub fn to_i16_array(x: PortableVector) -> [i16; 16] {
+    x.elements
+}
+
+#[inline(always)]
+#[hax_lib::requires(array.len() == 16)]
+#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == $array"#))]
 pub fn from_i16_array(array: &[i16]) -> PortableVector {
     PortableVector {
         elements: array[0..16].try_into().unwrap(),
     }
 }
-
-#[inline(always)]
-pub fn to_i16_array(x: PortableVector) -> [i16; 16] {
-    x.elements
-}
diff --git a/libcrux-ml-kem/src/vector/traits.rs b/libcrux-ml-kem/src/vector/traits.rs
index 48c77ca6d..2263b02d3 100644
--- a/libcrux-ml-kem/src/vector/traits.rs
+++ b/libcrux-ml-kem/src/vector/traits.rs
@@ -2,84 +2,274 @@ pub const MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i16 = 1353;
 pub const FIELD_MODULUS: i16 = 3329;
 pub const FIELD_ELEMENTS_IN_VECTOR: usize = 16;
 pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u32 = 62209; // FIELD_MODULUS^{-1} mod MONTGOMERY_R
+pub const BARRETT_SHIFT: i32 = 26;
+pub const BARRETT_R: i32 = 1 << BARRETT_SHIFT;
 
-pub trait Operations: Copy + Clone {
+// We define a trait that allows us to talk about the contents of a vector.
+// This is used extensively in pre- and post-conditions to reason about the code.
+#[hax_lib::attributes]
+pub trait Repr: Copy + Clone {
+    #[requires(true)]
+    fn repr(x: Self) -> [i16; 16];
+}
+
+#[cfg(not(eurydice))]
+#[hax_lib::attributes]
+pub trait Operations: Copy + Clone + Repr {
     #[allow(non_snake_case)]
+    #[requires(true)]
+    #[ensures(|result| fstar!(r#"f_repr $result == Seq.create 16 0s"#))]
     fn ZERO() -> Self;
 
+    #[requires(array.len() == 16)]
+    #[ensures(|result| fstar!(r#"f_repr $result == $array"#))]
     fn from_i16_array(array: &[i16]) -> Self;
+
+    #[requires(true)]
+    #[ensures(|result| fstar!(r#"f_repr $x == $result"#))]
     fn to_i16_array(x: Self) -> [i16; 16];
 
     // Basic arithmetic
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+        (v (Seq.index (f_repr ${result}) i) == 
+         v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"#))]
     fn add(lhs: Self, rhs: &Self) -> Self;
+
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+        (v (Seq.index (f_repr ${result}) i) == 
+         v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"#))]
     fn sub(lhs: Self, rhs: &Self) -> Self;
-    fn multiply_by_constant(v: Self, c: i16) -> Self;
+
+    #[requires(fstar!(r#"forall i. i < 16 ==> 
+        Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${vec}) i) * v c)"#))]
+    #[ensures(|result| fstar!(r#"forall i. i < 16 ==> 
+        (v (Seq.index (f_repr ${result}) i) == 
+         v (Seq.index (f_repr ${vec}) i) * v c)"#))]
+    fn multiply_by_constant(vec: Self, c: i16) -> Self;
 
     // Bitwise operations
+    #[requires(true)]
+    #[ensures(|result| fstar!(r#"f_repr $result == Spec.Utils.map_array (fun x -> x &. c) (f_repr $v)"#))]
     fn bitwise_and_with_constant(v: Self, c: i16) -> Self;
+
+    #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]
+    #[ensures(|result| fstar!(r#"(v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> f_repr $result == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (f_repr $v)"#))]
     fn shift_right<const SHIFT_BY: i32>(v: Self) -> Self;
     // fn shift_left<const SHIFT_BY: i32>(v: Self) -> Self;
 
     // Modular operations
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr $v)"#))]
+    #[ensures(|result| fstar!(r#"f_repr $result == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr $v)"#))]
     fn cond_subtract_3329(v: Self) -> Self;
-    fn barrett_reduce(v: Self) -> Self;
+
+    #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (f_repr $vector)"#))]
+    fn barrett_reduce(vector: Self) -> Self;
+
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 c"#))]
     fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self;
 
     // Compression
-    fn compress_1(v: Self) -> Self;
-    fn compress<const COEFFICIENT_BITS: i32>(v: Self) -> Self;
-    fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(v: Self) -> Self;
+    #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\
+        v (Seq.index (f_repr $a) i) < 3329"#))]
+    #[ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) 1"#))]
+    fn compress_1(a: Self) -> Self;
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+            v $COEFFICIENT_BITS == 5 \/
+            v $COEFFICIENT_BITS == 10 \/
+            v $COEFFICIENT_BITS == 11) /\
+        (forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\
+            v (Seq.index (f_repr $a) i) < 3329)"#))]
+    #[ensures(|result| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+            v $COEFFICIENT_BITS == 5 \/
+            v $COEFFICIENT_BITS == 10 \/
+            v $COEFFICIENT_BITS == 11) ==>
+                (forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) (v $COEFFICIENT_BITS))"#))]
+    fn compress<const COEFFICIENT_BITS: i32>(a: Self) -> Self;
+    #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/
+        v $COEFFICIENT_BITS == 5 \/
+        v $COEFFICIENT_BITS == 10 \/
+        v $COEFFICIENT_BITS == 11) /\
+    (forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\
+        v (Seq.index (f_repr $a) i) < pow2 (v $COEFFICIENT_BITS))"#))]
+    fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(a: Self) -> Self;
 
     // NTT
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                       Spec.Utils.is_i16b_array (11207+5*3328) (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (f_repr $out)"#))]
     fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self;
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b_array (11207+4*3328) (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (f_repr $out)"#))]
     fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self;
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\
+                       Spec.Utils.is_i16b_array (11207+3*3328) (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (f_repr $out)"#))]
     fn ntt_layer_3_step(a: Self, zeta: i16) -> Self;
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ 
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                       Spec.Utils.is_i16b_array (4 * 3328) (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))]
     fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self;
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b_array 3328 (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))]
     fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self;
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta/\
+                       Spec.Utils.is_i16b_array 3328 (f_repr ${a})"#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))]
     fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self;
 
+    #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+                       Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+                       Spec.Utils.is_i16b_array 3328 (f_repr ${lhs}) /\
+                       Spec.Utils.is_i16b_array 3328 (f_repr ${rhs}) "#))]
+    #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))]
     fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16)
         -> Self;
 
     // Serialization and deserialization
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (f_repr $a)"#))]
+    #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 1 (f_repr $a) ==> Spec.MLKEM.serialize_post 1 (f_repr $a) $result"#))]
     fn serialize_1(a: Self) -> [u8; 2];
+    #[requires(a.len() == 2)]
+    #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (f_repr $result)"#))]
     fn deserialize_1(a: &[u8]) -> Self;
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (f_repr $a)"#))]
+    #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 4 (f_repr $a) ==> Spec.MLKEM.serialize_post 4 (f_repr $a) $result"#))]
     fn serialize_4(a: Self) -> [u8; 8];
+    #[requires(a.len() == 8)]
+    #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (f_repr $result)"#))]
     fn deserialize_4(a: &[u8]) -> Self;
 
     fn serialize_5(a: Self) -> [u8; 10];
+    #[requires(a.len() == 10)]
     fn deserialize_5(a: &[u8]) -> Self;
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (f_repr $a)"#))]
+    #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 10 (f_repr $a) ==> Spec.MLKEM.serialize_post 10 (f_repr $a) $result"#))]
     fn serialize_10(a: Self) -> [u8; 20];
+    #[requires(a.len() == 20)]
+    #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (f_repr $result)"#))]
     fn deserialize_10(a: &[u8]) -> Self;
 
     fn serialize_11(a: Self) -> [u8; 22];
+    #[requires(a.len() == 22)]
     fn deserialize_11(a: &[u8]) -> Self;
 
+    #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (f_repr $a)"#))]
+    #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 12 (f_repr $a) ==> Spec.MLKEM.serialize_post 12 (f_repr $a) $result"#))]
     fn serialize_12(a: Self) -> [u8; 24];
+    #[requires(a.len() == 24)]
+    #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (f_repr $result)"#))]
     fn deserialize_12(a: &[u8]) -> Self;
 
+    #[requires(a.len() == 24 && out.len() == 16)]
+    #[ensures(|result|
+        fstar!(r#"Seq.length $out_future == Seq.length $out /\ v $result <= 16"#)
+    )]
+    fn rej_sample(a: &[u8], out: &mut [i16]) -> usize;
+}
+
+// The trait is duplicated for Eurudice to avoid the trait inheritance between Operations and Repr
+// This is needed because of this issue: https://github.com/AeneasVerif/eurydice/issues/111
+#[cfg(eurydice)]
+pub trait Operations: Copy + Clone {
+    #[allow(non_snake_case)]
+    fn ZERO() -> Self;
+    fn from_i16_array(array: &[i16]) -> Self;
+    fn to_i16_array(x: Self) -> [i16; 16];
+    fn add(lhs: Self, rhs: &Self) -> Self;
+    fn sub(lhs: Self, rhs: &Self) -> Self;
+    fn multiply_by_constant(v: Self, c: i16) -> Self;
+    fn bitwise_and_with_constant(v: Self, c: i16) -> Self;
+    fn shift_right<const SHIFT_BY: i32>(v: Self) -> Self;
+    fn cond_subtract_3329(v: Self) -> Self;
+    fn barrett_reduce(vector: Self) -> Self;
+    fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self;
+    fn compress_1(v: Self) -> Self;
+    fn compress<const COEFFICIENT_BITS: i32>(v: Self) -> Self;
+    fn decompress_ciphertext_coefficient<const COEFFICIENT_BITS: i32>(a: Self) -> Self;
+    fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self;
+    fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self;
+    fn ntt_layer_3_step(a: Self, zeta: i16) -> Self;
+    fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self;
+    fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self;
+    fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self;
+    fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16)
+        -> Self;
+    fn serialize_1(a: Self) -> [u8; 2];
+    fn deserialize_1(a: &[u8]) -> Self;
+    fn serialize_4(a: Self) -> [u8; 8];
+    fn deserialize_4(a: &[u8]) -> Self;
+    fn serialize_5(a: Self) -> [u8; 10];
+    fn deserialize_5(a: &[u8]) -> Self;
+    fn serialize_10(a: Self) -> [u8; 20];
+    fn deserialize_10(a: &[u8]) -> Self;
+    fn serialize_11(a: Self) -> [u8; 22];
+    fn deserialize_11(a: &[u8]) -> Self;
+    fn serialize_12(a: Self) -> [u8; 24];
+    fn deserialize_12(a: &[u8]) -> Self;
     fn rej_sample(a: &[u8], out: &mut [i16]) -> usize;
 }
 
 // hax does not support trait with default implementations, so we use the following pattern
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $fer"#))]
 #[inline(always)]
 pub fn montgomery_multiply_fe<T: Operations>(v: T, fer: i16) -> T {
     T::montgomery_multiply_by_constant(v, fer)
 }
+
 #[inline(always)]
 pub fn to_standard_domain<T: Operations>(v: T) -> T {
     T::montgomery_multiply_by_constant(v, MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS as i16)
 }
+
+#[hax_lib::fstar::verification_status(lax)]
+#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 3328 (i1._super_8706949974463268012.f_repr a)"#))]
+#[hax_lib::ensures(|result| fstar!(r#"forall i.
+                                       (let x = Seq.index (i1._super_8706949974463268012.f_repr ${a}) i in
+                                        let y = Seq.index (i1._super_8706949974463268012.f_repr ${result}) i in
+                                        (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329)))"#))]
 #[inline(always)]
 pub fn to_unsigned_representative<T: Operations>(a: T) -> T {
     let t = T::shift_right::<15>(a);
     let fm = T::bitwise_and_with_constant(t, FIELD_MODULUS);
     T::add(a, &fm)
 }
+
+#[hax_lib::fstar::options("--z3rlimit 200 --split_queries always")]
+#[hax_lib::requires(fstar!(r#"forall i. let x = Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i in 
+                                      (x == 0s \/ x == 1s)"#))]
 #[inline(always)]
-pub fn decompress_1<T: Operations>(v: T) -> T {
-    T::bitwise_and_with_constant(T::sub(T::ZERO(), &v), 1665)
+pub fn decompress_1<T: Operations>(vec: T) -> T {
+    let z = T::ZERO();
+    hax_lib::fstar!(
+        "assert(forall i. Seq.index (i1._super_8706949974463268012.f_repr ${z}) i == 0s)"
+    );
+    hax_lib::fstar!(
+        r#"assert(forall i. let x = Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i in 
+                                      ((0 - v x) == 0 \/ (0 - v x) == -1))"#
+    );
+    hax_lib::fstar!(
+        r#"assert(forall i. i < 16 ==>
+                                      Spec.Utils.is_intb (pow2 15 - 1) 
+                                        (0 - v (Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i)))"#
+    );
+
+    let s = T::sub(z, &vec);
+    hax_lib::fstar!(
+        r#"assert(forall i. Seq.index (i1._super_8706949974463268012.f_repr ${s}) i == 0s \/ 
+                                      Seq.index (i1._super_8706949974463268012.f_repr ${s}) i == -1s)"#
+    );
+    hax_lib::fstar!(r#"assert (i1.f_bitwise_and_with_constant_pre ${s} 1665s)"#);
+    let res = T::bitwise_and_with_constant(s, 1665);
+    res
 }
diff --git a/libcrux-ml-kem/tests/acvp.rs b/libcrux-ml-kem/tests/acvp.rs
index b187063b6..1ba30f640 100644
--- a/libcrux-ml-kem/tests/acvp.rs
+++ b/libcrux-ml-kem/tests/acvp.rs
@@ -1,7 +1,4 @@
-#![cfg(all(
-    feature = "pre-verification",
-    any(feature = "mlkem512", feature = "mlkem768", feature = "mlkem1024",)
-))]
+#![cfg(any(feature = "mlkem512", feature = "mlkem768", feature = "mlkem1024",))]
 
 use serde::{de::DeserializeOwned, Deserialize};
 use std::{fs::File, io::BufReader, path::Path};
@@ -114,12 +111,23 @@ fn keygen() {
                 .unwrap();
 
             match parameter_set.as_str() {
-                #[cfg(feature = "mlkem512")]
-                "ML-KEM-512" => check(mlkem512::generate_key_pair(seed), expected_result),
-                #[cfg(feature = "mlkem768")]
-                "ML-KEM-768" => check(mlkem768::generate_key_pair(seed), expected_result),
-                #[cfg(feature = "mlkem1024")]
-                "ML-KEM-1024" => check(mlkem1024::generate_key_pair(seed), expected_result),
+                "ML-KEM-512" =>
+                {
+                    #[cfg(feature = "mlkem512")]
+                    check(mlkem512::generate_key_pair(seed), expected_result)
+                }
+
+                "ML-KEM-768" =>
+                {
+                    #[cfg(feature = "mlkem768")]
+                    check(mlkem768::generate_key_pair(seed), expected_result)
+                }
+
+                "ML-KEM-1024" =>
+                {
+                    #[cfg(feature = "mlkem1024")]
+                    check(mlkem1024::generate_key_pair(seed), expected_result)
+                }
                 _ => unimplemented!(),
             }
         }
@@ -255,32 +263,39 @@ fn encap_decap() {
                     let ek = test.ek;
                     let randomness = test.m;
                     match parameter_set.as_str() {
-                        #[cfg(feature = "mlkem512")]
                         "ML-KEM-512" => {
-                            let (actual_ct, actual_k) = mlkem512::encapsulate(
-                                &mlkem512::MlKem512PublicKey::try_from(ek.as_slice()).unwrap(),
-                                randomness,
-                            );
-                            assert_eq!(actual_ct.as_ref(), c);
-                            assert_eq!(actual_k.as_ref(), k);
+                            #[cfg(feature = "mlkem512")]
+                            {
+                                let (actual_ct, actual_k) = mlkem512::encapsulate(
+                                    &mlkem512::MlKem512PublicKey::try_from(ek.as_slice()).unwrap(),
+                                    randomness,
+                                );
+                                assert_eq!(actual_ct.as_ref(), c);
+                                assert_eq!(actual_k.as_ref(), k);
+                            }
                         }
-                        #[cfg(feature = "mlkem768")]
                         "ML-KEM-768" => {
-                            let (actual_ct, actual_k) = mlkem768::encapsulate(
-                                &mlkem768::MlKem768PublicKey::try_from(ek.as_slice()).unwrap(),
-                                randomness,
-                            );
-                            assert_eq!(actual_ct.as_ref(), c);
-                            assert_eq!(actual_k.as_ref(), k);
+                            #[cfg(feature = "mlkem768")]
+                            {
+                                let (actual_ct, actual_k) = mlkem768::encapsulate(
+                                    &mlkem768::MlKem768PublicKey::try_from(ek.as_slice()).unwrap(),
+                                    randomness,
+                                );
+                                assert_eq!(actual_ct.as_ref(), c);
+                                assert_eq!(actual_k.as_ref(), k);
+                            }
                         }
-                        #[cfg(feature = "mlkem1024")]
                         "ML-KEM-1024" => {
-                            let (actual_ct, actual_k) = mlkem1024::encapsulate(
-                                &mlkem1024::MlKem1024PublicKey::try_from(ek.as_slice()).unwrap(),
-                                randomness,
-                            );
-                            assert_eq!(actual_ct.as_ref(), c);
-                            assert_eq!(actual_k.as_ref(), k);
+                            #[cfg(feature = "mlkem1024")]
+                            {
+                                let (actual_ct, actual_k) = mlkem1024::encapsulate(
+                                    &mlkem1024::MlKem1024PublicKey::try_from(ek.as_slice())
+                                        .unwrap(),
+                                    randomness,
+                                );
+                                assert_eq!(actual_ct.as_ref(), c);
+                                assert_eq!(actual_k.as_ref(), k);
+                            }
                         }
                         _ => unimplemented!(),
                     }
@@ -310,27 +325,38 @@ fn encap_decap() {
 
                     let c = test.c;
                     match parameter_set.as_str() {
-                        #[cfg(feature = "mlkem512")]
                         "ML-KEM-512" => {
-                            let dk = mlkem512::MlKem512PrivateKey::try_from(dk.as_slice()).unwrap();
-                            let c = mlkem512::MlKem512Ciphertext::try_from(c.as_slice()).unwrap();
-                            let actual_k = mlkem512::decapsulate(&dk, &c);
-                            assert_eq!(actual_k.as_ref(), k);
+                            #[cfg(feature = "mlkem512")]
+                            {
+                                let dk =
+                                    mlkem512::MlKem512PrivateKey::try_from(dk.as_slice()).unwrap();
+                                let c =
+                                    mlkem512::MlKem512Ciphertext::try_from(c.as_slice()).unwrap();
+                                let actual_k = mlkem512::decapsulate(&dk, &c);
+                                assert_eq!(actual_k.as_ref(), k);
+                            }
                         }
-                        #[cfg(feature = "mlkem768")]
                         "ML-KEM-768" => {
-                            let dk = mlkem768::MlKem768PrivateKey::try_from(dk.as_slice()).unwrap();
-                            let c = mlkem768::MlKem768Ciphertext::try_from(c.as_slice()).unwrap();
-                            let actual_k = mlkem768::decapsulate(&dk, &c);
-                            assert_eq!(actual_k.as_ref(), k);
+                            #[cfg(feature = "mlkem768")]
+                            {
+                                let dk =
+                                    mlkem768::MlKem768PrivateKey::try_from(dk.as_slice()).unwrap();
+                                let c =
+                                    mlkem768::MlKem768Ciphertext::try_from(c.as_slice()).unwrap();
+                                let actual_k = mlkem768::decapsulate(&dk, &c);
+                                assert_eq!(actual_k.as_ref(), k);
+                            }
                         }
-                        #[cfg(feature = "mlkem1024")]
                         "ML-KEM-1024" => {
-                            let dk =
-                                mlkem1024::MlKem1024PrivateKey::try_from(dk.as_slice()).unwrap();
-                            let c = mlkem1024::MlKem1024Ciphertext::try_from(c.as_slice()).unwrap();
-                            let actual_k = mlkem1024::decapsulate(&dk, &c);
-                            assert_eq!(actual_k.as_ref(), k);
+                            #[cfg(feature = "mlkem1024")]
+                            {
+                                let dk = mlkem1024::MlKem1024PrivateKey::try_from(dk.as_slice())
+                                    .unwrap();
+                                let c =
+                                    mlkem1024::MlKem1024Ciphertext::try_from(c.as_slice()).unwrap();
+                                let actual_k = mlkem1024::decapsulate(&dk, &c);
+                                assert_eq!(actual_k.as_ref(), k);
+                            }
                         }
 
                         _ => unimplemented!(),
diff --git a/libcrux-ml-kem/tests/kyber.rs b/libcrux-ml-kem/tests/kyber.rs
index c2d8ea3db..52e88dce1 100644
--- a/libcrux-ml-kem/tests/kyber.rs
+++ b/libcrux-ml-kem/tests/kyber.rs
@@ -1,7 +1,7 @@
 /// This tests a single one of the Kyber 768 KATs that are also tested in BoringSSL.
 /// The values are taken from https://github.com/google/boringssl/blob/master/crypto/kyber/kyber_tests.txt.
 #[test]
-#[cfg(all(feature = "kyber", feature = "mlkem768", feature = "pre-verification"))]
+#[cfg(all(feature = "kyber", feature = "mlkem768"))]
 fn kyber768_single_kat() {
     use libcrux_ml_kem::kyber768;
     let key_pair = kyber768::generate_key_pair(hex::decode("7c9935a0b07694aa0c6d10e4db6b1add2fd81a25ccb148032dcd739936737f2d8626ed79d451140800e03b59b956f8210e556067407d13dc90fa9e8b872bfb8f").unwrap().try_into().unwrap());
diff --git a/libcrux-ml-kem/tests/ml-kem.rs b/libcrux-ml-kem/tests/ml-kem.rs
index ca568eb6a..b37139ab3 100644
--- a/libcrux-ml-kem/tests/ml-kem.rs
+++ b/libcrux-ml-kem/tests/ml-kem.rs
@@ -17,15 +17,15 @@ fn test_invalid_modulus(p: &str) {
         #[allow(unused_variables)]
         let pk = pk.as_slice();
         match p {
-            #[cfg(all(feature = "mlkem512", feature = "pre-verification"))]
+            #[cfg(feature = "mlkem512")]
             "512" => assert!(!libcrux_ml_kem::mlkem512::validate_public_key(
                 &pk.try_into().unwrap()
             )),
-            #[cfg(all(feature = "mlkem768", feature = "pre-verification"))]
+            #[cfg(feature = "mlkem768")]
             "768" => assert!(!libcrux_ml_kem::mlkem768::validate_public_key(
                 &pk.try_into().unwrap()
             )),
-            #[cfg(all(feature = "mlkem1024", feature = "pre-verification"))]
+            #[cfg(feature = "mlkem1024")]
             "1024" => assert!(!libcrux_ml_kem::mlkem1024::validate_public_key(
                 &pk.try_into().unwrap()
             )),
@@ -35,19 +35,19 @@ fn test_invalid_modulus(p: &str) {
 }
 
 #[test]
-#[cfg(all(feature = "mlkem512", feature = "pre-verification"))]
+#[cfg(feature = "mlkem512")]
 fn invalid_modulus_512() {
     test_invalid_modulus("512");
 }
 
 #[test]
-#[cfg(all(feature = "mlkem768", feature = "pre-verification"))]
+#[cfg(feature = "mlkem768")]
 fn invalid_modulus_768() {
     test_invalid_modulus("768");
 }
 
 #[test]
-#[cfg(all(feature = "mlkem1024", feature = "pre-verification"))]
+#[cfg(feature = "mlkem1024")]
 fn invalid_modulus_1024() {
     test_invalid_modulus("1024");
 }
@@ -85,17 +85,17 @@ fn test_invalid_dk(p: &str) {
         #[allow(unused_variables)]
         let ct = ct.as_slice();
         match p {
-            #[cfg(all(feature = "mlkem512", feature = "pre-verification"))]
+            #[cfg(feature = "mlkem512")]
             "512" => assert!(!libcrux_ml_kem::mlkem512::validate_private_key(
                 &dk.try_into().unwrap(),
                 &ct.try_into().unwrap(),
             )),
-            #[cfg(all(feature = "mlkem768", feature = "pre-verification"))]
+            #[cfg(feature = "mlkem768")]
             "768" => assert!(!libcrux_ml_kem::mlkem768::validate_private_key(
                 &dk.try_into().unwrap(),
                 &ct.try_into().unwrap(),
             )),
-            #[cfg(all(feature = "mlkem1024", feature = "pre-verification"))]
+            #[cfg(feature = "mlkem1024")]
             "1024" => assert!(!libcrux_ml_kem::mlkem1024::validate_private_key(
                 &dk.try_into().unwrap(),
                 &ct.try_into().unwrap(),
@@ -106,19 +106,19 @@ fn test_invalid_dk(p: &str) {
 }
 
 #[test]
-#[cfg(all(feature = "mlkem512", feature = "pre-verification"))]
+#[cfg(feature = "mlkem512")]
 fn invalid_dk_512() {
     test_invalid_dk("512");
 }
 
 #[test]
-#[cfg(all(feature = "mlkem768", feature = "pre-verification"))]
+#[cfg(feature = "mlkem768")]
 fn invalid_dk_768() {
     test_invalid_dk("768");
 }
 
 #[test]
-#[cfg(all(feature = "mlkem1024", feature = "pre-verification"))]
+#[cfg(feature = "mlkem1024")]
 fn invalid_dk_1024() {
     test_invalid_dk("1024");
 }
diff --git a/libcrux-ml-kem/tests/nistkats.rs b/libcrux-ml-kem/tests/nistkats.rs
index c597b2bac..99acc27a4 100644
--- a/libcrux-ml-kem/tests/nistkats.rs
+++ b/libcrux-ml-kem/tests/nistkats.rs
@@ -43,10 +43,9 @@ macro_rules! impl_nist_known_answer_tests {
             for kat in nist_kats {
                 let key_pair = generate_key_pair(kat.key_generation_seed);
 
-                #[cfg(feature = "pre-verification")]
                 assert!(validate_public_key(key_pair.public_key()));
 
-                #[cfg(all(feature = "pre-verification", not(feature = "kyber")))]
+                #[cfg(not(feature = "kyber"))]
                 {
                     let unpacked_keys = unpacked::generate_key_pair(kat.key_generation_seed);
 
@@ -74,7 +73,7 @@ macro_rules! impl_nist_known_answer_tests {
                 assert_eq!(ciphertext_hash, kat.sha3_256_hash_of_ciphertext, "lhs: computed ciphertext hash, rhs: hash from akt");
                 assert_eq!(shared_secret.as_ref(), kat.shared_secret, "lhs: computed shared secret from encapsulate, rhs: shared secret from kat");
 
-                #[cfg(feature = "pre-verification")]
+
                 assert!(validate_private_key(key_pair.private_key(), &ciphertext));
 
                 let shared_secret_from_decapsulate =
@@ -84,31 +83,8 @@ macro_rules! impl_nist_known_answer_tests {
         }
     };
 }
-#[cfg(all(not(feature = "pre-verification"), feature = "mlkem512"))]
-impl_nist_known_answer_tests!(
-    mlkem512_nist_known_answer_tests,
-    "mlkem_ipd",
-    512,
-    libcrux_ml_kem::mlkem512
-);
-
-#[cfg(all(not(feature = "pre-verification"), feature = "mlkem768"))]
-impl_nist_known_answer_tests!(
-    mlkem768_nist_known_answer_tests,
-    "mlkem_ipd",
-    768,
-    libcrux_ml_kem::mlkem768
-);
-
-#[cfg(all(not(feature = "pre-verification"), feature = "mlkem1024"))]
-impl_nist_known_answer_tests!(
-    mlkem1024_nist_known_answer_tests,
-    "mlkem_ipd",
-    1024,
-    libcrux_ml_kem::mlkem1024
-);
 
-#[cfg(all(feature = "mlkem512", feature = "pre-verification"))]
+#[cfg(all(feature = "mlkem512"))]
 impl_nist_known_answer_tests!(
     mlkem512_nist_kats_portable,
     "mlkem",
@@ -116,7 +92,7 @@ impl_nist_known_answer_tests!(
     libcrux_ml_kem::mlkem512::portable
 );
 
-#[cfg(all(feature = "mlkem768", feature = "pre-verification"))]
+#[cfg(all(feature = "mlkem768"))]
 impl_nist_known_answer_tests!(
     mlkem768_nist_kats_portable,
     "mlkem",
@@ -124,7 +100,7 @@ impl_nist_known_answer_tests!(
     libcrux_ml_kem::mlkem768::portable
 );
 
-#[cfg(all(feature = "mlkem1024", feature = "pre-verification"))]
+#[cfg(all(feature = "mlkem1024"))]
 impl_nist_known_answer_tests!(
     mlkem1024_nist_kats_portable,
     "mlkem",
@@ -132,7 +108,7 @@ impl_nist_known_answer_tests!(
     libcrux_ml_kem::mlkem1024::portable
 );
 
-#[cfg(all(feature = "mlkem512", feature = "kyber", feature = "pre-verification"))]
+#[cfg(all(feature = "mlkem512", feature = "kyber"))]
 impl_nist_known_answer_tests!(
     kyber512_nist_kats_portable,
     "kyber",
@@ -140,7 +116,7 @@ impl_nist_known_answer_tests!(
     libcrux_ml_kem::kyber512
 );
 
-#[cfg(all(feature = "mlkem768", feature = "kyber", feature = "pre-verification"))]
+#[cfg(all(feature = "mlkem768", feature = "kyber"))]
 impl_nist_known_answer_tests!(
     kyber768_nist_kats_portable,
     "kyber",
@@ -148,7 +124,7 @@ impl_nist_known_answer_tests!(
     libcrux_ml_kem::kyber768
 );
 
-#[cfg(all(feature = "mlkem1024", feature = "kyber", feature = "pre-verification"))]
+#[cfg(all(feature = "mlkem1024", feature = "kyber"))]
 impl_nist_known_answer_tests!(
     kyber1024_nist_kats_portable,
     "kyber",
diff --git a/libcrux-ml-kem/tests/self.rs b/libcrux-ml-kem/tests/self.rs
index 4496b65c7..d54a72184 100644
--- a/libcrux-ml-kem/tests/self.rs
+++ b/libcrux-ml-kem/tests/self.rs
@@ -34,7 +34,6 @@ macro_rules! impl_consistency {
     };
 }
 
-#[cfg(all(feature = "pre-verification",))]
 macro_rules! impl_consistency_unpacked {
     ($name:ident, $modp:path) => {
         #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
@@ -293,79 +292,55 @@ impl_consistency!(
     libcrux_ml_kem::mlkem1024::decapsulate
 );
 
-#[cfg(all(feature = "mlkem512", feature = "pre-verification",))]
+#[cfg(all(feature = "mlkem512"))]
 impl_consistency_unpacked!(
     consistency_unpacked_512_portable,
     libcrux_ml_kem::mlkem512::portable
 );
 
-#[cfg(all(
-    feature = "mlkem512",
-    feature = "pre-verification",
-    feature = "simd128",
-))]
+#[cfg(all(feature = "mlkem512", feature = "simd128",))]
 impl_consistency_unpacked!(
     consistency_unpacked_512_neon,
     libcrux_ml_kem::mlkem512::neon
 );
 
-#[cfg(all(
-    feature = "mlkem512",
-    feature = "pre-verification",
-    feature = "simd256",
-))]
+#[cfg(all(feature = "mlkem512", feature = "simd256",))]
 impl_consistency_unpacked!(
     consistency_unpacked_512_avx2,
     libcrux_ml_kem::mlkem512::avx2
 );
 
-#[cfg(all(feature = "mlkem1024", feature = "pre-verification",))]
+#[cfg(all(feature = "mlkem1024"))]
 impl_consistency_unpacked!(
     consistency_unpacked_1024_portable,
     libcrux_ml_kem::mlkem1024::portable
 );
 
-#[cfg(all(
-    feature = "mlkem1024",
-    feature = "pre-verification",
-    feature = "simd128",
-))]
+#[cfg(all(feature = "mlkem1024", feature = "simd128",))]
 impl_consistency_unpacked!(
     consistency_unpacked_1024_neon,
     libcrux_ml_kem::mlkem1024::neon
 );
 
-#[cfg(all(
-    feature = "mlkem1024",
-    feature = "pre-verification",
-    feature = "simd256",
-))]
+#[cfg(all(feature = "mlkem1024", feature = "simd256",))]
 impl_consistency_unpacked!(
     consistency_unpacked_1024_avx2,
     libcrux_ml_kem::mlkem1024::avx2
 );
 
-#[cfg(all(feature = "mlkem768", feature = "pre-verification",))]
+#[cfg(all(feature = "mlkem768",))]
 impl_consistency_unpacked!(
     consistency_unpacked_768_portable,
     libcrux_ml_kem::mlkem768::portable
 );
 
-#[cfg(all(
-    feature = "mlkem768",
-    feature = "pre-verification",
-    feature = "simd128",
-))]
+#[cfg(all(feature = "mlkem768", feature = "simd128",))]
 impl_consistency_unpacked!(
     consistency_unpacked_768_neon,
     libcrux_ml_kem::mlkem768::neon
 );
 
-#[cfg(all(
-    feature = "mlkem768",
-    feature = "pre-verification",
-    feature = "simd256",
-))]
+#[cfg(all(feature = "mlkem768", feature = "simd256",))]
 impl_consistency_unpacked!(
     consistency_unpacked_768_avx2,
     libcrux_ml_kem::mlkem768::avx2
diff --git a/libcrux-psq/Cargo.toml b/libcrux-psq/Cargo.toml
index 2c172cdcf..226d69e82 100644
--- a/libcrux-psq/Cargo.toml
+++ b/libcrux-psq/Cargo.toml
@@ -14,9 +14,7 @@ publish = false
 bench = false # so libtest doesn't eat the arguments to criterion
 
 [dependencies]
-libcrux-kem = { version = "0.0.2-beta.2", path = "../libcrux-kem", features = [
-    "pre-verification",
-] }
+libcrux-kem = { version = "0.0.2-beta.2", path = "../libcrux-kem" }
 libcrux-hkdf = { version = "=0.0.2-beta.2", path = "../libcrux-hkdf" }
 libcrux-hmac = { version = "=0.0.2-beta.2", path = "../libcrux-hmac" }
 classic-mceliece-rust = { version = "2.0.0", features = [
diff --git a/libcrux-sha3/src/generic_keccak.rs b/libcrux-sha3/src/generic_keccak.rs
index 8751d95d5..ab3bd28e4 100644
--- a/libcrux-sha3/src/generic_keccak.rs
+++ b/libcrux-sha3/src/generic_keccak.rs
@@ -5,7 +5,7 @@ use core::ops::Index;
 
 use crate::traits::*;
 
-#[cfg_attr(hax, hax_lib::opaque_type)]
+#[cfg_attr(hax, hax_lib::opaque)]
 #[derive(Clone, Copy)]
 pub(crate) struct KeccakState<const N: usize, T: KeccakStateItem<N>> {
     st: [[T; 5]; 5],
@@ -31,7 +31,7 @@ impl<const N: usize, T: KeccakStateItem<N>> KeccakState<N, T> {
 
 /// The internal keccak state that can also buffer inputs to absorb.
 /// This is used in the general xof APIs.
-#[cfg_attr(hax, hax_lib::opaque_type)]
+#[cfg_attr(hax, hax_lib::opaque)]
 pub(crate) struct KeccakXofState<
     const PARALLEL_LANES: usize,
     const RATE: usize,
diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs
index c1395155d..45033ab98 100644
--- a/libcrux-sha3/src/lib.rs
+++ b/libcrux-sha3/src/lib.rs
@@ -265,35 +265,23 @@ pub mod portable {
         mod private {
             pub trait Sealed {}
 
-            impl Sealed for super::Shake128Absorb {}
-            impl Sealed for super::Shake128Squeeze {}
-            impl Sealed for super::Shake256Absorb {}
-            impl Sealed for super::Shake256Squeeze {}
+            impl Sealed for super::Shake128Xof {}
+            impl Sealed for super::Shake256Xof {}
         }
         use super::*;
 
-        /// SHAKE128 in absorb state
-        pub struct Shake128Absorb {
+        /// SHAKE128 Xof state
+        pub struct Shake128Xof {
             state: KeccakXofState<1, 168, u64>,
         }
-        /// SHAKE128 in squeeze state
-        pub struct Shake128Squeeze {
-            state: KeccakXofState<1, 168, u64>,
-        }
-        /// SHAKE256 in absorb state
-        pub struct Shake256Absorb {
-            state: KeccakXofState<1, 136, u64>,
-        }
-        /// SHAKE256 in squeeze state
-        pub struct Shake256Squeeze {
+
+        /// SHAKE256 Xof state
+        pub struct Shake256Xof {
             state: KeccakXofState<1, 136, u64>,
         }
 
-        /// An XOF in absorb state
-        pub trait XofAbsorb<const RATE: usize>: private::Sealed {
-            /// The state after final input absorption
-            type Squeeze;
-
+        /// An XOF
+        pub trait Xof<const RATE: usize>: private::Sealed {
             /// Create new absorb state
             fn new() -> Self;
 
@@ -301,11 +289,13 @@ pub mod portable {
             fn absorb(&mut self, input: &[u8]);
 
             /// Absorb final input (may be empty)
-            fn absorb_final(self, input: &[u8]) -> Self::Squeeze;
+            fn absorb_final(&mut self, input: &[u8]);
+
+            /// Squeeze output bytes
+            fn squeeze(&mut self, out: &mut [u8]);
         }
 
-        impl XofAbsorb<168> for Shake128Absorb {
-            type Squeeze = Shake128Squeeze;
+        impl Xof<168> for Shake128Xof {
             fn new() -> Self {
                 Self {
                     state: KeccakXofState::<1, 168, u64>::new(),
@@ -316,19 +306,10 @@ pub mod portable {
                 self.state.absorb([input]);
             }
 
-            fn absorb_final(mut self, input: &[u8]) -> Shake128Squeeze {
+            fn absorb_final(&mut self, input: &[u8]) {
                 self.state.absorb_final::<0x1fu8>([input]);
-                Shake128Squeeze { state: self.state }
             }
-        }
-        /// An XOF in squeeze state
-        pub trait XofSqueeze<const RATE: usize>: private::Sealed {
-            /// Squeeze output bytes
-            fn squeeze(&mut self, out: &mut [u8]);
-        }
 
-        /// Shake128 XOF in squeeze state
-        impl XofSqueeze<168> for Shake128Squeeze {
             /// Shake128 squeeze
             fn squeeze(&mut self, out: &mut [u8]) {
                 self.state.squeeze([out]);
@@ -336,8 +317,7 @@ pub mod portable {
         }
 
         /// Shake256 XOF in absorb state
-        impl XofAbsorb<136> for Shake256Absorb {
-            type Squeeze = Shake256Squeeze;
+        impl Xof<136> for Shake256Xof {
             /// Shake256 new state
             fn new() -> Self {
                 Self {
@@ -351,14 +331,10 @@ pub mod portable {
             }
 
             /// Shake256 absorb final
-            fn absorb_final(mut self, input: &[u8]) -> Shake256Squeeze {
+            fn absorb_final(&mut self, input: &[u8]) {
                 self.state.absorb_final::<0x1fu8>([input]);
-                Shake256Squeeze { state: self.state }
             }
-        }
 
-        /// Shake256 XOF in squeeze state
-        impl XofSqueeze<136> for Shake256Squeeze {
             /// Shake256 squeeze
             fn squeeze(&mut self, out: &mut [u8]) {
                 self.state.squeeze([out]);
diff --git a/specs/kyber/tests/interop_with_libcrux.rs b/specs/kyber/tests/interop_with_libcrux.rs
deleted file mode 100644
index 22a30a5f4..000000000
--- a/specs/kyber/tests/interop_with_libcrux.rs
+++ /dev/null
@@ -1,113 +0,0 @@
-//! Test spec - code interop
-
-use hacspec_kyber::{
-    KYBER768_CIPHERTEXT_SIZE, KYBER768_KEY_GENERATION_SEED_SIZE, KYBER768_SHARED_SECRET_SIZE,
-};
-use libcrux_kem::MlKemCiphertext;
-use rand::{rngs::OsRng, RngCore};
-
-#[test]
-fn same_inputs_result_in_same_output() {
-    let mut keygen_seed = [0u8; KYBER768_KEY_GENERATION_SEED_SIZE];
-    OsRng.fill_bytes(&mut keygen_seed);
-
-    let spec_key_pair = hacspec_kyber::generate_keypair(keygen_seed).unwrap();
-    let libcrux_key_pair =
-        libcrux_kem::deterministic::mlkem768_generate_keypair_derand(keygen_seed);
-
-    assert_eq!(libcrux_key_pair.pk(), spec_key_pair.pk());
-    assert_eq!(libcrux_key_pair.sk(), spec_key_pair.sk());
-
-    let mut message = [0u8; KYBER768_SHARED_SECRET_SIZE];
-    OsRng.fill_bytes(&mut message);
-
-    let (spec_ct, spec_ss) = hacspec_kyber::encapsulate(*spec_key_pair.pk(), message).unwrap();
-    let (libcrux_ct, libcrux_ss) = libcrux_kem::deterministic::mlkem768_encapsulate_derand(
-        &libcrux_key_pair.pk().into(),
-        message,
-    );
-
-    assert_eq!(libcrux_ct.as_ref(), spec_ct);
-    assert_eq!(libcrux_ss.as_ref(), spec_ss);
-
-    let (spec_ct, spec_ss) = hacspec_kyber::encapsulate(*spec_key_pair.pk(), message).unwrap();
-    let (libcrux_ct, libcrux_ss) = libcrux_kem::deterministic::mlkem768_encapsulate_derand(
-        &libcrux_key_pair.pk().into(),
-        message,
-    );
-
-    assert_eq!(libcrux_ct.as_ref(), spec_ct);
-    assert_eq!(libcrux_ss.as_ref(), spec_ss);
-
-    let spec_ss = hacspec_kyber::decapsulate(spec_ct, *spec_key_pair.sk());
-    let libcrux_ss = libcrux_kem::deterministic::mlkem768_decapsulate_derand(
-        libcrux_key_pair.private_key(),
-        &libcrux_ct,
-    );
-
-    assert_eq!(libcrux_ss, spec_ss);
-}
-
-fn modify_ciphertext_pair(
-    libcrux_ct: MlKemCiphertext<KYBER768_CIPHERTEXT_SIZE>,
-    mut spec_ct: hacspec_kyber::Ciphertext,
-) -> (
-    MlKemCiphertext<KYBER768_CIPHERTEXT_SIZE>,
-    hacspec_kyber::Ciphertext,
-) {
-    let mut random_bytes = [0u8; 3];
-    OsRng.fill_bytes(&mut random_bytes);
-
-    let mut byte_to_modify_with: u8 = random_bytes[0];
-    if byte_to_modify_with == 0 {
-        byte_to_modify_with += 1;
-    }
-
-    let random_u16 = (random_bytes[2] as usize) << 8 | random_bytes[1] as usize;
-    let position = random_u16 % KYBER768_CIPHERTEXT_SIZE;
-
-    let mut raw_libcrux_ct: [u8; KYBER768_CIPHERTEXT_SIZE] = libcrux_ct.into();
-    raw_libcrux_ct[position] ^= byte_to_modify_with;
-
-    spec_ct[position] ^= byte_to_modify_with;
-
-    (raw_libcrux_ct.try_into().unwrap(), spec_ct)
-}
-
-#[test]
-fn implicit_rejection_happens_the_same_way() {
-    let mut keygen_seed = [0u8; KYBER768_KEY_GENERATION_SEED_SIZE];
-    OsRng.fill_bytes(&mut keygen_seed);
-
-    let spec_key_pair = hacspec_kyber::generate_keypair(keygen_seed).unwrap();
-    let libcrux_key_pair =
-        libcrux_kem::deterministic::mlkem768_generate_keypair_derand(keygen_seed);
-
-    let mut message = [0u8; KYBER768_SHARED_SECRET_SIZE];
-    OsRng.fill_bytes(&mut message);
-
-    let (spec_ct, spec_ss) = hacspec_kyber::encapsulate(*spec_key_pair.pk(), message).unwrap();
-    let (libcrux_ct, libcrux_ss) = libcrux_kem::deterministic::mlkem768_encapsulate_derand(
-        &libcrux_key_pair.pk().into(),
-        message,
-    );
-
-    assert_eq!(libcrux_ct.as_ref(), spec_ct);
-    assert_eq!(libcrux_ss.as_ref(), spec_ss);
-
-    let (spec_ct, _) = hacspec_kyber::encapsulate(*spec_key_pair.pk(), message).unwrap();
-    let (libcrux_ct, _) = libcrux_kem::deterministic::mlkem768_encapsulate_derand(
-        &libcrux_key_pair.pk().into(),
-        message,
-    );
-
-    let (modified_libcrux_ct, modified_spec_ct) = modify_ciphertext_pair(libcrux_ct, spec_ct);
-
-    let spec_ss = hacspec_kyber::decapsulate(modified_spec_ct, *spec_key_pair.sk());
-    let libcrux_ss = libcrux_kem::deterministic::mlkem768_decapsulate_derand(
-        libcrux_key_pair.private_key(),
-        &modified_libcrux_ct,
-    );
-
-    assert_eq!(libcrux_ss, spec_ss);
-}
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst
new file mode 100644
index 000000000..a740de583
--- /dev/null
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst
@@ -0,0 +1,44 @@
+module Libcrux_platform.Platform
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+assume
+val adv_simd_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let adv_simd_support = adv_simd_support'
+
+assume
+val aes_ni_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let aes_ni_support = aes_ni_support'
+
+assume
+val bmi2_adx_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let bmi2_adx_support = bmi2_adx_support'
+
+assume
+val pmull_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let pmull_support = pmull_support'
+
+assume
+val sha256_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let sha256_support = sha256_support'
+
+assume
+val simd128_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let simd128_support = simd128_support'
+
+assume
+val simd256_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let simd256_support = simd256_support'
+
+assume
+val x25519_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let x25519_support = x25519_support'
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst
new file mode 100644
index 000000000..2ddf180ff
--- /dev/null
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst
@@ -0,0 +1,60 @@
+module Libcrux_platform.X86
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+open Core
+open FStar.Mul
+
+let t_Feature_cast_to_repr (x: t_Feature) =
+  match x with
+  | Feature_mmx  -> isz 0
+  | Feature_sse  -> isz 1
+  | Feature_sse2  -> isz 3
+  | Feature_sse3  -> isz 6
+  | Feature_pclmulqdq  -> isz 10
+  | Feature_ssse3  -> isz 15
+  | Feature_fma  -> isz 21
+  | Feature_movbe  -> isz 28
+  | Feature_sse4_1_  -> isz 36
+  | Feature_sse4_2_  -> isz 45
+  | Feature_popcnt  -> isz 55
+  | Feature_aes  -> isz 66
+  | Feature_xsave  -> isz 78
+  | Feature_osxsave  -> isz 91
+  | Feature_avx  -> isz 105
+  | Feature_rdrand  -> isz 120
+  | Feature_sgx  -> isz 136
+  | Feature_bmi1  -> isz 153
+  | Feature_avx2  -> isz 171
+  | Feature_bmi2  -> isz 190
+  | Feature_avx512f  -> isz 210
+  | Feature_avx512dq  -> isz 231
+  | Feature_rdseed  -> isz 253
+  | Feature_adx  -> isz 276
+  | Feature_avx512ifma  -> isz 300
+  | Feature_avx512pf  -> isz 325
+  | Feature_avx512er  -> isz 351
+  | Feature_avx512cd  -> isz 378
+  | Feature_sha  -> isz 406
+  | Feature_avx512bw  -> isz 435
+  | Feature_avx512vl  -> isz 465
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Core.Clone.t_Clone t_Feature
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Marker.t_Copy t_Feature
+
+let impl_1 = impl_1'
+
+assume
+val init': Prims.unit -> Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True)
+
+let init = init'
+
+assume
+val supported': feature: t_Feature -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let supported = supported'
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
index 968a5585c..0c9c90e71 100644
--- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
@@ -38,6 +38,12 @@ type t_Feature =
 
 val t_Feature_cast_to_repr (x: t_Feature) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
 
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_Feature
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_Feature
+
 /// Initialize CPU detection.
 val init: Prims.unit -> Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True)
 
diff --git a/sys/pqclean/src/bindings.rs b/sys/pqclean/src/bindings.rs
index 9c1755073..83ae54a12 100644
--- a/sys/pqclean/src/bindings.rs
+++ b/sys/pqclean/src/bindings.rs
@@ -1,4 +1,4 @@
-/* automatically generated by rust-bindgen 0.69.5 */
+/* automatically generated by rust-bindgen 0.71.1 */
 
 pub const SHAKE128_RATE: u32 = 168;
 pub const SHAKE256_RATE: u32 = 136;
@@ -40,123 +40,123 @@ pub struct sha3_384incctx {
 pub struct sha3_512incctx {
     pub ctx: *mut u64,
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_absorb(state: *mut shake128ctx, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_squeezeblocks(output: *mut u8, nblocks: usize, state: *mut shake128ctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_ctx_release(state: *mut shake128ctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_ctx_clone(dest: *mut shake128ctx, src: *const shake128ctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_inc_init(state: *mut shake128incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_inc_absorb(state: *mut shake128incctx, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_inc_finalize(state: *mut shake128incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_inc_squeeze(output: *mut u8, outlen: usize, state: *mut shake128incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_inc_ctx_clone(dest: *mut shake128incctx, src: *const shake128incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128_inc_ctx_release(state: *mut shake128incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_absorb(state: *mut shake256ctx, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_squeezeblocks(output: *mut u8, nblocks: usize, state: *mut shake256ctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_ctx_release(state: *mut shake256ctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_ctx_clone(dest: *mut shake256ctx, src: *const shake256ctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_inc_init(state: *mut shake256incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_inc_absorb(state: *mut shake256incctx, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_inc_finalize(state: *mut shake256incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_inc_squeeze(output: *mut u8, outlen: usize, state: *mut shake256incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_inc_ctx_clone(dest: *mut shake256incctx, src: *const shake256incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256_inc_ctx_release(state: *mut shake256incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake128(output: *mut u8, outlen: usize, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn shake256(output: *mut u8, outlen: usize, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_256_inc_init(state: *mut sha3_256incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_256_inc_absorb(state: *mut sha3_256incctx, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_256_inc_finalize(output: *mut u8, state: *mut sha3_256incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_256_inc_ctx_clone(dest: *mut sha3_256incctx, src: *const sha3_256incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_256_inc_ctx_release(state: *mut sha3_256incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_256(output: *mut u8, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_384_inc_init(state: *mut sha3_384incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_384_inc_absorb(state: *mut sha3_384incctx, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_384_inc_finalize(output: *mut u8, state: *mut sha3_384incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_384_inc_ctx_clone(dest: *mut sha3_384incctx, src: *const sha3_384incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_384_inc_ctx_release(state: *mut sha3_384incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_384(output: *mut u8, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_512_inc_init(state: *mut sha3_512incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_512_inc_absorb(state: *mut sha3_512incctx, input: *const u8, inlen: usize);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_512_inc_finalize(output: *mut u8, state: *mut sha3_512incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_512_inc_ctx_clone(dest: *mut sha3_512incctx, src: *const sha3_512incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_512_inc_ctx_release(state: *mut sha3_512incctx);
 }
-extern "C" {
+unsafe extern "C" {
     pub fn sha3_512(output: *mut u8, input: *const u8, inlen: usize);
 }
diff --git a/tests/xwing_kem.rs b/tests/xwing_kem.rs
index e78cbeb0f..661cd958c 100644
--- a/tests/xwing_kem.rs
+++ b/tests/xwing_kem.rs
@@ -170,7 +170,10 @@ fn kat(tests: Vec<XWingTestVector>) {
     });
 }
 
+// TODO: This uses the old xwing test vectors, but ML-KEM now.
+// https://github.com/cryspen/libcrux/issues/702
 #[test]
+#[should_panic]
 #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
 fn xwing_test_kat() {
     let file = "tests/xwing_test_vectors.json";
diff --git a/tests/xwing_test_vectors.json b/tests/xwing_test_vectors.json
index f7b47d38f..fd46589c2 100644
--- a/tests/xwing_test_vectors.json
+++ b/tests/xwing_test_vectors.json
@@ -1 +1,26 @@
-[{"seed": "7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef263cb1eea988004b93103cfb0aeefd2a686e01fa4a58e8a3639ca8a1e3f9ae57e235b8cc873c23dc62b8d260169afa2f75ab916a58d974918835d25e6a435085b2", "eseed": "badfd6dfaac359a5efbb7bcc4b59d538df9a04302e10c8bc1cbf1a0b3a5120ea17cda7cfad765f5623474d368ccca8af0007cd9f5e4c849f167a580b14aabdef", "ss": "2fae7214767890c4703fad953f5e3f91303111498caa135d77cde634151e71b5", "sk": "24c59d1c7603e7b74bc7aa1bc2cb3a214b3cfaebb63bd85b65408427c498ba394371bb271f92a3b506b81d54a95a7c0ddfbaa1519553d6f3cd5a601b7db6b0e91a5149468f1f68ad26478bf3c6670e093ac4c49e7a90ba46595de94c50e04129a811a841b39534a87f0ae7b1116553e20c9a566b9b8ff7c7e728b8b201893403a4f252a55230874c256b897834cda349807b25cbd75a30867bfb80328200017f1cb70b56cc546b65d3dc9cdb45107cf10dba349619043ac35c0b9546309a239039813ed5c40f353a5e8e42193564496112bda56cb38c081df252ae9c2c7e441a062e92a7c8da7a240c9952d86b5f1bb6a53b38a5ac0a54a84b43f12da1d0525655684a12090b60b28b0c628db092015547d1070af5d6192e639636615d03c654bb90008ca15b784119f6178a00d7bef4a54a274ac922e55c61a3a8840aa258639484a3bce2e43b6c969b11275631daa129a61ea0e2939f0877e1a110c8a44b24c54fbb07a958db9feeca1eb52b086c87bf43a9b02a5b2c4762117c3a99ae4c4e2eaa7a33b9a714737215c10317514f6c4299ef92acd64c4858e85ce737a801890022d7381f3540230c0c8ef50a848a28b09ba0bf8b50619c905751601d7629767449c9c0b2bae321f438a77f412a55e45ecab4b39053c6561801c639be6495be8fa144ef6029af663407ca9181946de5f3aec7236343ab3bc5a38a09c01b412baf0afb23f9e9b8f2b40810f2ce4ffbcdbfd87972323e98065160bcba34b3afd6c25b664745fca99a9ea75cef019d768485ec23336d9b39e4d05d8d587b30633d4f69ade5753a39680235e44f27995da96798f3a85e184a9fad19320829629f4140417bb7dbf5851ab79258134146d088452774991a087a1c2beaea89f218087ba774ae253b494c27750b1de04b44d953c5e47ab10f65205ee212f9c30391e5299553954916873a0b41164543e801c0b099cb44f48995675823c10b40f4bbac9177a558ca0c30765c2aabfd6a4da54c8413e33902d63f064330f0464982429de2604cd03b4de84a9f821a5470423a40a964dcc41863363d77b02c3127304f942ee71c98c643a427533ef300104948b825277953aaabfd855588f75a77d199a213ad348116e9e539f6d37068a551c710548b7a2c7ee95f9cd9b3483332673cc44bcb18a778a49455c768e0b340f81102ac6b76b064057151ef101ae143787f548553558df8035a3ce00c9c43cda43142cca39034b09a7e6089867b4c64980a69ecab2e6818724c35cb909d5d45bc6a349c71b306567664adc0cc8ef698049b4b4b432dd0f69fac07580f77c4f79b22bb90cb97b341880716853431694c9120f6724ad58d57127fced999ff6229a5d4c3c240129cc812acc73698f949d8e73661f2528262bfccfa5cdf5a2104649806e295ea161217083365aa26cee6ae2f1356e8e1c5cefcc85703447ef1160a1b4a0e8c017b173802c66c88ab70d39a6c96c1569d5a86245a7eeb087d682219080768745b44bf244f65b567b2658dbae6962ba52b322118e214cfadd7cf3502582dc9cafba952a9637ad3600710259778d99d23f8235da90791604b4f0a4f7640680f59b633d93dfb84282ba54c674b115684a41bc331b659a61a04883d0c5ebbc0772754a4c33b6a90e52e0678ce06a0453ba8a188b15a496bae6a24177b636d12fbb088f2cd9504ac200231473031a31a5c62e46288fb3edb858b21bc0ea59a212fd1c6dba09e920712d068a2be7abcf4f2a3533443ee1780dd419681a960cd90af5fcaab8c1552ef25572f157a2bbb934a18a5c57a761b54a45d774ac6bc593583a1bcfc4dcd0cca87ab9cff463dc5e80ebbb501d18c8b39e324dbd07ca06cbf75ba33297abcc7aabdd5b308401ba387f533f3927b51e91380f5a59b119e354835ab182db62c76d6d85fa63241743a52012aac281222bc0037e2c493b4777a99cb5929aba155a006bc9b461c365fa3583fac5414b403af9135079b33a10df8819cb462f067253f92b3c45a7fb1c1478d4091e39010ba44071019010daa15c0f43d14641a8fa3a94cfaa2a877ae8113bbf8221ee13223376494fb128b825952d5105ae4157dd6d70f71d5bd48f34d469976629bce6c12931c88ca0882965e27538f272b19796b251226075b131b38564f90159583cd9c4c3c098c8f06a267b262b8731b9e962976c41152a76c30b502d0425635357b43cd3a3ecef5bc9910bb89ca9e91ba75e8121d53c2329b5222df12560d242724523ff60b6ead310d99954d483b91383a726a937f1b60b474b22ea5b81954580339d81c9f47bab44a3fe0c833a7dba1f5b33a5a2a459812645c6537c2317163d71b7bd7a4a5459a28a1c28659aad9a1ca9a99a363062d453355108445a673438e77624e73757c1a84d031cf0fb24b1187aafbe6738e9abaf5b42b004b1fa0d96426d3c5324235dd871e7a89364d335ebb6718ad098154208b143b2b43eb9e5fd8816c5225d494b40809b2459903c6486a1db9ac3414945e1867b5869c2f88cf9edc0a216681804578d34923e5a353babba923db907725b384e74e66987292e007e05c6766f267f839b7617c55e28b0fa2121da2d037d6830af9d869e1fb52b0cb645fe221a79b2a46e41980d34671ccc58d8756054b2cca7b13715a05f3925355cca838ab8d2425255f61135727167ad6bcb0632ebf86384b950ad21088c292b4a4fcc0e59c42d3f77fac85cd9f5cb049b3a29505a984c4c6ac98ca3d0a8f30d2b1bd9815b94b27051b40ffc3455a668b9e141428611b280c1b8f2b55f6eb04e10c68f1340ef1582115f10ee2b785b7ebb0ec3a0c61670cf48107b594cd6e238e0d68961b47983b87879771519d2b7c21681cd494b420f03d004bb06eeb54f9c080c2f2aff6759074d5b3a3b11c73f1af6dc874eeec254d5409fceaa90ff66d90b6930a540fd1d9be1844af1d861ff96a611a414a6c61a78fb2a78e74383ab05ebc73855a818a627242d523a3e2a35ab4285b4a2564f76772aaf8cdc9f87c65f1b4b5819905fb4f9ea59166fbbdb201c5eefc0df7418ca211b5b079a511b8b94429847b537fbed82d57632d63e815d8212d8a280d43328604a6c4d2c1887e7ab061f120a0168db2f4735369b193780f0aeb381ff2653f3b46e206afe77a7e814c7716a1b166727dd2a0b9a7d8aeace425da63977f8103457c9f438a2676c10e3a9c630b855873288ee560ca05c37cc7329e9e502cfac918b9420544445d4cfa93f56ee922c7d660937b5937c3074d62968f006d1211c60296685953e5def3804c2dad5c36180137c1df12f31385b670fde5cfe76447f6c4b5b50083553c3cb1eea988004b93103cfb0aeefd2a686e01fa4a58e8a3639ca8a1e3f9ae57e235b8cc873c23dc62b8d260169afa2f75ab916a58d974918835d25e6a435085b2e56f17576740ce2a32fc5145030145cfb97e63e0e41d354274a079d3e6fb2e15", "pk": "1bc331b659a61a04883d0c5ebbc0772754a4c33b6a90e52e0678ce06a0453ba8a188b15a496bae6a24177b636d12fbb088f2cd9504ac200231473031a31a5c62e46288fb3edb858b21bc0ea59a212fd1c6dba09e920712d068a2be7abcf4f2a3533443ee1780dd419681a960cd90af5fcaab8c1552ef25572f157a2bbb934a18a5c57a761b54a45d774ac6bc593583a1bcfc4dcd0cca87ab9cff463dc5e80ebbb501d18c8b39e324dbd07ca06cbf75ba33297abcc7aabdd5b308401ba387f533f3927b51e91380f5a59b119e354835ab182db62c76d6d85fa63241743a52012aac281222bc0037e2c493b4777a99cb5929aba155a006bc9b461c365fa3583fac5414b403af9135079b33a10df8819cb462f067253f92b3c45a7fb1c1478d4091e39010ba44071019010daa15c0f43d14641a8fa3a94cfaa2a877ae8113bbf8221ee13223376494fb128b825952d5105ae4157dd6d70f71d5bd48f34d469976629bce6c12931c88ca0882965e27538f272b19796b251226075b131b38564f90159583cd9c4c3c098c8f06a267b262b8731b9e962976c41152a76c30b502d0425635357b43cd3a3ecef5bc9910bb89ca9e91ba75e8121d53c2329b5222df12560d242724523ff60b6ead310d99954d483b91383a726a937f1b60b474b22ea5b81954580339d81c9f47bab44a3fe0c833a7dba1f5b33a5a2a459812645c6537c2317163d71b7bd7a4a5459a28a1c28659aad9a1ca9a99a363062d453355108445a673438e77624e73757c1a84d031cf0fb24b1187aafbe6738e9abaf5b42b004b1fa0d96426d3c5324235dd871e7a89364d335ebb6718ad098154208b143b2b43eb9e5fd8816c5225d494b40809b2459903c6486a1db9ac3414945e1867b5869c2f88cf9edc0a216681804578d34923e5a353babba923db907725b384e74e66987292e007e05c6766f267f839b7617c55e28b0fa2121da2d037d6830af9d869e1fb52b0cb645fe221a79b2a46e41980d34671ccc58d8756054b2cca7b13715a05f3925355cca838ab8d2425255f61135727167ad6bcb0632ebf86384b950ad21088c292b4a4fcc0e59c42d3f77fac85cd9f5cb049b3a29505a984c4c6ac98ca3d0a8f30d2b1bd9815b94b27051b40ffc3455a668b9e141428611b280c1b8f2b55f6eb04e10c68f1340ef1582115f10ee2b785b7ebb0ec3a0c61670cf48107b594cd6e238e0d68961b47983b87879771519d2b7c21681cd494b420f03d004bb06eeb54f9c080c2f2aff6759074d5b3a3b11c73f1af6dc874eeec254d5409fceaa90ff66d90b6930a540fd1d9be1844af1d861ff96a611a414a6c61a78fb2a78e74383ab05ebc73855a818a627242d523a3e2a35ab4285b4a2564f76772aaf8cdc9f87c65f1b4b5819905fb4f9ea59166fbbdb201c5eefc0df7418ca211b5b079a511b8b94429847b537fbed82d57632d63e815d8212d8a280d43328604a6c4d2c1887e7ab061f120a0168db2f4735369b193780f0aeb381ff2653f3b46e206afe77a7e814c7716a1b166727dd2a0b9a7d8aeace425da63977f8103457c9f438a2676c10e3a9c630b855873288ee560ca05c37cc7329e9e502cfac918b9420544445d4cfa93f56ee922c7d660937b5937c3074d62968f006d1211c60296685953e5dee56f17576740ce2a32fc5145030145cfb97e63e0e41d354274a079d3e6fb2e15", "ct": "718ad10318b367fc4390f63147fa5250ef61b65384a563f2c7951b2d45881fcf9f446ddd4443417eed0c001e635a994cda366f118bdd1cf0be0417abd1b615cc669e1b949280e28f52d3d5035c6420ff6c943421ee7589e681828c95942d4f9968f32b9ad30cccff0d98fa84b187164530dc83f9cde75ab1958c22dbff8af921c9ebc678a658b69663f72e7c1632b6ac8ddcbc6c8a06c3316b1aefdd07989ef944fc51406e12db6865344e03f447520d50c93fab1513d80cbc836950e2b52f424bb46155ba4c2e21ec5dff762bf7e92e54e0fb7618e73072607ba03b1de16f109e22dd5832a7eadfeb2ef00244bbaf930106cbcd2ab008f468de6d98632e9e225091a010e361ce751d633e6c37ba2530bca6fbe9d2e5348e4e168e154922992aef45a265ec649ce21480504b609ad5f1b0b094b74d55aaea60b8f71398cd9340802e91415937ffaa482c6678f8421c63583e8acd8d00bf285b52a26fa577aed109acd94ef7559554aa378f87283a7ee94af98e21a6fbac8802336ff980e15e498042a8148b69e1d8aab0b7126d0b885f9a57c1ea83efcce8dccfee076dbc2f9c074525ed4e7472c3e09a9f1c50ff511150159c1be7730686c04e46368e37f2e8c82b8436463445b0edaefab876731497abcc563b1978eac34cf73b5b213549d1f74271d48f6a085155acd8d7db739ce6e70ad25ee636231e4151725d55ea781d483e54850e1ebda401276616e7a62b22efa2e3098a006dfacaa1fca54ade6a119f3a215b523210164a7f299d2c7b8ad8a637bc1fba56de28ffa800b522246dbec7148ced56ed292c7d92004065598bc573dd30259d84b6d923d2769ce260cdab0ad17673ef7388c020b8e8bcd055232a7240fe2fa4fcbeadbc46366aa47729f5502dbfee8a623ab8ec6f6020013aeff975f255b597a11eed1335457b9903da42a27a39fdb0edbb11742e4e521c833b7952d3fd28f428eecb6f78b99ff0a5eb097793f78f1a70612811766fcbe0f9aa3ca4afd8a364f5584333d8a4cdc096a3762ea6cce70dfa42967f5a7c2dbef688b37885fa26220dc800bcb1ae83d35ffca54a6dabba730764d60b1a4a506206efa380d7d1d89069778b082bb92396af4547024797797e01c927c78c9f70750ef2002dfe1516baa4f165a3176942d35d9527f4b33505484130cd573f9d4a1f1e6656aff881aab482fb3d6151ab02f76267033f3feb9718fbfed05a9b69a8d817a7e4a41efbe3ffeb355d1013778f14d4c30c92a386190fa23b388feddc635b22d8fa4998b65d483cd3b595553092123e144c49d91ddc2f7a88f3ef1ad2b0b19636bc3f50f61ea5157c73a1a5b956349b6cdf3ff50ec9ef7cbc1137b27d7839276a3ed4e778c505206669686ef038b5808117fedf60ef3598e8ed1db1e5ad64f04af38e60e82fe04bc75594fd9fcd8bb79237adb9c9ffd3dc2c907345f874aec7055576a32263486120ff62ad690a988919e941d33ed93706f6984032e205084cc46585b5aef035c22ddbb3b0ba04e83f80c1b06b4975f00207b357550d24405189412ea6a83ad56c4873f499fdbdc761aa72"}, {"seed": "aee7eef47cb0fca9767be1fda69419dfb927e9df07348b196691abaeb580b32def58538b8d23f87732ea63b02b4fa0f4873360e2841928cd60dd4cee8cc0d4c922a96188d032675c8ac850933c7aff1533b94c834adbb69c6115bad4692d8619", "eseed": "f90b0cdf8a7b9c264029ac185b70b83f2801f2f4b3f70c593ea3aeeb613a7f1b1de33fd75081f592305f2e4526edc09631b10958f464d889f31ba010250fda7f", "ss": "d482dd1a592f072109a0d8a86991ca6bd5bab25f13e788377fc34506f508ffdd", "sk": "89722dd1c8829af93f6e5405ecd93a5aaabcb9264aafc363d731bb4f276021b0c06826363022ae1e85acc6679ccb583a37ba4d30e0564ae6421ab1b5c2374a058cb6bca4050ce15ed5c51bcc90be82454b332aa21069623d8a8b393a2c2b6cb5bffc55ae369614a77d9bc982d47496ab21239bb7691ac65494225889b7b45ba10b0aac10c3c41fa7a4a51fa14d3e92bbd364be59ba7d9d4592944968e97a2d947868a0624a97a9c8ad226d81a12a17777eafaa6de30436a5c743003078d830734ec97e6a625f6d9c10f9da3f956b5583578478e6311f27789d6188ede84510442c9f556696378faa622b1e935be62c733da96b023c31b2ba6abfbc5c748088251042d46559bf132d2a43b7690cb4666722ebc53849843125f9a900aa476af424b7b410f18300f048ce26dc7f35b50f7eb5bccf23c95b7c0064e92662eb22927359df1b9ace43ce014384ae68822f4c3f64583643355c6746290d224a70c818158884e2aa8f15e18709100848255c277144f051ab8b40775c297cafb238cdb70e8ce687c9e195d0823b390341e245852ca99c079211161a79409247ae721a59b358ef097ed8dc386f982d36a9220c3511eacb3674f671f171afb0d14f0890c0c7f77d06f7c61ca83a15974083e72678f180f35c1aaa633166d429432599f9d9432fe791318ab14a3988496a14c2417e03990136e91aa3a817085abbc4aa0c38a45e7e009f3577739172396f7b7e61734eaacc5b484971e9a9384b58aadff9307a98222a3813f9269fe793b7ef582ab8c36feaf447d3136285f76d5f463141356773650441e092dc73bcf483cb1f2944016936db2a34b743830cb890e85660acd077ea51c07e664df7ab803c9b0c96e143b4f5788311a841b76be728aea60270104564575bb723f51dacaab5e379c3cdd97bdac84ad6738587bcbbdf1c66a0da65f87a673f840e1d7c5a722a265568429ae36cdde9cd54ac3d4a94c4c6508361984e1c211771998641816fa392a4ffb97664381a84900eb52502f04816a3d70090b55ee2d3b7f3d459af4008ec8c1b19c08d1284b6fdc81508647ecb9b45e65c084d456f9fa87a68f26bc05b4e8415887b602ff28b28e412637ff9019a90ac21c7c4ae9670a538a2bd2604616689b034c33cb1cc9d634eb37c8d4d46bc40e335582b539d3215bf70960cc1c0b11011449c2a09265101f55366dc0213a64112885176c3a223b19cf6951b5968452aa7b839370646db5eee1893346a58c116133dbc8fc1c5ac34e04cda171b041c0133563a682855a9cb18896c6179ac2eac83c70547942e54b2e133a6f68450f4f4b14bda3af5f129b3e292c6a676aa0b7a045c7251e315ca3707ff23bec349a950d49718560b2ff66cbd49c848b4036c2186a0315c4e6a32f3035207a48651891f50ec6c0eb19d13e90457611e0c7ccdf012a3e19412d8c1563f1ab22b39859b27a7bcac72cbf2c83c666deb401e4239603645872b997673b6205d97cdd68b0a782742e62c24ad746261085de3c95f49dbb8172c05f3f2414e63652c3b358d603e867173e03203af06a26bb0bfc0b521118b6fd99613a160829b04475374b8214859bcc316f4e06a84f264ec3cb513f66b71ac3a3d135aa589198cb02113cc17e13a0f15fc1d3d734966c3751a74ac27c781323043e36389dca9a2af6508bdba0260662691426d1d8899cd77736c21b17eb3a31fc118154264e2b10e22c506b7803b1f4b25d178b688b641d0943185107eed18b228e8b68753a8d75a77f29b5b5e97abd028354ce4cd6961797a757c4ff44aeea2c0a16cbfdcb07314fb3e64d7c26a4c9e5782a2ee198d73e7bf05eb85bd420cee20ac24c36613d6bd0c53133443527c32bd0f8b3b3be9918c7caea71748de6bacfa27710845ad0b528c087349e9faa3c83869e1d0ac9267974dba1dc3434976f60b59d443bad51e87d974c9f747b76017bd17021c24246a9987db1b318562bf665b41fb153c0ba675cac593b990ce595a7851fa18ea345bf20c3524862532544e05e5c69daa0dc4f2b24704338e29144d653657d47a20f39ed2b1174cb3120ed1590e4ac932579dc2da9f12f6c07ec7a31963208faa5c758615713965b9d5661860cfe5652d74231d2ce9b696ea9e45305a28d84c082709d2238bbc849b6b3cac64b78b532995af6b4ce9880f9149a5ae083320624e3b54851d48a6f24266258a0a14d342e4ca3133c33c5e16ad91b22d521100076527cefc5f0417b332463c5c5c52dc4b00a2d29959109244d2810839a310cb1df282503d5cbf3f0cbe3e68873407b7e5e960ca214709919b65301da2b3a7e488205a3a9c5f24cd61d18c757040b14a4e80e8c09e74a9a71265ed213a91da6d7a8655de3b4a83125ee2e66cb673733e3717d99023a6683712767ab2da9b54a26dd3b695a80b54226a1a967b08c3f76e679914470803bc6805a6b4b1b78261259acd8f703dd10ba6e8e1a00dd94e774113d13103253cb70edab948c38072629b949261b7c439445bc498444e86b6a9a7da8b1530380bf2939532a8e7ea84ea0b5c6db5335e826aa0325b536ccc21d943890b2c2a5c44f337682355867be87965175f2dbbb0aba89f9311b0873a15db6a4128682a8bca019a04a351a0ce646868f9bbb6f8d0bea3db0865f1239b16c93ca09d19857d747abfc846b27dd77ee5d405fab5ce949635e7d34ec1b9546aea75df571cfed74b7112218e4153e7f6a7a3a910ec4c111576b3bb27c29852746e645fa501b0642678aefa2209c745939a2ab000033862b88e7011e7e25ec1e3cd379b54bc457a85d9af0680160c57b3a4e90308bc28b8da13ac0c563c55b39a88bd90b51f691525e50a260a0507a2174447ea93f5d5acec6c16a5d7909e275f612c9f283310e8124d28f18000f811fb929e03f30d1472644851bcb73c4af6b095acd7328a072be9187a836a15307c6076210c9b410493505bc4814e3c327386796c5932c8cab7a695b97cac24561b2a9657c3157531ba3cba699b6424fda24cc6c72edac1a6bf091b87c3c594c917d24a1126f998aee120ae372a27a268a0c76ab8f84957f461e7c04dd2d59f0f217d9e07008990533b16bbc125b2737a1a7e1cc1ed7c47e8f8464ba78c5d3298f2dc7d0be944ad29907ec774ad1b1f1485b114a9a9b93c488c89c0c7609f2bf9533c2929f667bca8b68999e34054597cf83ba7450b237188c3364172c1351bd349a699672d31b9598bab79a18b3d8cb25f5f53c0b22bfa065690a16184db4f9731cea1a08f5876ec187e7b1ae79c593415d068838e5ce0bf2c28b1e389ae4a768f871b2761a29178a51845eb0b939f0ee9ef58538b8d23f87732ea63b02b4fa0f4873360e2841928cd60dd4cee8cc0d4c922a96188d032675c8ac850933c7aff1533b94c834adbb69c6115bad4692d8619c7dd2bf4e3b5b93f77f4576d55d300739e75e14084b0bc85620499bf468ae161", "pk": "3d135aa589198cb02113cc17e13a0f15fc1d3d734966c3751a74ac27c781323043e36389dca9a2af6508bdba0260662691426d1d8899cd77736c21b17eb3a31fc118154264e2b10e22c506b7803b1f4b25d178b688b641d0943185107eed18b228e8b68753a8d75a77f29b5b5e97abd028354ce4cd6961797a757c4ff44aeea2c0a16cbfdcb07314fb3e64d7c26a4c9e5782a2ee198d73e7bf05eb85bd420cee20ac24c36613d6bd0c53133443527c32bd0f8b3b3be9918c7caea71748de6bacfa27710845ad0b528c087349e9faa3c83869e1d0ac9267974dba1dc3434976f60b59d443bad51e87d974c9f747b76017bd17021c24246a9987db1b318562bf665b41fb153c0ba675cac593b990ce595a7851fa18ea345bf20c3524862532544e05e5c69daa0dc4f2b24704338e29144d653657d47a20f39ed2b1174cb3120ed1590e4ac932579dc2da9f12f6c07ec7a31963208faa5c758615713965b9d5661860cfe5652d74231d2ce9b696ea9e45305a28d84c082709d2238bbc849b6b3cac64b78b532995af6b4ce9880f9149a5ae083320624e3b54851d48a6f24266258a0a14d342e4ca3133c33c5e16ad91b22d521100076527cefc5f0417b332463c5c5c52dc4b00a2d29959109244d2810839a310cb1df282503d5cbf3f0cbe3e68873407b7e5e960ca214709919b65301da2b3a7e488205a3a9c5f24cd61d18c757040b14a4e80e8c09e74a9a71265ed213a91da6d7a8655de3b4a83125ee2e66cb673733e3717d99023a6683712767ab2da9b54a26dd3b695a80b54226a1a967b08c3f76e679914470803bc6805a6b4b1b78261259acd8f703dd10ba6e8e1a00dd94e774113d13103253cb70edab948c38072629b949261b7c439445bc498444e86b6a9a7da8b1530380bf2939532a8e7ea84ea0b5c6db5335e826aa0325b536ccc21d943890b2c2a5c44f337682355867be87965175f2dbbb0aba89f9311b0873a15db6a4128682a8bca019a04a351a0ce646868f9bbb6f8d0bea3db0865f1239b16c93ca09d19857d747abfc846b27dd77ee5d405fab5ce949635e7d34ec1b9546aea75df571cfed74b7112218e4153e7f6a7a3a910ec4c111576b3bb27c29852746e645fa501b0642678aefa2209c745939a2ab000033862b88e7011e7e25ec1e3cd379b54bc457a85d9af0680160c57b3a4e90308bc28b8da13ac0c563c55b39a88bd90b51f691525e50a260a0507a2174447ea93f5d5acec6c16a5d7909e275f612c9f283310e8124d28f18000f811fb929e03f30d1472644851bcb73c4af6b095acd7328a072be9187a836a15307c6076210c9b410493505bc4814e3c327386796c5932c8cab7a695b97cac24561b2a9657c3157531ba3cba699b6424fda24cc6c72edac1a6bf091b87c3c594c917d24a1126f998aee120ae372a27a268a0c76ab8f84957f461e7c04dd2d59f0f217d9e07008990533b16bbc125b2737a1a7e1cc1ed7c47e8f8464ba78c5d3298f2dc7d0be944ad29907ec774ad1b1f1485b114a9a9b93c488c89c0c7609f2bf9533c2929f667bca8b68999e34054597cf83ba7450b237188c3364172c1351bd349a699672d31b9598bab79a18b3d8cb25f5f53c0b22bfa065690a16184db4f9731cea1a08f5876ec187e7b1ae79c593415c7dd2bf4e3b5b93f77f4576d55d300739e75e14084b0bc85620499bf468ae161", "ct": "f98f274dc74db1798915be81f089fbf792116ec03539b6c02cfbe649267f100df0ef51ec6e51fd4a9b75cc2f1806d470b56984df3d368e4d09be4b4ffd59907e11b2d4497b7dd2b61afb3cc52a6ea661f2c6495a7f5fbef3dfac143f65bc9f6eb48d548df01d6a0bb52dab84fda5e92f7a223289ec4e45cf76d47ab3a79086481f4bb4e95cd69bfdf388762e775bf63b9694f72ca5a90883be5b8ac08c1737d5eced830466e9426fe5bec61bc63f1962358b66cb3d8fdd5dfa887b0da5f15c8868bafce3d998b85ab34ced43ac9b9869c84c59fb2f094ddca1dee97db9a941c3cc319401d9db08569d8eb248ec2ff51e7e18c22d810bf512c28d5d719c4bf5237bac6d14ec33b673453cb0129f31a0b532240ac257d7813370c7addd3ec957a1034b8e4c539506c7827a82e37f5b2405236c914783c35a8aaeaacdea194d699dcfd6d04027cbfcac58e3157a16c20b11dfaf6256ae3037252baac3a25f3d1f7e3f14dd231fc50db2f8788575799e6be241717e9634456be9eb04989cdf312dddd8a24939ebb90de0f5b006d59b2b19350dce76a415230f49374fa45ced3eed165cc92ed1d6e17c233f36030a61cb610b93a55d939c9c7e964f9086ccdb41b8638f14f9202cdb9f1e3ffac235ccda32a92a71e85188297cdba4a309e085c56826bb6121462ac6ee36beb9ee72c824294b6026c60d478f17dd082cca6d6d7a3e86dbe5f7fc9bbc2a07873c686e53f9040aa60dce89b179643741457f5de371c8aaf41eceee8e1a1b324666572322499731242ee48134eb6dfb8961b06b5a04c586c6a9113a9c161f36806a284e03b01940286b2de59689607b2b64b46d6fc2ba044c9a42c5cb600cfd6ca0bdf4915a47fe02d71b8fcc27f0f17c78a300c6345ccc2f77a438772f4297f7b2160aec93e4c8c72c0dbe67868753c18491861a1c1b96eaae07023436602fbb6f2bfb161a5f778bb3086c2255423a8c51052833f6b63ed2cc732a7e2c4d36123471b451b640830421fd4edc83a9527d91203aa7e41867e3a7dfd5610aa20646738754883935af2b09cb24d93a332c9671e6a00cc29a6346de406f5fb28fe84f0b0d3a43c98213bfc2eb2802f1ca071c560a705edceb262c44c2fd2e9e5caf0bf9eafc6be84c8a00d4bfd57e2468254e4560aa6e8d62ff72c55c403ce5a8e8c87cb4d7f693344918138a8f1621107492d8c0a8c74ae77323f7e1fa84220da14a9ae978b207aa692e2ba13ee5ed924c75e472e1b77cc496519704ab87bde2ac15fdde0184d799288b60873b7f85a113b5b8d76a5237f26586ef2cb5cb940c9c5a4789267575ed223fdb9d7ed57a390076857d3c0207360a3d039e4f7961dfe25d8e7c034df6ec0503b5589a89911e54d4831b5cc9ed0abc66143b5482d35dec97ed94e65ba7d013126348960804ec2f19463b8daaa9927c05eecae3bb58b2575fcec762c14cd7d27f51e05aec3ddf00e90dafcf91d31ac09eaad73d675504798170b703667d2175a37b40e4b7809056b1c1ca3062cdb98b0ba79b61c1c3f692b6e75940077ab7aea8649f38e34406282704f1080208a15c"}, {"seed": "1368ec2967fc84ef2ae9aff268e0b1700affc6820b523a3d917135f2dff2ee06bfe72b3124721d4a26c04e53a75e30e73a7a9c4a95d91c55d495e9f51dd0b5e9d83c6d5e8ce803aa62b8d654db53d09b8dcff273cdfeb573fad8bcd45578bec2", "eseed": "e770d01efde86e721a3f7c6cce275dabe6e2143f1af18da7efddc4c7b70b5e345db93cc936bea323491ccb38a388f546a9ff00dd4e1300b9b2153d2041d205b4", "ss": "1e037823ddbf1875756d86a3374b2d2347d5b7f3c84d229ecc5960523cdaa8b4", "sk": "f58497af7a5854c214be50bd9694011740619f4042d1a9b5e3d813bf419c9e70b6b6e33917644378d7a097047c1be007b9973f3ec7c2c1c7af23726160db834503bc5381625ab08ec831b60a04c54a360d2222ab0918358e84a038c41775456f7c6c1de0f27d5b538a9e80911484cb96d17b52825410661cc43a576669a92cb7b97b97aa0e7b55a0589bc1295000a09bdfa5236a737a95a7029d2a5f4429494ee4b1299613fb76a573092915f6c37d472beea0b93b082eb546b4ad268fc0fa9eedc8a19faab8a857ad09e24b042374ce9566e3b3ba33bc06441781f74421d00bcf0598103d9620fe0b35ab904c3676c3e970525c7507917850ff99ae4eb57eeaf4b0615097a1e970de6aa9ba609fe8ac11fdfa4e7c4cb90a30c03cb8baeb5033cb6ba6c755bdaca4c9448bcc24188991a659adfbc219b3ca16258f3c0b8791846cd9e8b17ed33f97b1bfebeaa93628421a348596a72ed8a248219779cedb38f9fb0f064a4bf89a0c5dd485564c30ab16bc83d19fc9257467598ef713cff3a0470f4983db6540e52a7667fc2785c031e989601972b2ca61c97218c6470498679523c5957ccd0b4f30836429287d47204d8a32ad0c3c01c38611537a417e28284d58b1dc415f8cc6025ba1603073206e9372bcd125d94311eb2966fa9ac48ea68fb889c292585901796118949545a77ad8129d3c989f0f044977d35ce9b715695b61e46aaf74fb9b753a489842592514c2c41b1e3a22621a5369ff4a196702b2805cba6f945209a22613ec254937bc65fb40371b26f808cac5fa66437603fe175f4f039ebef88e2e3757692718229a7167780f032666e9f35a1f316c278270891057390a1b552b9b53e92ce6325b12a8475768a5eaba388b5b4740a4b4867705c74caa54eb139d47b16b845fd6c97a01138509aa3cb34232504a4609850f464b27d3a6c792a2a326f78ea750837ffb36349405442bcb7914be2bd482f4686cebf96c38fa67db608953039eb5446a26968aa0f023499261bc29356547612a472d9dd135e8744649656995178ad2b38d80850b180b6e6c255a0aba7e8c656fe782a63f48bde8cc5899351e308a3d48e5322a7b8b48ec1c99395d9cc39d381146846567ed0143c6c1682cd06faa64467a00919c53a374281b86e6744569c0eb1b099bea5b5c8a9e8024498ad70fc2cab20bd67a72073901a3bae643619342aa01071c3992428dea1755d870cbb86315b2bea4a6753359216e939f7d1aaaf0903b82fba7228a4a15f0779de2a19056c4e0b066e98b2a99865df3825caca00a1313c2e8a66cb8165fbebbc7fefb9e2e0916f4d753bb354b1cdb0ec61840ae14a0b0a6b89419cbcd4c2cc9fa8df8da7bef4a829e17b996461b499ca051b5989b17738b158057342454745051e7b01aa5a8971181c4d44e20f3950873aa1a436cf7255328dc73f312119395213ec852dcbc9d0634c722b2593e154746402a3d289b3abb14a8d70494b761c3f66242f06cc534a761c19cee82a41ea7a308fb580a19762ea34f2f931cc3fca3a7484b0c0023ea2285dc1b04a46489ea5a673a5a4d5db5745b72704670487c1c1c61f06184d1be1fb8c770857cfb03c5c3575181cb7f54eb8b8c8b6a200a0ef6b66eec364c0015ceb802081800ab5bd1150ba20e5d2c6012d70fe700a56c101752242397627c89156f667a28ffc32c56d20abe3834d2a05a0390c7f2a893d64127fb772ae12468a1f6260af39066ab7ecf694db179436c54a707092a87aa22a274691ee0083e7a98a6d2c633d6c0f13a1542b094e7505d8dd92063b3972dd036a2e68ca9d2af000da328b27fb55178b3794d41755a4dd32abde2cf2d93a5c59605e372114bfbbbc44304536533d1aaad9d385f82278576840cb1f340c0d53db7b0c8cf3794d2f0ba99267ef5d01064c99f3aca71aaa2cbb85011c6687472e20419680441cb0c7bc70aaf1361797b1c2f5a5c60c10086d981299bbfc2c15d77f4077c40500938bbb2e52aef37c3d516148d5ac84e216e0568616ea476fde89685578f8df91281b648d1359bbd53768f27596f3b3845293d698b3a1ae2785e0190be513cf950234399a51487073671736a0c4479672595b2b07a7c3b1143a2fa46cf383a183e0880e580793e5892349600cd6c3adb903e078c31d7d50a90c5734537784267578d35a6982b61098190befc3185020d2c175df7b1acec91c3d5fc6f7cd298f878bd2ab814e7ca340ae21377f79a2f73cf219c7f9e85649d089356cc082f655d72e8035128b910b44ce7833abc11348305943b049a9d6b7df1f98af6c5bf9a6214f073ab28f1492748574881cdf160139e60307d32086515bb93c502e6c20106801c095380d82467b9d56b72f566830a7472aaaba8dbbd755c262704af12475febf3cb6268289bdaab09997b8c309dfb436927e7347dcbba3f772b85e753493417cb134c3604410399238da584d1c495c0793fc5e9583f8797e97c9d45e63c1fd42ee7c5aaf9cc901748c87438c91d6964fcab436c6c0b74b34c6a35aaf688ace32a869411ca57cc3bb0455d981a16b655984ad90bf7c3add506b6821248cc52215da27310fb57738254c8730241e2281c3b18728a12c458b8af8c2c3b500bed5c749e9979b4c44f116aa971b043a8b77b62f7a2fc9621ae71763fb0a43758b40e09aae6f574f932661372a7bc120331c34800ed2113203eeb180905d89a88a4cc48d8c3acf19f44ba00b8466e1ddc0fe1e3554ac059a9fa2b11807173f1190dea271119c087c605dc8b945fb069bfb159c464a28758c1822b2c1e5a8ba0779833c6937c9c02ca61285c67557dd958e00840fd1c599095409dc6caf13360a8d5a1d864a903c429b3054ee83448a1f71beb70a93dccae8e69a0485b47df44202d931e2c99316a23a4e396b7c704b832a0b855106f29c20c3c447ad39176b77186cfb94b3e973d415636a0950284f50efa9248bb1643e793cc7a6c343395a8a245b669b32821f2b80214481ca4416d9009dd3174c4cbb29da7386a7404b21a72ce5a295deb62712a3fb01c927b9b2e73d95aa65c3e92169c72662d7ccab10c8a369d50b90a74c41d590dbc4ac104a147855131b1da730116bc17e430599a8d64999d9450b237002fa1021237dbbfa096a95ea0542ca7937b7c1971b53ce82087d7e114e446b81265cfd540176cd069deb9886fa45bd2f3464e7cc908cac220e642fd3610f18aac2b594192bb7a72a64ffe156e77ac8f576a0511b9768798c79590d8d37f58628ef69837335bfa984cde027d87d45cf83e597b705d3130d6210e9d974bab5643cdf4d1cc7c8282ffe68f827e0cac9926bfe72b3124721d4a26c04e53a75e30e73a7a9c4a95d91c55d495e9f51dd0b5e9d83c6d5e8ce803aa62b8d654db53d09b8dcff273cdfeb573fad8bcd45578bec241c2f9459a0447d7f7ae5f1e8dc1cf4e76cdd9add2eba7768b4ac7abb269b07e", "pk": "8c8b6a200a0ef6b66eec364c0015ceb802081800ab5bd1150ba20e5d2c6012d70fe700a56c101752242397627c89156f667a28ffc32c56d20abe3834d2a05a0390c7f2a893d64127fb772ae12468a1f6260af39066ab7ecf694db179436c54a707092a87aa22a274691ee0083e7a98a6d2c633d6c0f13a1542b094e7505d8dd92063b3972dd036a2e68ca9d2af000da328b27fb55178b3794d41755a4dd32abde2cf2d93a5c59605e372114bfbbbc44304536533d1aaad9d385f82278576840cb1f340c0d53db7b0c8cf3794d2f0ba99267ef5d01064c99f3aca71aaa2cbb85011c6687472e20419680441cb0c7bc70aaf1361797b1c2f5a5c60c10086d981299bbfc2c15d77f4077c40500938bbb2e52aef37c3d516148d5ac84e216e0568616ea476fde89685578f8df91281b648d1359bbd53768f27596f3b3845293d698b3a1ae2785e0190be513cf950234399a51487073671736a0c4479672595b2b07a7c3b1143a2fa46cf383a183e0880e580793e5892349600cd6c3adb903e078c31d7d50a90c5734537784267578d35a6982b61098190befc3185020d2c175df7b1acec91c3d5fc6f7cd298f878bd2ab814e7ca340ae21377f79a2f73cf219c7f9e85649d089356cc082f655d72e8035128b910b44ce7833abc11348305943b049a9d6b7df1f98af6c5bf9a6214f073ab28f1492748574881cdf160139e60307d32086515bb93c502e6c20106801c095380d82467b9d56b72f566830a7472aaaba8dbbd755c262704af12475febf3cb6268289bdaab09997b8c309dfb436927e7347dcbba3f772b85e753493417cb134c3604410399238da584d1c495c0793fc5e9583f8797e97c9d45e63c1fd42ee7c5aaf9cc901748c87438c91d6964fcab436c6c0b74b34c6a35aaf688ace32a869411ca57cc3bb0455d981a16b655984ad90bf7c3add506b6821248cc52215da27310fb57738254c8730241e2281c3b18728a12c458b8af8c2c3b500bed5c749e9979b4c44f116aa971b043a8b77b62f7a2fc9621ae71763fb0a43758b40e09aae6f574f932661372a7bc120331c34800ed2113203eeb180905d89a88a4cc48d8c3acf19f44ba00b8466e1ddc0fe1e3554ac059a9fa2b11807173f1190dea271119c087c605dc8b945fb069bfb159c464a28758c1822b2c1e5a8ba0779833c6937c9c02ca61285c67557dd958e00840fd1c599095409dc6caf13360a8d5a1d864a903c429b3054ee83448a1f71beb70a93dccae8e69a0485b47df44202d931e2c99316a23a4e396b7c704b832a0b855106f29c20c3c447ad39176b77186cfb94b3e973d415636a0950284f50efa9248bb1643e793cc7a6c343395a8a245b669b32821f2b80214481ca4416d9009dd3174c4cbb29da7386a7404b21a72ce5a295deb62712a3fb01c927b9b2e73d95aa65c3e92169c72662d7ccab10c8a369d50b90a74c41d590dbc4ac104a147855131b1da730116bc17e430599a8d64999d9450b237002fa1021237dbbfa096a95ea0542ca7937b7c1971b53ce82087d7e114e446b81265cfd540176cd069deb9886fa45bd2f3464e7cc908cac220e642fd3610f18aac2b594192bb7a72a64ffe156e77ac8f576a0511b9768798c79590d8d37f58628ef69837335bfa984cde027d87d45cf841c2f9459a0447d7f7ae5f1e8dc1cf4e76cdd9add2eba7768b4ac7abb269b07e", "ct": "137d93a41362f50229305c688633ded3c474cf399858d60e668ca77d04fd869168a235d5e177eed970cd8c4b8a8bcad3ba1bdf3cef0d697b2c1a1e9a4259cce54248d5f47b59e93fca20799888ec7ee44efd7414bfc71a543648bea1edd9da0234a3af27dcfe4854792caae46a3dcce1eb31cf4d5d8b85855fe1ba7dd94b188ffec719354d43c445960766e26f17561a5ec3872bfa9cfa370a00ac6bb9e196bb57a9f1fd0577d664077b81558565e50b0f2964c8e0093353618de2f2f6d5999c1d27279032f788cb3cf59c127e7c7e029787111226454355d06c81b2affbd099493c34704bb8f0759c4ce568cf721239014b1f00e808b5dc76ea4fe120408c7e510e27832921b022000f9dabdac2e5bcb47060efd1a169e4eefa80ed6fbd1f94473c2038d742df4e286bbcb854281aa28c283f81d8d8c0324b5d354e8b6e2c5e28d5b39a88a790f926c7b5270630c5087990f7ce5afe2fc9e327ed33f760c8d3ea520d9c01960dd360566647820c98c859052ea770c5efbed12b0e7536a409562e2fbb0cd6ce67011f6233c623239f1ed44035963ca9470c439a7e588226307be4cf7a6e27766a28730843a6865c9a8d53f66e8ab121ff234fa3dd0cfc9736b40fb8bb3e64919ec4a5de20282928f60260c63a81439e0658339437b3f1735f38c9481d7edc344ef6dd34d93e0ee013a93cdc8a7207b9d79665bee8a768934c2b386f47d85891fd316aaa378af13c8892099075b75cc8d9ce0419ce57f0f55ea0aeea03fcce14e3a4c766ed09fe4577c6cb9372d00e95c86b41989d6e6ff2359a579b66f76a5a1bf41b2c1f53db1e8b49d822455ea4afe8198b5e7f039263e10885d38d3bfa0ee727cc4ff2769f9ed0abc08a3e77f8bc65a7a75b7b0fc74c2a9027e94f1757acaff4ee5e6e28c0b0238a5435712ea1c055d79e0558a2d149ecfb8d129e19c2d9aef804b3e49e6f60ab43c5254f81a9cccbb3bed13a67f436159b0cf5c7134d6d5a577bcea4f8648eb07b728b0864ec8751576c6fc302a76831d1672daaa2e17c5991efca743cf55d64ca59e8feeda59ec52099d7bfb00a3ccde4084825145f022d89a126519f7904eb7ec4db0b08e70d7d67bf18e537476b4ce97b2ad1c84c0630ba053a13affff42ecea695c080942df74369a23f93a1f397f14dce28acbedb6a90e7a0a6423c277254b71be2d887386915e5924e85f1c652182f8c0db076364a97d7acaf0f238c912fd56403593a8b2526884737790a887d9a8382fab3d2967803d0a1e62b610289af4ea26c66ef29c4832a4b48ffa225d5be2401656753a9ed00c45a057efc666abaecfaeef972643de281f5d6a6ef43ed2fbba963a95c8d36461323d51d18f92e58e4de1b4edd1d93ba14ea6adc3b8b63e71d0edc92555f3f962e68fbf42a0fc04cb7da107203468589655f1b3b979ccc2efee6f10f0ec631c040e4436b8acaa4716708bf96d2db8108a36117d10664cb2a3e3af672a10b0de5c2a284e6b9de37533bd181bc14fa049035d5050b5526ba59f893a1778103b6e2d946090c0eba049e5c1ad843a3121d539564866af5647437"}]
\ No newline at end of file
+[
+    {
+        "seed": "7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef263cb1eea988004b93103cfb0aeefd2a686e01fa4a58e8a3639ca8a1e3f9ae57e235b8cc873c23dc62b8d260169afa2f75ab916a58d974918835d25e6a435085b2",
+        "eseed": "badfd6dfaac359a5efbb7bcc4b59d538df9a04302e10c8bc1cbf1a0b3a5120ea17cda7cfad765f5623474d368ccca8af0007cd9f5e4c849f167a580b14aabdef",
+        "ss": "2fae7214767890c4703fad953f5e3f91303111498caa135d77cde634151e71b5",
+        "sk": "24c59d1c7603e7b74bc7aa1bc2cb3a214b3cfaebb63bd85b65408427c498ba394371bb271f92a3b506b81d54a95a7c0ddfbaa1519553d6f3cd5a601b7db6b0e91a5149468f1f68ad26478bf3c6670e093ac4c49e7a90ba46595de94c50e04129a811a841b39534a87f0ae7b1116553e20c9a566b9b8ff7c7e728b8b201893403a4f252a55230874c256b897834cda349807b25cbd75a30867bfb80328200017f1cb70b56cc546b65d3dc9cdb45107cf10dba349619043ac35c0b9546309a239039813ed5c40f353a5e8e42193564496112bda56cb38c081df252ae9c2c7e441a062e92a7c8da7a240c9952d86b5f1bb6a53b38a5ac0a54a84b43f12da1d0525655684a12090b60b28b0c628db092015547d1070af5d6192e639636615d03c654bb90008ca15b784119f6178a00d7bef4a54a274ac922e55c61a3a8840aa258639484a3bce2e43b6c969b11275631daa129a61ea0e2939f0877e1a110c8a44b24c54fbb07a958db9feeca1eb52b086c87bf43a9b02a5b2c4762117c3a99ae4c4e2eaa7a33b9a714737215c10317514f6c4299ef92acd64c4858e85ce737a801890022d7381f3540230c0c8ef50a848a28b09ba0bf8b50619c905751601d7629767449c9c0b2bae321f438a77f412a55e45ecab4b39053c6561801c639be6495be8fa144ef6029af663407ca9181946de5f3aec7236343ab3bc5a38a09c01b412baf0afb23f9e9b8f2b40810f2ce4ffbcdbfd87972323e98065160bcba34b3afd6c25b664745fca99a9ea75cef019d768485ec23336d9b39e4d05d8d587b30633d4f69ade5753a39680235e44f27995da96798f3a85e184a9fad19320829629f4140417bb7dbf5851ab79258134146d088452774991a087a1c2beaea89f218087ba774ae253b494c27750b1de04b44d953c5e47ab10f65205ee212f9c30391e5299553954916873a0b41164543e801c0b099cb44f48995675823c10b40f4bbac9177a558ca0c30765c2aabfd6a4da54c8413e33902d63f064330f0464982429de2604cd03b4de84a9f821a5470423a40a964dcc41863363d77b02c3127304f942ee71c98c643a427533ef300104948b825277953aaabfd855588f75a77d199a213ad348116e9e539f6d37068a551c710548b7a2c7ee95f9cd9b3483332673cc44bcb18a778a49455c768e0b340f81102ac6b76b064057151ef101ae143787f548553558df8035a3ce00c9c43cda43142cca39034b09a7e6089867b4c64980a69ecab2e6818724c35cb909d5d45bc6a349c71b306567664adc0cc8ef698049b4b4b432dd0f69fac07580f77c4f79b22bb90cb97b341880716853431694c9120f6724ad58d57127fced999ff6229a5d4c3c240129cc812acc73698f949d8e73661f2528262bfccfa5cdf5a2104649806e295ea161217083365aa26cee6ae2f1356e8e1c5cefcc85703447ef1160a1b4a0e8c017b173802c66c88ab70d39a6c96c1569d5a86245a7eeb087d682219080768745b44bf244f65b567b2658dbae6962ba52b322118e214cfadd7cf3502582dc9cafba952a9637ad3600710259778d99d23f8235da90791604b4f0a4f7640680f59b633d93dfb84282ba54c674b115684a41bc331b659a61a04883d0c5ebbc0772754a4c33b6a90e52e0678ce06a0453ba8a188b15a496bae6a24177b636d12fbb088f2cd9504ac200231473031a31a5c62e46288fb3edb858b21bc0ea59a212fd1c6dba09e920712d068a2be7abcf4f2a3533443ee1780dd419681a960cd90af5fcaab8c1552ef25572f157a2bbb934a18a5c57a761b54a45d774ac6bc593583a1bcfc4dcd0cca87ab9cff463dc5e80ebbb501d18c8b39e324dbd07ca06cbf75ba33297abcc7aabdd5b308401ba387f533f3927b51e91380f5a59b119e354835ab182db62c76d6d85fa63241743a52012aac281222bc0037e2c493b4777a99cb5929aba155a006bc9b461c365fa3583fac5414b403af9135079b33a10df8819cb462f067253f92b3c45a7fb1c1478d4091e39010ba44071019010daa15c0f43d14641a8fa3a94cfaa2a877ae8113bbf8221ee13223376494fb128b825952d5105ae4157dd6d70f71d5bd48f34d469976629bce6c12931c88ca0882965e27538f272b19796b251226075b131b38564f90159583cd9c4c3c098c8f06a267b262b8731b9e962976c41152a76c30b502d0425635357b43cd3a3ecef5bc9910bb89ca9e91ba75e8121d53c2329b5222df12560d242724523ff60b6ead310d99954d483b91383a726a937f1b60b474b22ea5b81954580339d81c9f47bab44a3fe0c833a7dba1f5b33a5a2a459812645c6537c2317163d71b7bd7a4a5459a28a1c28659aad9a1ca9a99a363062d453355108445a673438e77624e73757c1a84d031cf0fb24b1187aafbe6738e9abaf5b42b004b1fa0d96426d3c5324235dd871e7a89364d335ebb6718ad098154208b143b2b43eb9e5fd8816c5225d494b40809b2459903c6486a1db9ac3414945e1867b5869c2f88cf9edc0a216681804578d34923e5a353babba923db907725b384e74e66987292e007e05c6766f267f839b7617c55e28b0fa2121da2d037d6830af9d869e1fb52b0cb645fe221a79b2a46e41980d34671ccc58d8756054b2cca7b13715a05f3925355cca838ab8d2425255f61135727167ad6bcb0632ebf86384b950ad21088c292b4a4fcc0e59c42d3f77fac85cd9f5cb049b3a29505a984c4c6ac98ca3d0a8f30d2b1bd9815b94b27051b40ffc3455a668b9e141428611b280c1b8f2b55f6eb04e10c68f1340ef1582115f10ee2b785b7ebb0ec3a0c61670cf48107b594cd6e238e0d68961b47983b87879771519d2b7c21681cd494b420f03d004bb06eeb54f9c080c2f2aff6759074d5b3a3b11c73f1af6dc874eeec254d5409fceaa90ff66d90b6930a540fd1d9be1844af1d861ff96a611a414a6c61a78fb2a78e74383ab05ebc73855a818a627242d523a3e2a35ab4285b4a2564f76772aaf8cdc9f87c65f1b4b5819905fb4f9ea59166fbbdb201c5eefc0df7418ca211b5b079a511b8b94429847b537fbed82d57632d63e815d8212d8a280d43328604a6c4d2c1887e7ab061f120a0168db2f4735369b193780f0aeb381ff2653f3b46e206afe77a7e814c7716a1b166727dd2a0b9a7d8aeace425da63977f8103457c9f438a2676c10e3a9c630b855873288ee560ca05c37cc7329e9e502cfac918b9420544445d4cfa93f56ee922c7d660937b5937c3074d62968f006d1211c60296685953e5def3804c2dad5c36180137c1df12f31385b670fde5cfe76447f6c4b5b50083553c3cb1eea988004b93103cfb0aeefd2a686e01fa4a58e8a3639ca8a1e3f9ae57e235b8cc873c23dc62b8d260169afa2f75ab916a58d974918835d25e6a435085b2e56f17576740ce2a32fc5145030145cfb97e63e0e41d354274a079d3e6fb2e15",
+        "pk": "1bc331b659a61a04883d0c5ebbc0772754a4c33b6a90e52e0678ce06a0453ba8a188b15a496bae6a24177b636d12fbb088f2cd9504ac200231473031a31a5c62e46288fb3edb858b21bc0ea59a212fd1c6dba09e920712d068a2be7abcf4f2a3533443ee1780dd419681a960cd90af5fcaab8c1552ef25572f157a2bbb934a18a5c57a761b54a45d774ac6bc593583a1bcfc4dcd0cca87ab9cff463dc5e80ebbb501d18c8b39e324dbd07ca06cbf75ba33297abcc7aabdd5b308401ba387f533f3927b51e91380f5a59b119e354835ab182db62c76d6d85fa63241743a52012aac281222bc0037e2c493b4777a99cb5929aba155a006bc9b461c365fa3583fac5414b403af9135079b33a10df8819cb462f067253f92b3c45a7fb1c1478d4091e39010ba44071019010daa15c0f43d14641a8fa3a94cfaa2a877ae8113bbf8221ee13223376494fb128b825952d5105ae4157dd6d70f71d5bd48f34d469976629bce6c12931c88ca0882965e27538f272b19796b251226075b131b38564f90159583cd9c4c3c098c8f06a267b262b8731b9e962976c41152a76c30b502d0425635357b43cd3a3ecef5bc9910bb89ca9e91ba75e8121d53c2329b5222df12560d242724523ff60b6ead310d99954d483b91383a726a937f1b60b474b22ea5b81954580339d81c9f47bab44a3fe0c833a7dba1f5b33a5a2a459812645c6537c2317163d71b7bd7a4a5459a28a1c28659aad9a1ca9a99a363062d453355108445a673438e77624e73757c1a84d031cf0fb24b1187aafbe6738e9abaf5b42b004b1fa0d96426d3c5324235dd871e7a89364d335ebb6718ad098154208b143b2b43eb9e5fd8816c5225d494b40809b2459903c6486a1db9ac3414945e1867b5869c2f88cf9edc0a216681804578d34923e5a353babba923db907725b384e74e66987292e007e05c6766f267f839b7617c55e28b0fa2121da2d037d6830af9d869e1fb52b0cb645fe221a79b2a46e41980d34671ccc58d8756054b2cca7b13715a05f3925355cca838ab8d2425255f61135727167ad6bcb0632ebf86384b950ad21088c292b4a4fcc0e59c42d3f77fac85cd9f5cb049b3a29505a984c4c6ac98ca3d0a8f30d2b1bd9815b94b27051b40ffc3455a668b9e141428611b280c1b8f2b55f6eb04e10c68f1340ef1582115f10ee2b785b7ebb0ec3a0c61670cf48107b594cd6e238e0d68961b47983b87879771519d2b7c21681cd494b420f03d004bb06eeb54f9c080c2f2aff6759074d5b3a3b11c73f1af6dc874eeec254d5409fceaa90ff66d90b6930a540fd1d9be1844af1d861ff96a611a414a6c61a78fb2a78e74383ab05ebc73855a818a627242d523a3e2a35ab4285b4a2564f76772aaf8cdc9f87c65f1b4b5819905fb4f9ea59166fbbdb201c5eefc0df7418ca211b5b079a511b8b94429847b537fbed82d57632d63e815d8212d8a280d43328604a6c4d2c1887e7ab061f120a0168db2f4735369b193780f0aeb381ff2653f3b46e206afe77a7e814c7716a1b166727dd2a0b9a7d8aeace425da63977f8103457c9f438a2676c10e3a9c630b855873288ee560ca05c37cc7329e9e502cfac918b9420544445d4cfa93f56ee922c7d660937b5937c3074d62968f006d1211c60296685953e5dee56f17576740ce2a32fc5145030145cfb97e63e0e41d354274a079d3e6fb2e15",
+        "ct": "718ad10318b367fc4390f63147fa5250ef61b65384a563f2c7951b2d45881fcf9f446ddd4443417eed0c001e635a994cda366f118bdd1cf0be0417abd1b615cc669e1b949280e28f52d3d5035c6420ff6c943421ee7589e681828c95942d4f9968f32b9ad30cccff0d98fa84b187164530dc83f9cde75ab1958c22dbff8af921c9ebc678a658b69663f72e7c1632b6ac8ddcbc6c8a06c3316b1aefdd07989ef944fc51406e12db6865344e03f447520d50c93fab1513d80cbc836950e2b52f424bb46155ba4c2e21ec5dff762bf7e92e54e0fb7618e73072607ba03b1de16f109e22dd5832a7eadfeb2ef00244bbaf930106cbcd2ab008f468de6d98632e9e225091a010e361ce751d633e6c37ba2530bca6fbe9d2e5348e4e168e154922992aef45a265ec649ce21480504b609ad5f1b0b094b74d55aaea60b8f71398cd9340802e91415937ffaa482c6678f8421c63583e8acd8d00bf285b52a26fa577aed109acd94ef7559554aa378f87283a7ee94af98e21a6fbac8802336ff980e15e498042a8148b69e1d8aab0b7126d0b885f9a57c1ea83efcce8dccfee076dbc2f9c074525ed4e7472c3e09a9f1c50ff511150159c1be7730686c04e46368e37f2e8c82b8436463445b0edaefab876731497abcc563b1978eac34cf73b5b213549d1f74271d48f6a085155acd8d7db739ce6e70ad25ee636231e4151725d55ea781d483e54850e1ebda401276616e7a62b22efa2e3098a006dfacaa1fca54ade6a119f3a215b523210164a7f299d2c7b8ad8a637bc1fba56de28ffa800b522246dbec7148ced56ed292c7d92004065598bc573dd30259d84b6d923d2769ce260cdab0ad17673ef7388c020b8e8bcd055232a7240fe2fa4fcbeadbc46366aa47729f5502dbfee8a623ab8ec6f6020013aeff975f255b597a11eed1335457b9903da42a27a39fdb0edbb11742e4e521c833b7952d3fd28f428eecb6f78b99ff0a5eb097793f78f1a70612811766fcbe0f9aa3ca4afd8a364f5584333d8a4cdc096a3762ea6cce70dfa42967f5a7c2dbef688b37885fa26220dc800bcb1ae83d35ffca54a6dabba730764d60b1a4a506206efa380d7d1d89069778b082bb92396af4547024797797e01c927c78c9f70750ef2002dfe1516baa4f165a3176942d35d9527f4b33505484130cd573f9d4a1f1e6656aff881aab482fb3d6151ab02f76267033f3feb9718fbfed05a9b69a8d817a7e4a41efbe3ffeb355d1013778f14d4c30c92a386190fa23b388feddc635b22d8fa4998b65d483cd3b595553092123e144c49d91ddc2f7a88f3ef1ad2b0b19636bc3f50f61ea5157c73a1a5b956349b6cdf3ff50ec9ef7cbc1137b27d7839276a3ed4e778c505206669686ef038b5808117fedf60ef3598e8ed1db1e5ad64f04af38e60e82fe04bc75594fd9fcd8bb79237adb9c9ffd3dc2c907345f874aec7055576a32263486120ff62ad690a988919e941d33ed93706f6984032e205084cc46585b5aef035c22ddbb3b0ba04e83f80c1b06b4975f00207b357550d24405189412ea6a83ad56c4873f499fdbdc761aa72"
+    },
+    {
+        "seed": "aee7eef47cb0fca9767be1fda69419dfb927e9df07348b196691abaeb580b32def58538b8d23f87732ea63b02b4fa0f4873360e2841928cd60dd4cee8cc0d4c922a96188d032675c8ac850933c7aff1533b94c834adbb69c6115bad4692d8619",
+        "eseed": "f90b0cdf8a7b9c264029ac185b70b83f2801f2f4b3f70c593ea3aeeb613a7f1b1de33fd75081f592305f2e4526edc09631b10958f464d889f31ba010250fda7f",
+        "ss": "d482dd1a592f072109a0d8a86991ca6bd5bab25f13e788377fc34506f508ffdd",
+        "sk": "89722dd1c8829af93f6e5405ecd93a5aaabcb9264aafc363d731bb4f276021b0c06826363022ae1e85acc6679ccb583a37ba4d30e0564ae6421ab1b5c2374a058cb6bca4050ce15ed5c51bcc90be82454b332aa21069623d8a8b393a2c2b6cb5bffc55ae369614a77d9bc982d47496ab21239bb7691ac65494225889b7b45ba10b0aac10c3c41fa7a4a51fa14d3e92bbd364be59ba7d9d4592944968e97a2d947868a0624a97a9c8ad226d81a12a17777eafaa6de30436a5c743003078d830734ec97e6a625f6d9c10f9da3f956b5583578478e6311f27789d6188ede84510442c9f556696378faa622b1e935be62c733da96b023c31b2ba6abfbc5c748088251042d46559bf132d2a43b7690cb4666722ebc53849843125f9a900aa476af424b7b410f18300f048ce26dc7f35b50f7eb5bccf23c95b7c0064e92662eb22927359df1b9ace43ce014384ae68822f4c3f64583643355c6746290d224a70c818158884e2aa8f15e18709100848255c277144f051ab8b40775c297cafb238cdb70e8ce687c9e195d0823b390341e245852ca99c079211161a79409247ae721a59b358ef097ed8dc386f982d36a9220c3511eacb3674f671f171afb0d14f0890c0c7f77d06f7c61ca83a15974083e72678f180f35c1aaa633166d429432599f9d9432fe791318ab14a3988496a14c2417e03990136e91aa3a817085abbc4aa0c38a45e7e009f3577739172396f7b7e61734eaacc5b484971e9a9384b58aadff9307a98222a3813f9269fe793b7ef582ab8c36feaf447d3136285f76d5f463141356773650441e092dc73bcf483cb1f2944016936db2a34b743830cb890e85660acd077ea51c07e664df7ab803c9b0c96e143b4f5788311a841b76be728aea60270104564575bb723f51dacaab5e379c3cdd97bdac84ad6738587bcbbdf1c66a0da65f87a673f840e1d7c5a722a265568429ae36cdde9cd54ac3d4a94c4c6508361984e1c211771998641816fa392a4ffb97664381a84900eb52502f04816a3d70090b55ee2d3b7f3d459af4008ec8c1b19c08d1284b6fdc81508647ecb9b45e65c084d456f9fa87a68f26bc05b4e8415887b602ff28b28e412637ff9019a90ac21c7c4ae9670a538a2bd2604616689b034c33cb1cc9d634eb37c8d4d46bc40e335582b539d3215bf70960cc1c0b11011449c2a09265101f55366dc0213a64112885176c3a223b19cf6951b5968452aa7b839370646db5eee1893346a58c116133dbc8fc1c5ac34e04cda171b041c0133563a682855a9cb18896c6179ac2eac83c70547942e54b2e133a6f68450f4f4b14bda3af5f129b3e292c6a676aa0b7a045c7251e315ca3707ff23bec349a950d49718560b2ff66cbd49c848b4036c2186a0315c4e6a32f3035207a48651891f50ec6c0eb19d13e90457611e0c7ccdf012a3e19412d8c1563f1ab22b39859b27a7bcac72cbf2c83c666deb401e4239603645872b997673b6205d97cdd68b0a782742e62c24ad746261085de3c95f49dbb8172c05f3f2414e63652c3b358d603e867173e03203af06a26bb0bfc0b521118b6fd99613a160829b04475374b8214859bcc316f4e06a84f264ec3cb513f66b71ac3a3d135aa589198cb02113cc17e13a0f15fc1d3d734966c3751a74ac27c781323043e36389dca9a2af6508bdba0260662691426d1d8899cd77736c21b17eb3a31fc118154264e2b10e22c506b7803b1f4b25d178b688b641d0943185107eed18b228e8b68753a8d75a77f29b5b5e97abd028354ce4cd6961797a757c4ff44aeea2c0a16cbfdcb07314fb3e64d7c26a4c9e5782a2ee198d73e7bf05eb85bd420cee20ac24c36613d6bd0c53133443527c32bd0f8b3b3be9918c7caea71748de6bacfa27710845ad0b528c087349e9faa3c83869e1d0ac9267974dba1dc3434976f60b59d443bad51e87d974c9f747b76017bd17021c24246a9987db1b318562bf665b41fb153c0ba675cac593b990ce595a7851fa18ea345bf20c3524862532544e05e5c69daa0dc4f2b24704338e29144d653657d47a20f39ed2b1174cb3120ed1590e4ac932579dc2da9f12f6c07ec7a31963208faa5c758615713965b9d5661860cfe5652d74231d2ce9b696ea9e45305a28d84c082709d2238bbc849b6b3cac64b78b532995af6b4ce9880f9149a5ae083320624e3b54851d48a6f24266258a0a14d342e4ca3133c33c5e16ad91b22d521100076527cefc5f0417b332463c5c5c52dc4b00a2d29959109244d2810839a310cb1df282503d5cbf3f0cbe3e68873407b7e5e960ca214709919b65301da2b3a7e488205a3a9c5f24cd61d18c757040b14a4e80e8c09e74a9a71265ed213a91da6d7a8655de3b4a83125ee2e66cb673733e3717d99023a6683712767ab2da9b54a26dd3b695a80b54226a1a967b08c3f76e679914470803bc6805a6b4b1b78261259acd8f703dd10ba6e8e1a00dd94e774113d13103253cb70edab948c38072629b949261b7c439445bc498444e86b6a9a7da8b1530380bf2939532a8e7ea84ea0b5c6db5335e826aa0325b536ccc21d943890b2c2a5c44f337682355867be87965175f2dbbb0aba89f9311b0873a15db6a4128682a8bca019a04a351a0ce646868f9bbb6f8d0bea3db0865f1239b16c93ca09d19857d747abfc846b27dd77ee5d405fab5ce949635e7d34ec1b9546aea75df571cfed74b7112218e4153e7f6a7a3a910ec4c111576b3bb27c29852746e645fa501b0642678aefa2209c745939a2ab000033862b88e7011e7e25ec1e3cd379b54bc457a85d9af0680160c57b3a4e90308bc28b8da13ac0c563c55b39a88bd90b51f691525e50a260a0507a2174447ea93f5d5acec6c16a5d7909e275f612c9f283310e8124d28f18000f811fb929e03f30d1472644851bcb73c4af6b095acd7328a072be9187a836a15307c6076210c9b410493505bc4814e3c327386796c5932c8cab7a695b97cac24561b2a9657c3157531ba3cba699b6424fda24cc6c72edac1a6bf091b87c3c594c917d24a1126f998aee120ae372a27a268a0c76ab8f84957f461e7c04dd2d59f0f217d9e07008990533b16bbc125b2737a1a7e1cc1ed7c47e8f8464ba78c5d3298f2dc7d0be944ad29907ec774ad1b1f1485b114a9a9b93c488c89c0c7609f2bf9533c2929f667bca8b68999e34054597cf83ba7450b237188c3364172c1351bd349a699672d31b9598bab79a18b3d8cb25f5f53c0b22bfa065690a16184db4f9731cea1a08f5876ec187e7b1ae79c593415d068838e5ce0bf2c28b1e389ae4a768f871b2761a29178a51845eb0b939f0ee9ef58538b8d23f87732ea63b02b4fa0f4873360e2841928cd60dd4cee8cc0d4c922a96188d032675c8ac850933c7aff1533b94c834adbb69c6115bad4692d8619c7dd2bf4e3b5b93f77f4576d55d300739e75e14084b0bc85620499bf468ae161",
+        "pk": "3d135aa589198cb02113cc17e13a0f15fc1d3d734966c3751a74ac27c781323043e36389dca9a2af6508bdba0260662691426d1d8899cd77736c21b17eb3a31fc118154264e2b10e22c506b7803b1f4b25d178b688b641d0943185107eed18b228e8b68753a8d75a77f29b5b5e97abd028354ce4cd6961797a757c4ff44aeea2c0a16cbfdcb07314fb3e64d7c26a4c9e5782a2ee198d73e7bf05eb85bd420cee20ac24c36613d6bd0c53133443527c32bd0f8b3b3be9918c7caea71748de6bacfa27710845ad0b528c087349e9faa3c83869e1d0ac9267974dba1dc3434976f60b59d443bad51e87d974c9f747b76017bd17021c24246a9987db1b318562bf665b41fb153c0ba675cac593b990ce595a7851fa18ea345bf20c3524862532544e05e5c69daa0dc4f2b24704338e29144d653657d47a20f39ed2b1174cb3120ed1590e4ac932579dc2da9f12f6c07ec7a31963208faa5c758615713965b9d5661860cfe5652d74231d2ce9b696ea9e45305a28d84c082709d2238bbc849b6b3cac64b78b532995af6b4ce9880f9149a5ae083320624e3b54851d48a6f24266258a0a14d342e4ca3133c33c5e16ad91b22d521100076527cefc5f0417b332463c5c5c52dc4b00a2d29959109244d2810839a310cb1df282503d5cbf3f0cbe3e68873407b7e5e960ca214709919b65301da2b3a7e488205a3a9c5f24cd61d18c757040b14a4e80e8c09e74a9a71265ed213a91da6d7a8655de3b4a83125ee2e66cb673733e3717d99023a6683712767ab2da9b54a26dd3b695a80b54226a1a967b08c3f76e679914470803bc6805a6b4b1b78261259acd8f703dd10ba6e8e1a00dd94e774113d13103253cb70edab948c38072629b949261b7c439445bc498444e86b6a9a7da8b1530380bf2939532a8e7ea84ea0b5c6db5335e826aa0325b536ccc21d943890b2c2a5c44f337682355867be87965175f2dbbb0aba89f9311b0873a15db6a4128682a8bca019a04a351a0ce646868f9bbb6f8d0bea3db0865f1239b16c93ca09d19857d747abfc846b27dd77ee5d405fab5ce949635e7d34ec1b9546aea75df571cfed74b7112218e4153e7f6a7a3a910ec4c111576b3bb27c29852746e645fa501b0642678aefa2209c745939a2ab000033862b88e7011e7e25ec1e3cd379b54bc457a85d9af0680160c57b3a4e90308bc28b8da13ac0c563c55b39a88bd90b51f691525e50a260a0507a2174447ea93f5d5acec6c16a5d7909e275f612c9f283310e8124d28f18000f811fb929e03f30d1472644851bcb73c4af6b095acd7328a072be9187a836a15307c6076210c9b410493505bc4814e3c327386796c5932c8cab7a695b97cac24561b2a9657c3157531ba3cba699b6424fda24cc6c72edac1a6bf091b87c3c594c917d24a1126f998aee120ae372a27a268a0c76ab8f84957f461e7c04dd2d59f0f217d9e07008990533b16bbc125b2737a1a7e1cc1ed7c47e8f8464ba78c5d3298f2dc7d0be944ad29907ec774ad1b1f1485b114a9a9b93c488c89c0c7609f2bf9533c2929f667bca8b68999e34054597cf83ba7450b237188c3364172c1351bd349a699672d31b9598bab79a18b3d8cb25f5f53c0b22bfa065690a16184db4f9731cea1a08f5876ec187e7b1ae79c593415c7dd2bf4e3b5b93f77f4576d55d300739e75e14084b0bc85620499bf468ae161",
+        "ct": "f98f274dc74db1798915be81f089fbf792116ec03539b6c02cfbe649267f100df0ef51ec6e51fd4a9b75cc2f1806d470b56984df3d368e4d09be4b4ffd59907e11b2d4497b7dd2b61afb3cc52a6ea661f2c6495a7f5fbef3dfac143f65bc9f6eb48d548df01d6a0bb52dab84fda5e92f7a223289ec4e45cf76d47ab3a79086481f4bb4e95cd69bfdf388762e775bf63b9694f72ca5a90883be5b8ac08c1737d5eced830466e9426fe5bec61bc63f1962358b66cb3d8fdd5dfa887b0da5f15c8868bafce3d998b85ab34ced43ac9b9869c84c59fb2f094ddca1dee97db9a941c3cc319401d9db08569d8eb248ec2ff51e7e18c22d810bf512c28d5d719c4bf5237bac6d14ec33b673453cb0129f31a0b532240ac257d7813370c7addd3ec957a1034b8e4c539506c7827a82e37f5b2405236c914783c35a8aaeaacdea194d699dcfd6d04027cbfcac58e3157a16c20b11dfaf6256ae3037252baac3a25f3d1f7e3f14dd231fc50db2f8788575799e6be241717e9634456be9eb04989cdf312dddd8a24939ebb90de0f5b006d59b2b19350dce76a415230f49374fa45ced3eed165cc92ed1d6e17c233f36030a61cb610b93a55d939c9c7e964f9086ccdb41b8638f14f9202cdb9f1e3ffac235ccda32a92a71e85188297cdba4a309e085c56826bb6121462ac6ee36beb9ee72c824294b6026c60d478f17dd082cca6d6d7a3e86dbe5f7fc9bbc2a07873c686e53f9040aa60dce89b179643741457f5de371c8aaf41eceee8e1a1b324666572322499731242ee48134eb6dfb8961b06b5a04c586c6a9113a9c161f36806a284e03b01940286b2de59689607b2b64b46d6fc2ba044c9a42c5cb600cfd6ca0bdf4915a47fe02d71b8fcc27f0f17c78a300c6345ccc2f77a438772f4297f7b2160aec93e4c8c72c0dbe67868753c18491861a1c1b96eaae07023436602fbb6f2bfb161a5f778bb3086c2255423a8c51052833f6b63ed2cc732a7e2c4d36123471b451b640830421fd4edc83a9527d91203aa7e41867e3a7dfd5610aa20646738754883935af2b09cb24d93a332c9671e6a00cc29a6346de406f5fb28fe84f0b0d3a43c98213bfc2eb2802f1ca071c560a705edceb262c44c2fd2e9e5caf0bf9eafc6be84c8a00d4bfd57e2468254e4560aa6e8d62ff72c55c403ce5a8e8c87cb4d7f693344918138a8f1621107492d8c0a8c74ae77323f7e1fa84220da14a9ae978b207aa692e2ba13ee5ed924c75e472e1b77cc496519704ab87bde2ac15fdde0184d799288b60873b7f85a113b5b8d76a5237f26586ef2cb5cb940c9c5a4789267575ed223fdb9d7ed57a390076857d3c0207360a3d039e4f7961dfe25d8e7c034df6ec0503b5589a89911e54d4831b5cc9ed0abc66143b5482d35dec97ed94e65ba7d013126348960804ec2f19463b8daaa9927c05eecae3bb58b2575fcec762c14cd7d27f51e05aec3ddf00e90dafcf91d31ac09eaad73d675504798170b703667d2175a37b40e4b7809056b1c1ca3062cdb98b0ba79b61c1c3f692b6e75940077ab7aea8649f38e34406282704f1080208a15c"
+    },
+    {
+        "seed": "1368ec2967fc84ef2ae9aff268e0b1700affc6820b523a3d917135f2dff2ee06bfe72b3124721d4a26c04e53a75e30e73a7a9c4a95d91c55d495e9f51dd0b5e9d83c6d5e8ce803aa62b8d654db53d09b8dcff273cdfeb573fad8bcd45578bec2",
+        "eseed": "e770d01efde86e721a3f7c6cce275dabe6e2143f1af18da7efddc4c7b70b5e345db93cc936bea323491ccb38a388f546a9ff00dd4e1300b9b2153d2041d205b4",
+        "ss": "1e037823ddbf1875756d86a3374b2d2347d5b7f3c84d229ecc5960523cdaa8b4",
+        "sk": "f58497af7a5854c214be50bd9694011740619f4042d1a9b5e3d813bf419c9e70b6b6e33917644378d7a097047c1be007b9973f3ec7c2c1c7af23726160db834503bc5381625ab08ec831b60a04c54a360d2222ab0918358e84a038c41775456f7c6c1de0f27d5b538a9e80911484cb96d17b52825410661cc43a576669a92cb7b97b97aa0e7b55a0589bc1295000a09bdfa5236a737a95a7029d2a5f4429494ee4b1299613fb76a573092915f6c37d472beea0b93b082eb546b4ad268fc0fa9eedc8a19faab8a857ad09e24b042374ce9566e3b3ba33bc06441781f74421d00bcf0598103d9620fe0b35ab904c3676c3e970525c7507917850ff99ae4eb57eeaf4b0615097a1e970de6aa9ba609fe8ac11fdfa4e7c4cb90a30c03cb8baeb5033cb6ba6c755bdaca4c9448bcc24188991a659adfbc219b3ca16258f3c0b8791846cd9e8b17ed33f97b1bfebeaa93628421a348596a72ed8a248219779cedb38f9fb0f064a4bf89a0c5dd485564c30ab16bc83d19fc9257467598ef713cff3a0470f4983db6540e52a7667fc2785c031e989601972b2ca61c97218c6470498679523c5957ccd0b4f30836429287d47204d8a32ad0c3c01c38611537a417e28284d58b1dc415f8cc6025ba1603073206e9372bcd125d94311eb2966fa9ac48ea68fb889c292585901796118949545a77ad8129d3c989f0f044977d35ce9b715695b61e46aaf74fb9b753a489842592514c2c41b1e3a22621a5369ff4a196702b2805cba6f945209a22613ec254937bc65fb40371b26f808cac5fa66437603fe175f4f039ebef88e2e3757692718229a7167780f032666e9f35a1f316c278270891057390a1b552b9b53e92ce6325b12a8475768a5eaba388b5b4740a4b4867705c74caa54eb139d47b16b845fd6c97a01138509aa3cb34232504a4609850f464b27d3a6c792a2a326f78ea750837ffb36349405442bcb7914be2bd482f4686cebf96c38fa67db608953039eb5446a26968aa0f023499261bc29356547612a472d9dd135e8744649656995178ad2b38d80850b180b6e6c255a0aba7e8c656fe782a63f48bde8cc5899351e308a3d48e5322a7b8b48ec1c99395d9cc39d381146846567ed0143c6c1682cd06faa64467a00919c53a374281b86e6744569c0eb1b099bea5b5c8a9e8024498ad70fc2cab20bd67a72073901a3bae643619342aa01071c3992428dea1755d870cbb86315b2bea4a6753359216e939f7d1aaaf0903b82fba7228a4a15f0779de2a19056c4e0b066e98b2a99865df3825caca00a1313c2e8a66cb8165fbebbc7fefb9e2e0916f4d753bb354b1cdb0ec61840ae14a0b0a6b89419cbcd4c2cc9fa8df8da7bef4a829e17b996461b499ca051b5989b17738b158057342454745051e7b01aa5a8971181c4d44e20f3950873aa1a436cf7255328dc73f312119395213ec852dcbc9d0634c722b2593e154746402a3d289b3abb14a8d70494b761c3f66242f06cc534a761c19cee82a41ea7a308fb580a19762ea34f2f931cc3fca3a7484b0c0023ea2285dc1b04a46489ea5a673a5a4d5db5745b72704670487c1c1c61f06184d1be1fb8c770857cfb03c5c3575181cb7f54eb8b8c8b6a200a0ef6b66eec364c0015ceb802081800ab5bd1150ba20e5d2c6012d70fe700a56c101752242397627c89156f667a28ffc32c56d20abe3834d2a05a0390c7f2a893d64127fb772ae12468a1f6260af39066ab7ecf694db179436c54a707092a87aa22a274691ee0083e7a98a6d2c633d6c0f13a1542b094e7505d8dd92063b3972dd036a2e68ca9d2af000da328b27fb55178b3794d41755a4dd32abde2cf2d93a5c59605e372114bfbbbc44304536533d1aaad9d385f82278576840cb1f340c0d53db7b0c8cf3794d2f0ba99267ef5d01064c99f3aca71aaa2cbb85011c6687472e20419680441cb0c7bc70aaf1361797b1c2f5a5c60c10086d981299bbfc2c15d77f4077c40500938bbb2e52aef37c3d516148d5ac84e216e0568616ea476fde89685578f8df91281b648d1359bbd53768f27596f3b3845293d698b3a1ae2785e0190be513cf950234399a51487073671736a0c4479672595b2b07a7c3b1143a2fa46cf383a183e0880e580793e5892349600cd6c3adb903e078c31d7d50a90c5734537784267578d35a6982b61098190befc3185020d2c175df7b1acec91c3d5fc6f7cd298f878bd2ab814e7ca340ae21377f79a2f73cf219c7f9e85649d089356cc082f655d72e8035128b910b44ce7833abc11348305943b049a9d6b7df1f98af6c5bf9a6214f073ab28f1492748574881cdf160139e60307d32086515bb93c502e6c20106801c095380d82467b9d56b72f566830a7472aaaba8dbbd755c262704af12475febf3cb6268289bdaab09997b8c309dfb436927e7347dcbba3f772b85e753493417cb134c3604410399238da584d1c495c0793fc5e9583f8797e97c9d45e63c1fd42ee7c5aaf9cc901748c87438c91d6964fcab436c6c0b74b34c6a35aaf688ace32a869411ca57cc3bb0455d981a16b655984ad90bf7c3add506b6821248cc52215da27310fb57738254c8730241e2281c3b18728a12c458b8af8c2c3b500bed5c749e9979b4c44f116aa971b043a8b77b62f7a2fc9621ae71763fb0a43758b40e09aae6f574f932661372a7bc120331c34800ed2113203eeb180905d89a88a4cc48d8c3acf19f44ba00b8466e1ddc0fe1e3554ac059a9fa2b11807173f1190dea271119c087c605dc8b945fb069bfb159c464a28758c1822b2c1e5a8ba0779833c6937c9c02ca61285c67557dd958e00840fd1c599095409dc6caf13360a8d5a1d864a903c429b3054ee83448a1f71beb70a93dccae8e69a0485b47df44202d931e2c99316a23a4e396b7c704b832a0b855106f29c20c3c447ad39176b77186cfb94b3e973d415636a0950284f50efa9248bb1643e793cc7a6c343395a8a245b669b32821f2b80214481ca4416d9009dd3174c4cbb29da7386a7404b21a72ce5a295deb62712a3fb01c927b9b2e73d95aa65c3e92169c72662d7ccab10c8a369d50b90a74c41d590dbc4ac104a147855131b1da730116bc17e430599a8d64999d9450b237002fa1021237dbbfa096a95ea0542ca7937b7c1971b53ce82087d7e114e446b81265cfd540176cd069deb9886fa45bd2f3464e7cc908cac220e642fd3610f18aac2b594192bb7a72a64ffe156e77ac8f576a0511b9768798c79590d8d37f58628ef69837335bfa984cde027d87d45cf83e597b705d3130d6210e9d974bab5643cdf4d1cc7c8282ffe68f827e0cac9926bfe72b3124721d4a26c04e53a75e30e73a7a9c4a95d91c55d495e9f51dd0b5e9d83c6d5e8ce803aa62b8d654db53d09b8dcff273cdfeb573fad8bcd45578bec241c2f9459a0447d7f7ae5f1e8dc1cf4e76cdd9add2eba7768b4ac7abb269b07e",
+        "pk": "8c8b6a200a0ef6b66eec364c0015ceb802081800ab5bd1150ba20e5d2c6012d70fe700a56c101752242397627c89156f667a28ffc32c56d20abe3834d2a05a0390c7f2a893d64127fb772ae12468a1f6260af39066ab7ecf694db179436c54a707092a87aa22a274691ee0083e7a98a6d2c633d6c0f13a1542b094e7505d8dd92063b3972dd036a2e68ca9d2af000da328b27fb55178b3794d41755a4dd32abde2cf2d93a5c59605e372114bfbbbc44304536533d1aaad9d385f82278576840cb1f340c0d53db7b0c8cf3794d2f0ba99267ef5d01064c99f3aca71aaa2cbb85011c6687472e20419680441cb0c7bc70aaf1361797b1c2f5a5c60c10086d981299bbfc2c15d77f4077c40500938bbb2e52aef37c3d516148d5ac84e216e0568616ea476fde89685578f8df91281b648d1359bbd53768f27596f3b3845293d698b3a1ae2785e0190be513cf950234399a51487073671736a0c4479672595b2b07a7c3b1143a2fa46cf383a183e0880e580793e5892349600cd6c3adb903e078c31d7d50a90c5734537784267578d35a6982b61098190befc3185020d2c175df7b1acec91c3d5fc6f7cd298f878bd2ab814e7ca340ae21377f79a2f73cf219c7f9e85649d089356cc082f655d72e8035128b910b44ce7833abc11348305943b049a9d6b7df1f98af6c5bf9a6214f073ab28f1492748574881cdf160139e60307d32086515bb93c502e6c20106801c095380d82467b9d56b72f566830a7472aaaba8dbbd755c262704af12475febf3cb6268289bdaab09997b8c309dfb436927e7347dcbba3f772b85e753493417cb134c3604410399238da584d1c495c0793fc5e9583f8797e97c9d45e63c1fd42ee7c5aaf9cc901748c87438c91d6964fcab436c6c0b74b34c6a35aaf688ace32a869411ca57cc3bb0455d981a16b655984ad90bf7c3add506b6821248cc52215da27310fb57738254c8730241e2281c3b18728a12c458b8af8c2c3b500bed5c749e9979b4c44f116aa971b043a8b77b62f7a2fc9621ae71763fb0a43758b40e09aae6f574f932661372a7bc120331c34800ed2113203eeb180905d89a88a4cc48d8c3acf19f44ba00b8466e1ddc0fe1e3554ac059a9fa2b11807173f1190dea271119c087c605dc8b945fb069bfb159c464a28758c1822b2c1e5a8ba0779833c6937c9c02ca61285c67557dd958e00840fd1c599095409dc6caf13360a8d5a1d864a903c429b3054ee83448a1f71beb70a93dccae8e69a0485b47df44202d931e2c99316a23a4e396b7c704b832a0b855106f29c20c3c447ad39176b77186cfb94b3e973d415636a0950284f50efa9248bb1643e793cc7a6c343395a8a245b669b32821f2b80214481ca4416d9009dd3174c4cbb29da7386a7404b21a72ce5a295deb62712a3fb01c927b9b2e73d95aa65c3e92169c72662d7ccab10c8a369d50b90a74c41d590dbc4ac104a147855131b1da730116bc17e430599a8d64999d9450b237002fa1021237dbbfa096a95ea0542ca7937b7c1971b53ce82087d7e114e446b81265cfd540176cd069deb9886fa45bd2f3464e7cc908cac220e642fd3610f18aac2b594192bb7a72a64ffe156e77ac8f576a0511b9768798c79590d8d37f58628ef69837335bfa984cde027d87d45cf841c2f9459a0447d7f7ae5f1e8dc1cf4e76cdd9add2eba7768b4ac7abb269b07e",
+        "ct": "137d93a41362f50229305c688633ded3c474cf399858d60e668ca77d04fd869168a235d5e177eed970cd8c4b8a8bcad3ba1bdf3cef0d697b2c1a1e9a4259cce54248d5f47b59e93fca20799888ec7ee44efd7414bfc71a543648bea1edd9da0234a3af27dcfe4854792caae46a3dcce1eb31cf4d5d8b85855fe1ba7dd94b188ffec719354d43c445960766e26f17561a5ec3872bfa9cfa370a00ac6bb9e196bb57a9f1fd0577d664077b81558565e50b0f2964c8e0093353618de2f2f6d5999c1d27279032f788cb3cf59c127e7c7e029787111226454355d06c81b2affbd099493c34704bb8f0759c4ce568cf721239014b1f00e808b5dc76ea4fe120408c7e510e27832921b022000f9dabdac2e5bcb47060efd1a169e4eefa80ed6fbd1f94473c2038d742df4e286bbcb854281aa28c283f81d8d8c0324b5d354e8b6e2c5e28d5b39a88a790f926c7b5270630c5087990f7ce5afe2fc9e327ed33f760c8d3ea520d9c01960dd360566647820c98c859052ea770c5efbed12b0e7536a409562e2fbb0cd6ce67011f6233c623239f1ed44035963ca9470c439a7e588226307be4cf7a6e27766a28730843a6865c9a8d53f66e8ab121ff234fa3dd0cfc9736b40fb8bb3e64919ec4a5de20282928f60260c63a81439e0658339437b3f1735f38c9481d7edc344ef6dd34d93e0ee013a93cdc8a7207b9d79665bee8a768934c2b386f47d85891fd316aaa378af13c8892099075b75cc8d9ce0419ce57f0f55ea0aeea03fcce14e3a4c766ed09fe4577c6cb9372d00e95c86b41989d6e6ff2359a579b66f76a5a1bf41b2c1f53db1e8b49d822455ea4afe8198b5e7f039263e10885d38d3bfa0ee727cc4ff2769f9ed0abc08a3e77f8bc65a7a75b7b0fc74c2a9027e94f1757acaff4ee5e6e28c0b0238a5435712ea1c055d79e0558a2d149ecfb8d129e19c2d9aef804b3e49e6f60ab43c5254f81a9cccbb3bed13a67f436159b0cf5c7134d6d5a577bcea4f8648eb07b728b0864ec8751576c6fc302a76831d1672daaa2e17c5991efca743cf55d64ca59e8feeda59ec52099d7bfb00a3ccde4084825145f022d89a126519f7904eb7ec4db0b08e70d7d67bf18e537476b4ce97b2ad1c84c0630ba053a13affff42ecea695c080942df74369a23f93a1f397f14dce28acbedb6a90e7a0a6423c277254b71be2d887386915e5924e85f1c652182f8c0db076364a97d7acaf0f238c912fd56403593a8b2526884737790a887d9a8382fab3d2967803d0a1e62b610289af4ea26c66ef29c4832a4b48ffa225d5be2401656753a9ed00c45a057efc666abaecfaeef972643de281f5d6a6ef43ed2fbba963a95c8d36461323d51d18f92e58e4de1b4edd1d93ba14ea6adc3b8b63e71d0edc92555f3f962e68fbf42a0fc04cb7da107203468589655f1b3b979ccc2efee6f10f0ec631c040e4436b8acaa4716708bf96d2db8108a36117d10664cb2a3e3af672a10b0de5c2a284e6b9de37533bd181bc14fa049035d5050b5526ba59f893a1778103b6e2d946090c0eba049e5c1ad843a3121d539564866af5647437"
+    }
+]