diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst index 4110ce845..e23020d49 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst @@ -1,5 +1,5 @@ module Libcrux_intrinsics.Arm64_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti index a03c287ec..d4014e6a8 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti @@ -1,5 +1,5 @@ module Libcrux_intrinsics.Arm64_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst index 98c34da43..5cf54bf43 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst @@ -1,5 +1,5 @@ module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index e597dd2fd..4b6ebb714 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti 
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -1,5 +1,5 @@ module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul diff --git a/libcrux-ml-dsa/cg.yaml b/libcrux-ml-dsa/cg.yaml index 8989a1168..5ea47625a 100644 --- a/libcrux-ml-dsa/cg.yaml +++ b/libcrux-ml-dsa/cg.yaml @@ -53,7 +53,8 @@ files: include_in_h: - '"intrinsics/libcrux_intrinsics_avx2.h"' api: - patterns: + patterns: + - [libcrux_ml_dsa, samplex4, avx2, "*"] - [libcrux_ml_dsa, simd, avx2, "*"] - [libcrux_ml_dsa, hash_functions, simd256, "*"] - [libcrux_ml_dsa, ml_dsa_65, avx2, "*"] @@ -76,6 +77,7 @@ files: api: patterns: - [libcrux_ml_dsa, "*"] + - [libcrux_ml_dsa, samplex4, portable, "*"] - [libcrux_ml_dsa, simd, "*"] - [libcrux_ml_dsa, hash_functions, portable, "*"] - [libcrux_ml_dsa, ml_dsa_65, portable, "*"] diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index ff59781b4..cd71b6131 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 F*: b0961063393215ca65927f017720cb365a193833-dirty -Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 +Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3 diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index 17dad08f7..c0b53bd40 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -8,5 +8,5 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 + * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3 */ 
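Review bot: In the `cg.yaml` hunk at `@@ -53`, the `patterns:` key of the avx2 `api` block is removed and re-added in the same hunk, which suggests the new line differs only by trailing whitespace; dropping that trailing space keeps the hunk to the one intended addition, `- [libcrux_ml_dsa, samplex4, avx2, "*"]`. The new `samplex4` patterns in both the avx2 and portable blocks are otherwise consistent with the existing `simd` and `hash_functions` entries.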
diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h index ed839622f..cb97a4566 100644 --- a/libcrux-ml-dsa/cg/libcrux_core.h +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 + * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3 */ #ifndef __libcrux_core_H @@ -139,11 +139,11 @@ typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature_s { This function found in impl {libcrux_ml_dsa::types::MLDSASignature#4} */ /** -A monomorphic instance of libcrux_ml_dsa.types.as_raw_8f +A monomorphic instance of libcrux_ml_dsa.types.as_ref_8f with const generics - SIZE= 3309 */ -static inline uint8_t *libcrux_ml_dsa_types_as_raw_8f_fa( +static inline uint8_t *libcrux_ml_dsa_types_as_ref_8f_fa( libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *self) { return self->value; } @@ -216,11 +216,11 @@ This function found in impl {libcrux_ml_dsa::types::MLDSAVerificationKey#2} */ /** -A monomorphic instance of libcrux_ml_dsa.types.as_raw_66 +A monomorphic instance of libcrux_ml_dsa.types.as_ref_66 with const generics - SIZE= 1952 */ -static inline uint8_t *libcrux_ml_dsa_types_as_raw_66_97( +static inline uint8_t *libcrux_ml_dsa_types_as_ref_66_97( libcrux_ml_dsa_types_MLDSAVerificationKey_ea *self) { return self->value; } @@ -369,11 +369,11 @@ typedef struct libcrux_ml_dsa_types_MLDSASigningKey_22_s { This function found in impl {libcrux_ml_dsa::types::MLDSASigningKey} */ /** -A monomorphic instance of libcrux_ml_dsa.types.as_raw_9b +A monomorphic instance of libcrux_ml_dsa.types.as_ref_9b with const generics - SIZE= 4032 */ -static inline uint8_t *libcrux_ml_dsa_types_as_raw_9b_09( +static inline uint8_t *libcrux_ml_dsa_types_as_ref_9b_09( libcrux_ml_dsa_types_MLDSASigningKey_22 *self) { return self->value; } 
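Review bot: The renamed `libcrux_ml_dsa_types_as_ref_8f_fa`, `libcrux_ml_dsa_types_as_ref_66_97` and `libcrux_ml_dsa_types_as_ref_9b_09` still take a non-const `self` and return a writable `uint8_t *` into the signature, verification-key and signing-key bytes, so the `as_ref` name promises a shared borrow that the C signature does not enforce. `static inline const uint8_t *libcrux_ml_dsa_types_as_ref_9b_09(const libcrux_ml_dsa_types_MLDSASigningKey_22 *self)` would match the Rust semantics and let callers keep key material in read-only storage. Since this header is Eurydice output, the change belongs in the Rust signature or the extraction rather than a hand edit here.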
diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h index 4cd046ed1..a79e5a218 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 + * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3 */ #ifndef __libcrux_mldsa65_avx2_H @@ -3230,6 +3230,9 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_a2( memcpy(ret, ret0, (size_t)32U * sizeof(__m256i)); } +typedef struct libcrux_ml_dsa_samplex4_avx2_AVX2Sampler_s { +} libcrux_ml_dsa_samplex4_avx2_AVX2Sampler; + /** A monomorphic instance of libcrux_ml_dsa.polynomial.PolynomialRingElement with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit @@ -3289,14 +3292,6 @@ libcrux_ml_dsa_polynomial_ZERO_ff_ea(void) { return lit; } -typedef struct - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4_s { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 thd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f3; -} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4; - /** A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_field_modulus with types 
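Review bot: `typedef struct libcrux_ml_dsa_samplex4_avx2_AVX2Sampler_s { } libcrux_ml_dsa_samplex4_avx2_AVX2Sampler;` in the `@@ -3230` hunk declares a struct with no members, which is not valid ISO C11 (the grammar requires at least one struct-declaration); GCC and Clang accept it as a zero-size extension and warn under `-pedantic`, while MSVC rejects it. If the type only mirrors a Rust unit struct, the extraction should either emit a placeholder member such as `uint8_t placeholder;` or skip the typedef when nothing in the header instantiates it. No use of the type is visible in this diff, so it is worth checking whether it is referenced at all.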
@@ -3331,6 +3326,20 @@ libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( return done; } +/** +A monomorphic instance of libcrux_ml_dsa.sample.update_matrix +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_sample_update_matrix_fe( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*m)[5U], size_t i, + size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 v) { + m[i][j] = v; +} + /** This function found in impl {libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, 
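Review bot: `libcrux_ml_dsa_sample_update_matrix_fe` stores `m[i][j] = v` with no range check on `i` or `j` against the 6x5 instance, and its only caller in this diff (the write-out loop in the `@@ -3431` hunk) feeds it `indices[k].fst` and `indices[k].snd` cast straight from `uint8_t`, so the bounds check that Rust array indexing performs is erased by extraction. The C therefore relies entirely on callers passing in-range pairs; a precondition comment makes that contract visible: `/* Precondition: i < ROWS_IN_A (6), j < COLUMNS_IN_A (5); no bounds check survives extraction. */`. If a runtime check is wanted in the C, it has to be added in the Rust source so that Eurydice emits it.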
@@ -3361,18 +3370,38 @@ libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(Eurydice_slice array) { } /** -A monomorphic instance of libcrux_ml_dsa.sample.sample_four_ring_elements -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics + Sample and write out up to four ring elements. + If i <= `elements_requested`, a field element with domain separated + seed according to the provided index is generated in + `tmp_stack[i]`. After successful rejection sampling in + `tmp_stack[i]`, the ring element is written to `matrix` at the + provided index in `indices[i]`. + `rand_stack` is a working buffer that holds initial Shake output. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_up_to_four_ring_elements +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 -libcrux_ml_dsa_sample_sample_four_ring_elements_ea(uint8_t seed0[34U], - uint16_t domain_separator0, - uint16_t domain_separator1, - uint16_t domain_seperator2, - uint16_t domain_separator3) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( + uint8_t seed0[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U], + uint8_t *rand_stack0, uint8_t *rand_stack1, uint8_t *rand_stack2, + uint8_t *rand_stack3, Eurydice_slice tmp_stack, uint8_t_x2 *indices, + size_t elements_requested) { + uint16_t domain_separator0 = + libcrux_ml_dsa_sample_generate_domain_separator(indices[0U]); + uint16_t domain_separator1 = + libcrux_ml_dsa_sample_generate_domain_separator(indices[1U]); + uint16_t domain_separator2 = + libcrux_ml_dsa_sample_generate_domain_separator(indices[2U]); + uint16_t domain_separator3 = + libcrux_ml_dsa_sample_generate_domain_separator(indices[3U]); seed0[32U] = 
(uint8_t)domain_separator0; seed0[33U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); uint8_t seed1[34U]; 
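Review bot: The new doc comment says a ring element is generated "If i <= `elements_requested`", but the write-out loop later in the function iterates `i0 < elements_requested`, so the comment is off by one; `If i < elements_requested` matches the code. Separately, the four `libcrux_ml_dsa_sample_generate_domain_separator(indices[0U..3U])` calls read all four entries regardless of `elements_requested`, and all four derived seeds are absorbed, so `indices` must always point at four valid pairs even when fewer elements are requested — worth stating on the parameter, e.g. `indices: exactly 4 (row, column) pairs; entries at or beyond elements_requested are still used to derive seeds but their samples are discarded`. The function body continues past the end of this hunk.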
@@ -3381,48 +3410,48 @@ libcrux_ml_dsa_sample_sample_four_ring_elements_ea(uint8_t seed0[34U], seed1[33U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); uint8_t seed2[34U]; memcpy(seed2, seed0, (size_t)34U * sizeof(uint8_t)); - seed2[32U] = (uint8_t)domain_seperator2; - seed2[33U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U); + seed2[32U] = (uint8_t)domain_separator2; + seed2[33U] = (uint8_t)((uint32_t)domain_separator2 >> 8U); uint8_t seed3[34U]; memcpy(seed3, seed0, (size_t)34U * sizeof(uint8_t)); seed3[32U] = (uint8_t)domain_separator3; seed3[33U] = (uint8_t)((uint32_t)domain_separator3 >> 8U); - libcrux_ml_dsa_hash_functions_portable_Shake128X4 state = - libcrux_ml_dsa_hash_functions_portable_init_absorb_ed( + libcrux_sha3_avx2_x4_incremental_KeccakState state = + libcrux_ml_dsa_hash_functions_simd256_init_absorb_7b( Eurydice_array_to_slice((size_t)34U, seed0, uint8_t), Eurydice_array_to_slice((size_t)34U, seed1, uint8_t), Eurydice_array_to_slice((size_t)34U, seed2, uint8_t), Eurydice_array_to_slice((size_t)34U, seed3, uint8_t)); - uint8_t randomness0[840U] = {0U}; - uint8_t randomness1[840U] = {0U}; - uint8_t randomness2[840U] = {0U}; - uint8_t randomness3[840U] = {0U}; - libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks_ed( - &state, randomness0, randomness1, randomness2, randomness3); - int32_t coefficients0[263U] = {0U}; - int32_t coefficients1[263U] = {0U}; - int32_t coefficients2[263U] = {0U}; - int32_t coefficients3[263U] = {0U}; + libcrux_ml_dsa_hash_functions_simd256_squeeze_first_five_blocks_7b( + &state, rand_stack0, rand_stack1, rand_stack2, rand_stack3); size_t sampled0 = (size_t)0U; size_t sampled1 = (size_t)0U; size_t sampled2 = (size_t)0U; size_t sampled3 = (size_t)0U; bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( - Eurydice_array_to_slice((size_t)840U, randomness0, uint8_t), - &sampled0, coefficients0); + Eurydice_array_to_slice((size_t)840U, rand_stack0, uint8_t), + &sampled0, + 
Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( - Eurydice_array_to_slice((size_t)840U, randomness1, uint8_t), - &sampled1, coefficients1); + Eurydice_array_to_slice((size_t)840U, rand_stack1, uint8_t), + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( - Eurydice_array_to_slice((size_t)840U, randomness2, uint8_t), - &sampled2, coefficients2); + Eurydice_array_to_slice((size_t)840U, rand_stack2, uint8_t), + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( - Eurydice_array_to_slice((size_t)840U, randomness3, uint8_t), - &sampled3, coefficients3); + Eurydice_array_to_slice((size_t)840U, rand_stack3, uint8_t), + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); while (true) { if (done0) { if (done1) { 
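Review bot: `rand_stack0`..`rand_stack3` are now bare `uint8_t *` parameters, yet `Eurydice_array_to_slice((size_t)840U, rand_stack0, uint8_t)` still hard-codes 840 bytes, so the length is no longer tied to the buffer type and an undersized caller buffer would be read past its end silently; `tmp_stack` is likewise indexed at 0..3 without reference to its length. The old code also zero-initialized fresh `coefficientsN[263U]` arrays per call, whereas `tmp_stack` is now reused across the successive calls in `matrix_A_6_by_5_f4` without clearing, so the result depends on rejection sampling overwriting every coefficient that `from_i32_array_ff_ea` later reads before `done` is set — that appears to hold, but it is an implicit invariant worth a comment: `/* rand_stackN must be 840 bytes; tmp_stack must hold 4 x int32_t[263U] and is reused between calls without clearing. */`. The enclosing function starts in the previous hunk and continues past this one.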
@@ -3431,437 +3460,192 @@ libcrux_ml_dsa_sample_sample_four_ring_elements_ea(uint8_t seed0[34U], break; } else { uint8_t_168size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b( &state); if (!done0) { done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), - &sampled0, coefficients0); + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); } if (!done1) { done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), - &sampled1, coefficients1); + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); } if (!done2) { done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), - &sampled2, coefficients2); + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); } if (!done3) { done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), - &sampled3, coefficients3); + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); } } } else { uint8_t_168size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b( &state); if (!done0) { done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), - &sampled0, coefficients0); + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); } if (!done1) { done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( 
Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), - &sampled1, coefficients1); + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); } if (!done2) { done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), - &sampled2, coefficients2); + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); } if (!done3) { done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), - &sampled3, coefficients3); + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); } } } else { uint8_t_168size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( - &state); + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b(&state); if (!done0) { done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), - &sampled0, coefficients0); + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); } if (!done1) { done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), - &sampled1, coefficients1); + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); } if (!done2) { done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), - &sampled2, coefficients2); + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); } if (!done3) { done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), - &sampled3, coefficients3); + &sampled3, + 
Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); } } } else { uint8_t_168size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(&state); + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b(&state); if (!done0) { done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), - &sampled0, coefficients0); + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); } if (!done1) { done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), - &sampled1, coefficients1); + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); } if (!done2) { done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), - &sampled2, coefficients2); + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); } if (!done3) { done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), - &sampled3, coefficients3); + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); } } } - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)263U, coefficients0, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)263U, coefficients1, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)263U, coefficients2, int32_t)); - 
libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - lit; - lit.fst = uu____0; - lit.snd = uu____1; - lit.thd = uu____2; - lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)263U, coefficients3, int32_t)); - return lit; -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.update_matrix -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_samplex4_update_matrix_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*m)[5U], size_t i, - size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 v) { - m[i][j] = v; -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_4_by_4 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_4_by_4_fe( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + for (size_t i0 = (size_t)0U; i0 < elements_requested; i0++) { + size_t k = i0; + size_t uu____0 = k; + uint8_t i = indices[uu____0].fst; + uint8_t j = indices[uu____0].snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24(*uu____1)[5U] = matrix; + size_t uu____2 = (size_t)i; + size_t uu____3 = (size_t)j; + libcrux_ml_dsa_sample_update_matrix_fe( + uu____1, uu____2, uu____3, + libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(Eurydice_array_to_slice( + 
(size_t)263U, + Eurydice_slice_index(tmp_stack, k, int32_t[263U], int32_t(*)[263U]), + int32_t))); } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)0U, - four_ring_elements.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)1U, - four_ring_elements.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)2U, - four_ring_elements.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)3U, - four_ring_elements.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed0[34U]; - memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed0, - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)0U, - four_ring_elements0.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)1U, - four_ring_elements0.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)2U, - four_ring_elements0.thd); - 
libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)3U, - four_ring_elements0.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed1[34U]; - memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed1, - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)0U, - four_ring_elements1.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)1U, - four_ring_elements1.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)2U, - four_ring_elements1.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)3U, - four_ring_elements1.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed2[34U]; - memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed2, - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)0U, - four_ring_elements2.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)1U, - four_ring_elements2.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)2U, - four_ring_elements2.thd); - 
libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)3U, - four_ring_elements2.f3); - memcpy(ret, A, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); } /** A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_6_by_5 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_fe( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)0U, - four_ring_elements.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)1U, - four_ring_elements.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)2U, - four_ring_elements.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)3U, - four_ring_elements.f3); - /* Passing arrays by value in Rust generates a copy 
in C */ - uint8_t copy_of_seed0[34U]; - memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed0, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)4U, - four_ring_elements0.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)0U, - four_ring_elements0.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)1U, - four_ring_elements0.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)2U, - four_ring_elements0.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed1[34U]; - memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed1, - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)3U, - four_ring_elements1.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)4U, - four_ring_elements1.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)0U, - four_ring_elements1.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)1U, - four_ring_elements1.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t 
copy_of_seed2[34U]; - memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed2, - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)2U, - four_ring_elements2.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)3U, - four_ring_elements2.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)4U, - four_ring_elements2.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)0U, - four_ring_elements2.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed3[34U]; - memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements3 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed3, - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 4U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)1U, - four_ring_elements3.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)2U, - four_ring_elements3.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)3U, - four_ring_elements3.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)4U, - four_ring_elements3.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed4[34U]; - 
memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements4 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed4, - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)0U, - four_ring_elements4.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)1U, - four_ring_elements4.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)2U, - four_ring_elements4.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)3U, - four_ring_elements4.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed5[34U]; - memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements5 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed5, - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 2U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)4U, - four_ring_elements5.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)0U, - four_ring_elements5.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)1U, - four_ring_elements5.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)2U, - four_ring_elements5.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed6[34U]; - memcpy(copy_of_seed6, seed, 
(size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements6 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed6, - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 6U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)3U, - four_ring_elements6.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)4U, - four_ring_elements6.snd); - memcpy(ret, A, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_8_by_7 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4 with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_8_by_7_fe( +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_f4( uint8_t seed[34U], libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A[6U][5U]; 
@@ -3872,296 +3656,117 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_8_by_7_fe( A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); } + uint8_t rand_stack0[840U] = {0U}; + uint8_t rand_stack1[840U] = {0U}; + uint8_t rand_stack2[840U] = {0U}; + uint8_t rand_stack3[840U] = {0U}; + int32_t tmp_stack[4U][263U] = {{0U}}; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed[34U]; memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)0U, - four_ring_elements.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)1U, - four_ring_elements.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)2U, - four_ring_elements.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)3U, - four_ring_elements.f3); + uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( + copy_of_seed, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed0[34U]; memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); - 
libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed0, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)4U, - four_ring_elements0.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)5U, - four_ring_elements0.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)6U, - four_ring_elements0.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)0U, - four_ring_elements0.f3); + uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 2U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( + copy_of_seed0, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed1[34U]; memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed1, - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 4U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)1U, - four_ring_elements1.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, 
(size_t)1U, (size_t)2U, - four_ring_elements1.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)3U, - four_ring_elements1.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)4U, - four_ring_elements1.f3); + uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 1U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( + copy_of_seed1, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed2[34U]; memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed2, - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)5U, - four_ring_elements2.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)6U, - four_ring_elements2.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)0U, - four_ring_elements2.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)1U, - four_ring_elements2.f3); + uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 0U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( + copy_of_seed2, A, rand_stack0, rand_stack1, rand_stack2, 
rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed3[34U]; memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements3 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed3, - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 5U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)2U, - four_ring_elements3.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)3U, - four_ring_elements3.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)4U, - four_ring_elements3.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)5U, - four_ring_elements3.f3); + uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 4U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( + copy_of_seed3, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed4[34U]; memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements4 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed4, - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U), - 
libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)6U, - four_ring_elements4.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)0U, - four_ring_elements4.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)1U, - four_ring_elements4.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)2U, - four_ring_elements4.f3); + uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 3U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( + copy_of_seed4, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed5[34U]; memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements5 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed5, - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 6U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)3U, - four_ring_elements5.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)4U, - four_ring_elements5.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)5U, - four_ring_elements5.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)6U, - four_ring_elements5.f3); + uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}), + 
(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 2U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( + copy_of_seed5, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed6[34U]; memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements6 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed6, - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)0U, - four_ring_elements6.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)1U, - four_ring_elements6.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)2U, - four_ring_elements6.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)3U, - four_ring_elements6.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed7[34U]; - memcpy(copy_of_seed7, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements7 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed7, - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 0U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, 
(size_t)4U, - four_ring_elements7.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)5U, - four_ring_elements7.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)6U, - four_ring_elements7.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)0U, - four_ring_elements7.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed8[34U]; - memcpy(copy_of_seed8, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements8 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed8, - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 4U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)1U, - four_ring_elements8.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)2U, - four_ring_elements8.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)3U, - four_ring_elements8.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)4U, - four_ring_elements8.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed9[34U]; - memcpy(copy_of_seed9, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements9 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed9, - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 1U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)5U, - 
four_ring_elements9.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)6U, - four_ring_elements9.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)0U, - four_ring_elements9.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)1U, - four_ring_elements9.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed10[34U]; - memcpy(copy_of_seed10, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements10 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed10, - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 5U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)2U, - four_ring_elements10.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)3U, - four_ring_elements10.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)4U, - four_ring_elements10.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)5U, - four_ring_elements10.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed11[34U]; - memcpy(copy_of_seed11, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements11 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed11, - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 2U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)6U, - 
four_ring_elements11.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)0U, - four_ring_elements11.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)1U, - four_ring_elements11.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)2U, - four_ring_elements11.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed12[34U]; - memcpy(copy_of_seed12, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four_ring_elements12 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( - copy_of_seed12, - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 6U)); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)3U, - four_ring_elements12.fst); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)4U, - four_ring_elements12.snd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)5U, - four_ring_elements12.thd); - libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)6U, - four_ring_elements12.f3); + uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( + copy_of_seed6, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf, + (size_t)2U); memcpy(ret, A, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); } /** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A +A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_A_avx2 with types 
libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_fe( +static inline void libcrux_ml_dsa_samplex4_avx2_matrix_A_avx2_fe( uint8_t seed[34U], libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U}; switch (uu____0.fst) { - case 4U: { - switch (uu____0.snd) { - case 4U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U]; - libcrux_ml_dsa_samplex4_matrix_A_4_by_4_fe(copy_of_seed, ret0); - memcpy( - ret, ret0, - (size_t)6U * - sizeof( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); - return; - } - default: { - } - } - break; - } case 6U: { switch (uu____0.snd) { case 5U: { @@ -4169,27 +3774,7 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_fe( uint8_t copy_of_seed[34U]; memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U]; - libcrux_ml_dsa_samplex4_matrix_A_6_by_5_fe(copy_of_seed, ret0); - memcpy( - ret, ret0, - (size_t)6U * - sizeof( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); - return; - } - default: { - } - } - break; - } - case 8U: { - switch (uu____0.snd) { - case 7U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U]; - libcrux_ml_dsa_samplex4_matrix_A_8_by_7_fe(copy_of_seed, ret0); + libcrux_ml_dsa_samplex4_matrix_A_6_by_5_f4(copy_of_seed, ret0); memcpy( ret, ret0, (size_t)6U * 
@@ -4210,6 +3795,31 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_fe( KRML_HOST_EXIT(255U); } +/** +This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for +libcrux_ml_dsa::samplex4::avx2::AVX2Sampler)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_A_b8 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U]; + libcrux_ml_dsa_samplex4_avx2_matrix_A_avx2_fe(copy_of_seed, ret0); + memcpy(ret, ret0, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); +} + /** A monomorphic instance of K. with types libcrux_ml_dsa_polynomial_PolynomialRingElement @@ -4223,6 +3833,14 @@ typedef struct tuple_ce0_s { libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U]; } tuple_ce0; +typedef struct + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4_s { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 thd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f3; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4; + /** A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types 
@@ -5134,6 +4752,7 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.generate_key_pair with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, @@ -5147,7 +4766,7 @@ libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_bc(uint8_t randomness[32U]) { +libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_90(uint8_t randomness[32U]) { uint8_t seed_expanded0[128U] = {0U}; libcrux_sha3_portable_incremental_Shake256Xof shake = libcrux_ml_dsa_hash_functions_portable_init_83(); @@ -5172,7 +4791,7 @@ libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_bc(uint8_t randomness[32U]) { libcrux_ml_dsa_polynomial_PolynomialRingElement_24 a_as_ntt[6U][5U]; uint8_t ret[34U]; libcrux_ml_dsa_utils_into_padded_array_b6(seed_for_a, ret); - libcrux_ml_dsa_samplex4_matrix_A_fe(ret, a_as_ntt); + libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(ret, a_as_ntt); uint8_t ret0[66U]; libcrux_ml_dsa_utils_into_padded_array_20(seed_for_error_vectors, ret0); tuple_ce0 uu____2 = libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(ret0); @@ -5270,7 +4889,7 @@ libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_bc(copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_90(copy_of_randomness); } /** 
@@ -6806,6 +6425,7 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_92_cc( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, @@ -6826,7 +6446,7 @@ libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics - SIGNATURE_SIZE= 3309 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( uint8_t *signing_key, Eurydice_slice message, Option_84 domain_separation_context, uint8_t randomness[32U]) { tuple_f00 uu____0 = @@ -6853,7 +6473,7 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( uint8_t ret[34U]; libcrux_ml_dsa_utils_into_padded_array_b6( Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); - libcrux_ml_dsa_samplex4_matrix_A_fe(ret, A_as_ntt); + libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(ret, A_as_ntt); uint8_t message_representative[64U] = {0U}; uint8_t uu____1[64U]; memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t)); @@ -7122,6 +6742,7 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, 
@@ -7142,7 +6763,7 @@ libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics - SIGNATURE_SIZE= 3309 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_ea( +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_6b( uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( @@ -7158,7 +6779,7 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_ea( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( + uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( uu____2, uu____3, uu____4, copy_of_randomness); } else { uu____1 = (CLITERAL(Result_2e){ @@ -7201,7 +6822,7 @@ libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_ea(uu____0, uu____1, uu____2, + return libcrux_ml_dsa_ml_dsa_generic_sign_6b(uu____0, uu____1, uu____2, copy_of_randomness); } @@ -7252,7 +6873,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign( libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; /* Passing arrays by value in Rust generates a copy in C */ 
@@ -7265,6 +6886,7 @@ static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_portable_Shake128, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, @@ -7289,7 +6911,7 @@ libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_6e(uint8_t *signing_key, +libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_b7(uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { @@ -7320,7 +6942,7 @@ libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_6e(uint8_t *signing_key, /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - uu____0 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( + uu____0 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( uu____3, uu____4, uu____5, copy_of_randomness); } else { uu____0 = (CLITERAL(Result_2e){ @@ -7364,7 +6986,7 @@ libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_s /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_6e( + return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_b7( uu____0, uu____1, uu____2, copy_of_randomness); } 
@@ -7416,7 +7038,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign_pre_hashed_shake128( libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; /* Passing arrays by value in Rust generates a copy in C */ @@ -7453,9 +7075,11 @@ static inline void libcrux_ml_dsa_encoding_t1_deserialize_ea( __m256i); i++) { size_t i0 = i; - __m256i uu____0 = libcrux_ml_dsa_simd_avx2_t1_deserialize_a2( - Eurydice_slice_subslice2(serialized, i0 * (size_t)10U, - (i0 + (size_t)1U) * (size_t)10U, uint8_t)); + __m256i uu____0 = + libcrux_ml_dsa_simd_avx2_t1_deserialize_a2(Eurydice_slice_subslice2( + serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW, + (i0 + (size_t)1U) * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW, + uint8_t)); result->simd_units[i0] = uu____0; } } @@ -8000,6 +7624,7 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_fe( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics @@ -8019,7 +7644,7 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( +libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( uint8_t *verification_key_serialized, Eurydice_slice message, Option_84 domain_separation_context, uint8_t *signature_serialized) { tuple_930 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_fe( 
@@ -8050,7 +7675,7 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( uint8_t ret[34U]; libcrux_ml_dsa_utils_into_padded_array_b6( Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); - libcrux_ml_dsa_samplex4_matrix_A_fe(ret, A_as_ntt); + libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(ret, A_as_ntt); uint8_t verification_key_hash[64U] = {0U}; libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24( Eurydice_array_to_slice((size_t)1952U, verification_key_serialized, @@ -8132,6 +7757,7 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics @@ -8150,7 +7776,7 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics - MAX_ONES_IN_HINT= 55 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_d1( +static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_44( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( @@ -8160,7 +7786,7 @@ static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_d1( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( + uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( verification_key_serialized, message, (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), signature_serialized); 
@@ -8198,7 +7824,7 @@ static inline Result_41 libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_verify_d1(verification_key, message, + return libcrux_ml_dsa_ml_dsa_generic_verify_44(verification_key, message, context, signature); } @@ -8244,13 +7870,14 @@ static inline Result_41 libcrux_ml_dsa_ml_dsa_65_avx2_verify( Eurydice_slice message, Eurydice_slice context, libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01( - libcrux_ml_dsa_types_as_raw_66_97(verification_key), message, context, - libcrux_ml_dsa_types_as_raw_8f_fa(signature)); + libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_pre_hashed with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_portable_Shake128, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, @@ -8273,7 +7900,7 @@ libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_07( +libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_f8( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { uint8_t pre_hashed_message[256U]; 
@@ -8290,7 +7917,7 @@ libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_07( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - uu____2 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( + uu____2 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( verification_key_serialized, Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t), (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), @@ -8329,7 +7956,7 @@ static inline Result_41 libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_07( + return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_f8( verification_key, message, context, signature); } @@ -8377,8 +8004,8 @@ libcrux_ml_dsa_ml_dsa_65_avx2_verify_pre_hashed_shake128( Eurydice_slice message, Eurydice_slice context, libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01( - libcrux_ml_dsa_types_as_raw_66_97(verification_key), message, context, - libcrux_ml_dsa_types_as_raw_8f_fa(signature)); + libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } KRML_ATTRIBUTE_TARGET("avx2") diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h index 7c1e075a3..13e99f9fc 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h 
@@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 + * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3 */ #ifndef __libcrux_mldsa65_portable_H @@ -71,6 +71,8 @@ extern "C" { #define LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT ((size_t)13U) +#define LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW ((size_t)10U) + #define LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ ((size_t)10U) @@ -512,16 +514,23 @@ typedef libcrux_ml_dsa_types_MLDSAVerificationKey_ea LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) / \ (size_t)8U) -static KRML_MUSTINLINE uint16_t -libcrux_ml_dsa_samplex4_generate_domain_separator(uint8_t row, uint8_t column) { - return (uint32_t)(uint16_t)column | (uint32_t)(uint16_t)row << 8U; -} - #define LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS ((int32_t)8380417) #define LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \ (58728449ULL) +typedef struct uint8_t_x2_s { + uint8_t fst; + uint8_t snd; +} uint8_t_x2; + +static KRML_MUSTINLINE uint16_t +libcrux_ml_dsa_sample_generate_domain_separator(uint8_t_x2 _) { + uint8_t row = _.fst; + uint8_t column = _.snd; + return (uint32_t)(uint16_t)column | (uint32_t)(uint16_t)row << 8U; +} + typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { Eurydice_slice context; Option_30 pre_hash_oid; @@ -645,6 +654,8 @@ static inline void libcrux_ml_dsa_pre_hash_oid_bd(uint8_t ret[11U]) { (size_t)11U * sizeof(uint8_t)); } +typedef struct libcrux_ml_dsa_pre_hash_SHAKE128_PH_s { +} libcrux_ml_dsa_pre_hash_SHAKE128_PH; typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_s { int32_t coefficients[8U]; 
@@ -4152,10 +4163,8 @@ static inline void libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_36( sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); } -typedef struct uint8_t_x2_s { - uint8_t fst; - uint8_t snd; -} uint8_t_x2; +typedef struct libcrux_ml_dsa_samplex4_portable_PortableSampler_s { +} libcrux_ml_dsa_samplex4_portable_PortableSampler; /** A monomorphic instance of K. @@ -4225,14 +4234,6 @@ libcrux_ml_dsa_polynomial_ZERO_ff_ba(void) { return lit; } -typedef struct - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4_s { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b thd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f3; -} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4; - /** A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_field_modulus with types @@ -4266,6 +4267,19 @@ libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( return done; } +/** +A monomorphic instance of libcrux_ml_dsa.sample.update_matrix +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static inline void libcrux_ml_dsa_sample_update_matrix_2f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*m)[5U], size_t i, + size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b v) { + m[i][j] = v; +} + /** This function found in impl {libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, 
@@ -4298,17 +4312,37 @@ libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(Eurydice_slice array) { } /** -A monomorphic instance of libcrux_ml_dsa.sample.sample_four_ring_elements -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics + Sample and write out up to four ring elements. + If i <= `elements_requested`, a field element with domain separated + seed according to the provided index is generated in + `tmp_stack[i]`. After successful rejection sampling in + `tmp_stack[i]`, the ring element is written to `matrix` at the + provided index in `indices[i]`. + `rand_stack` is a working buffer that holds initial Shake output. */ -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 -libcrux_ml_dsa_sample_sample_four_ring_elements_ba(uint8_t seed0[34U], - uint16_t domain_separator0, - uint16_t domain_separator1, - uint16_t domain_seperator2, - uint16_t domain_separator3) { +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_up_to_four_ring_elements +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( + uint8_t seed0[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U], + uint8_t *rand_stack0, uint8_t *rand_stack1, uint8_t *rand_stack2, + uint8_t *rand_stack3, Eurydice_slice tmp_stack, uint8_t_x2 *indices, + size_t elements_requested) { + uint16_t domain_separator0 = + libcrux_ml_dsa_sample_generate_domain_separator(indices[0U]); + uint16_t domain_separator1 = + libcrux_ml_dsa_sample_generate_domain_separator(indices[1U]); + uint16_t domain_separator2 = + libcrux_ml_dsa_sample_generate_domain_separator(indices[2U]); + uint16_t domain_separator3 = + libcrux_ml_dsa_sample_generate_domain_separator(indices[3U]); seed0[32U] = 
(uint8_t)domain_separator0; seed0[33U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); uint8_t seed1[34U]; @@ -4317,8 +4351,8 @@ libcrux_ml_dsa_sample_sample_four_ring_elements_ba(uint8_t seed0[34U], seed1[33U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); uint8_t seed2[34U]; memcpy(seed2, seed0, (size_t)34U * sizeof(uint8_t)); - seed2[32U] = (uint8_t)domain_seperator2; - seed2[33U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U); + seed2[32U] = (uint8_t)domain_separator2; + seed2[33U] = (uint8_t)((uint32_t)domain_separator2 >> 8U); uint8_t seed3[34U]; memcpy(seed3, seed0, (size_t)34U * sizeof(uint8_t)); seed3[32U] = (uint8_t)domain_separator3; 
@@ -4329,36 +4363,36 @@ libcrux_ml_dsa_sample_sample_four_ring_elements_ba(uint8_t seed0[34U], Eurydice_array_to_slice((size_t)34U, seed1, uint8_t), Eurydice_array_to_slice((size_t)34U, seed2, uint8_t), Eurydice_array_to_slice((size_t)34U, seed3, uint8_t)); - uint8_t randomness0[840U] = {0U}; - uint8_t randomness1[840U] = {0U}; - uint8_t randomness2[840U] = {0U}; - uint8_t randomness3[840U] = {0U}; libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks_ed( - &state, randomness0, randomness1, randomness2, randomness3); - int32_t coefficients0[263U] = {0U}; - int32_t coefficients1[263U] = {0U}; - int32_t coefficients2[263U] = {0U}; - int32_t coefficients3[263U] = {0U}; + &state, rand_stack0, rand_stack1, rand_stack2, rand_stack3); size_t sampled0 = (size_t)0U; size_t sampled1 = (size_t)0U; size_t sampled2 = (size_t)0U; size_t sampled3 = (size_t)0U; bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)840U, randomness0, uint8_t), - &sampled0, coefficients0); + Eurydice_array_to_slice((size_t)840U, rand_stack0, uint8_t), + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)840U, randomness1, uint8_t), - &sampled1, coefficients1); + Eurydice_array_to_slice((size_t)840U, rand_stack1, uint8_t), + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)840U, randomness2, uint8_t), - &sampled2, coefficients2); + Eurydice_array_to_slice((size_t)840U, rand_stack2, uint8_t), + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)840U, randomness3, 
uint8_t), - &sampled3, coefficients3); + Eurydice_array_to_slice((size_t)840U, rand_stack3, uint8_t), + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); while (true) { if (done0) { if (done1) { @@ -4374,28 +4408,36 @@ libcrux_ml_dsa_sample_sample_four_ring_elements_ba(uint8_t seed0[34U], libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), - &sampled0, coefficients0); + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); } if (!done1) { done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), - &sampled1, coefficients1); + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); } if (!done2) { done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), - &sampled2, coefficients2); + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); } if (!done3) { done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), - &sampled3, coefficients3); + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); } } } else { 
@@ -4407,28 +4449,36 @@ libcrux_ml_dsa_sample_sample_four_ring_elements_ba(uint8_t seed0[34U], libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), - &sampled0, coefficients0); + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); } if (!done1) { done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), - &sampled1, coefficients1); + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); } if (!done2) { done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), - &sampled2, coefficients2); + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); } if (!done3) { done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), - &sampled3, coefficients3); + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); } } } else { 
@@ -4440,28 +4490,36 @@ libcrux_ml_dsa_sample_sample_four_ring_elements_ba(uint8_t seed0[34U], libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), - &sampled0, coefficients0); + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); } if (!done1) { done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), - &sampled1, coefficients1); + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); } if (!done2) { done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), - &sampled2, coefficients2); + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); } if (!done3) { done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), - &sampled3, coefficients3); + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); } } } else { 
@@ -4472,328 +4530,63 @@ libcrux_ml_dsa_sample_sample_four_ring_elements_ba(uint8_t seed0[34U], libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), - &sampled0, coefficients0); + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); } if (!done1) { done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), - &sampled1, coefficients1); + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); } if (!done2) { done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), - &sampled2, coefficients2); + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); } if (!done3) { done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), - &sampled3, coefficients3); + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); } } } - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - Eurydice_array_to_slice((size_t)263U, coefficients0, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - Eurydice_array_to_slice((size_t)263U, coefficients1, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - Eurydice_array_to_slice((size_t)263U, coefficients2, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - lit; - lit.fst = uu____0; - lit.snd = uu____1; - lit.thd = uu____2; - lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - 
Eurydice_array_to_slice((size_t)263U, coefficients3, int32_t)); - return lit; -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.update_matrix -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -static inline void libcrux_ml_dsa_samplex4_update_matrix_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*m)[5U], size_t i, - size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b v) { - m[i][j] = v; -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_4_by_4 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_4_by_4_2f( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + for (size_t i0 = (size_t)0U; i0 < elements_requested; i0++) { + size_t k = i0; + size_t uu____0 = k; + uint8_t i = indices[uu____0].fst; + uint8_t j = indices[uu____0].snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b(*uu____1)[5U] = matrix; + size_t uu____2 = (size_t)i; + size_t uu____3 = (size_t)j; + libcrux_ml_dsa_sample_update_matrix_2f( + uu____1, uu____2, uu____3, + libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(Eurydice_array_to_slice( + (size_t)263U, + Eurydice_slice_index(tmp_stack, k, int32_t[263U], int32_t(*)[263U]), + int32_t))); } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - 
libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)0U, - four_ring_elements.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)1U, - four_ring_elements.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)2U, - four_ring_elements.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)3U, - four_ring_elements.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed0[34U]; - memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed0, - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)0U, - four_ring_elements0.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)1U, - four_ring_elements0.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)2U, - four_ring_elements0.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)3U, - four_ring_elements0.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed1[34U]; - memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); - 
libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed1, - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)0U, - four_ring_elements1.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)1U, - four_ring_elements1.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)2U, - four_ring_elements1.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)3U, - four_ring_elements1.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed2[34U]; - memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed2, - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)0U, - four_ring_elements2.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)1U, - four_ring_elements2.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)2U, - four_ring_elements2.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)3U, - four_ring_elements2.f3); - memcpy(ret, A, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); } /** A monomorphic instance of 
libcrux_ml_dsa.samplex4.matrix_A_6_by_5 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_2f( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)0U, - four_ring_elements.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)1U, - four_ring_elements.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)2U, - four_ring_elements.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)3U, - four_ring_elements.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed0[34U]; - memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements0 = 
libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed0, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)4U, - four_ring_elements0.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)0U, - four_ring_elements0.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)1U, - four_ring_elements0.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)2U, - four_ring_elements0.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed1[34U]; - memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed1, - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)3U, - four_ring_elements1.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)4U, - four_ring_elements1.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)0U, - four_ring_elements1.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)1U, - four_ring_elements1.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed2[34U]; - memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements2 = 
libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed2, - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)2U, - four_ring_elements2.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)3U, - four_ring_elements2.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)4U, - four_ring_elements2.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)0U, - four_ring_elements2.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed3[34U]; - memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements3 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed3, - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 4U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)1U, - four_ring_elements3.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)2U, - four_ring_elements3.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)3U, - four_ring_elements3.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)4U, - four_ring_elements3.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed4[34U]; - memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements4 = 
libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed4, - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)0U, - four_ring_elements4.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)1U, - four_ring_elements4.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)2U, - four_ring_elements4.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)3U, - four_ring_elements4.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed5[34U]; - memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements5 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed5, - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 2U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)4U, - four_ring_elements5.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)0U, - four_ring_elements5.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)1U, - four_ring_elements5.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)2U, - four_ring_elements5.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed6[34U]; - memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements6 = 
libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed6, - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 6U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)3U, - four_ring_elements6.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)4U, - four_ring_elements6.snd); - memcpy(ret, A, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_8_by_7 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_8_by_7_2f( +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_49( uint8_t seed[34U], libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A[6U][5U]; 
@@ -4804,295 +4597,116 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_8_by_7_2f( A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); } + uint8_t rand_stack0[840U] = {0U}; + uint8_t rand_stack1[840U] = {0U}; + uint8_t rand_stack2[840U] = {0U}; + uint8_t rand_stack3[840U] = {0U}; + int32_t tmp_stack[4U][263U] = {{0U}}; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed[34U]; memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)0U, - four_ring_elements.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)1U, - four_ring_elements.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)2U, - four_ring_elements.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)3U, - four_ring_elements.f3); + uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( + copy_of_seed, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed0[34U]; memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); - 
libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed0, - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)4U, - four_ring_elements0.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)5U, - four_ring_elements0.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)6U, - four_ring_elements0.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)0U, - four_ring_elements0.f3); + uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 2U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( + copy_of_seed0, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed1[34U]; memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed1, - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 4U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)1U, - four_ring_elements1.fst); - 
libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)2U, - four_ring_elements1.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)3U, - four_ring_elements1.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)4U, - four_ring_elements1.f3); + uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 1U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( + copy_of_seed1, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed2[34U]; memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed2, - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)5U, - four_ring_elements2.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)6U, - four_ring_elements2.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)0U, - four_ring_elements2.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)1U, - four_ring_elements2.f3); + uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 0U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( + 
copy_of_seed2, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed3[34U]; memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements3 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed3, - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 5U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)2U, - four_ring_elements3.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)3U, - four_ring_elements3.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)4U, - four_ring_elements3.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)5U, - four_ring_elements3.f3); + uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 4U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( + copy_of_seed3, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed4[34U]; memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements4 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed4, - libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 6U), - 
libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)6U, - four_ring_elements4.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)0U, - four_ring_elements4.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)1U, - four_ring_elements4.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)2U, - four_ring_elements4.f3); + uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 3U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( + copy_of_seed4, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed5[34U]; memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements5 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed5, - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 6U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)3U, - four_ring_elements5.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)4U, - four_ring_elements5.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)5U, - four_ring_elements5.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)6U, - four_ring_elements5.f3); + 
uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 2U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( + copy_of_seed5, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6, + (size_t)4U); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_seed6[34U]; memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements6 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed6, - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 3U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)0U, - four_ring_elements6.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)1U, - four_ring_elements6.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)2U, - four_ring_elements6.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)3U, - four_ring_elements6.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed7[34U]; - memcpy(copy_of_seed7, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements7 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed7, - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 6U), - 
libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 0U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)4U, - four_ring_elements7.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)5U, - four_ring_elements7.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)6U, - four_ring_elements7.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)0U, - four_ring_elements7.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed8[34U]; - memcpy(copy_of_seed8, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements8 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed8, - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 1U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 4U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)1U, - four_ring_elements8.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)2U, - four_ring_elements8.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)3U, - four_ring_elements8.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)4U, - four_ring_elements8.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed9[34U]; - memcpy(copy_of_seed9, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements9 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed9, - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 0U), - 
libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 1U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)5U, - four_ring_elements9.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)6U, - four_ring_elements9.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)0U, - four_ring_elements9.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)1U, - four_ring_elements9.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed10[34U]; - memcpy(copy_of_seed10, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements10 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed10, - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 2U), - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 5U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)2U, - four_ring_elements10.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)3U, - four_ring_elements10.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)4U, - four_ring_elements10.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)5U, - four_ring_elements10.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed11[34U]; - memcpy(copy_of_seed11, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements11 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed11, - libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 6U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 0U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 1U), - 
libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 2U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)6U, - four_ring_elements11.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)0U, - four_ring_elements11.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)1U, - four_ring_elements11.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)2U, - four_ring_elements11.f3); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed12[34U]; - memcpy(copy_of_seed12, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four_ring_elements12 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( - copy_of_seed12, - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 3U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 4U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 5U), - libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 6U)); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)3U, - four_ring_elements12.fst); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)4U, - four_ring_elements12.snd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)5U, - four_ring_elements12.thd); - libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)6U, - four_ring_elements12.f3); + uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})}; + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( + copy_of_seed6, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf, + (size_t)2U); memcpy(ret, A, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); } /** -A 
monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_generic +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_2f( +static inline void libcrux_ml_dsa_samplex4_matrix_A_generic_49( uint8_t seed[34U], libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U}; switch (uu____0.fst) { - case 4U: { - switch (uu____0.snd) { - case 4U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U]; - libcrux_ml_dsa_samplex4_matrix_A_4_by_4_2f(copy_of_seed, ret0); - memcpy( - ret, ret0, - (size_t)6U * - sizeof( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); - return; - } - default: { - } - } - break; - } case 6U: { switch (uu____0.snd) { case 5U: { 
@@ -5100,27 +4714,7 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_2f( uint8_t copy_of_seed[34U]; memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U]; - libcrux_ml_dsa_samplex4_matrix_A_6_by_5_2f(copy_of_seed, ret0); - memcpy( - ret, ret0, - (size_t)6U * - sizeof( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); - return; - } - default: { - } - } - break; - } - case 8U: { - switch (uu____0.snd) { - case 7U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U]; - libcrux_ml_dsa_samplex4_matrix_A_8_by_7_2f(copy_of_seed, ret0); + libcrux_ml_dsa_samplex4_matrix_A_6_by_5_49(copy_of_seed, ret0); memcpy( ret, ret0, (size_t)6U * 
@@ -5141,6 +4735,30 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_2f( KRML_HOST_EXIT(255U); } +/** +This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for +libcrux_ml_dsa::samplex4::portable::PortableSampler)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.portable.matrix_A_36 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U]; + libcrux_ml_dsa_samplex4_matrix_A_generic_49(copy_of_seed, ret0); + memcpy(ret, ret0, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); +} + /** A monomorphic instance of K. with types libcrux_ml_dsa_polynomial_PolynomialRingElement @@ -5154,6 +4772,14 @@ typedef struct tuple_ce_s { libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U]; } tuple_ce; +typedef struct + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4_s { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b thd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f3; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4; + /** A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types 
@@ -6075,6 +5701,7 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.generate_key_pair with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, @@ -6087,7 +5714,7 @@ libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics - VERIFICATION_KEY_SIZE= 1952 */ static KRML_MUSTINLINE tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_5a(uint8_t randomness[32U]) { +libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_c3(uint8_t randomness[32U]) { uint8_t seed_expanded0[128U] = {0U}; libcrux_sha3_portable_incremental_Shake256Xof shake = libcrux_ml_dsa_hash_functions_portable_init_83(); @@ -6112,7 +5739,7 @@ libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_5a(uint8_t randomness[32U]) { libcrux_ml_dsa_polynomial_PolynomialRingElement_9b a_as_ntt[6U][5U]; uint8_t ret[34U]; libcrux_ml_dsa_utils_into_padded_array_b6(seed_for_a, ret); - libcrux_ml_dsa_samplex4_matrix_A_2f(ret, a_as_ntt); + libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(ret, a_as_ntt); uint8_t ret0[66U]; libcrux_ml_dsa_utils_into_padded_array_20(seed_for_error_vectors, ret0); tuple_ce uu____2 = libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(ret0); @@ -6209,7 +5836,7 @@ libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_52( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_5a(copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_c3(copy_of_randomness); } /** 
@@ -7775,6 +7402,7 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_92_76( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, @@ -7794,7 +7422,7 @@ libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics - SIGNING_KEY_SIZE= 4032 - SIGNATURE_SIZE= 3309 */ -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( uint8_t *signing_key, Eurydice_slice message, Option_84 domain_separation_context, uint8_t randomness[32U]) { tuple_f0 uu____0 = @@ -7821,7 +7449,7 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( uint8_t ret[34U]; libcrux_ml_dsa_utils_into_padded_array_b6( Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); - libcrux_ml_dsa_samplex4_matrix_A_2f(ret, A_as_ntt); + libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(ret, A_as_ntt); uint8_t message_representative[64U] = {0U}; uint8_t uu____1[64U]; memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t)); @@ -8090,6 +7718,7 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, 
@@ -8109,7 +7738,7 @@ libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics - SIGNING_KEY_SIZE= 4032 - SIGNATURE_SIZE= 3309 */ -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_05( +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_3f( uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( @@ -8125,7 +7754,7 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_05( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( + uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( uu____2, uu____3, uu____4, copy_of_randomness); } else { uu____1 = (CLITERAL(Result_2e){ @@ -8166,7 +7795,7 @@ libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_05(uu____0, uu____1, uu____2, + return libcrux_ml_dsa_ml_dsa_generic_sign_3f(uu____0, uu____1, uu____2, copy_of_randomness); } @@ -8180,7 +7809,7 @@ libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign( libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; /* Passing arrays by value in Rust generates a copy in C */ 
@@ -8236,6 +7865,7 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_pre_hash_hash_bd_54( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, @@ -8259,7 +7889,7 @@ libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics - SIGNATURE_SIZE= 3309 */ static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_0d(uint8_t *signing_key, +libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_da(uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { @@ -8290,7 +7920,7 @@ libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_0d(uint8_t *signing_key, /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - uu____0 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( + uu____0 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( uu____3, uu____4, uu____5, copy_of_randomness); } else { uu____0 = (CLITERAL(Result_2e){ @@ -8333,7 +7963,7 @@ libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_0d( + return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_da( uu____0, uu____1, uu____2, copy_of_randomness); } 
@@ -8348,7 +7978,7 @@ static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign_pre_hashed_shake128( libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; /* Passing arrays by value in Rust generates a copy in C */ @@ -8387,9 +8017,10 @@ static inline void libcrux_ml_dsa_encoding_t1_deserialize_ba( i++) { size_t i0 = i; libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_t1_deserialize_36( - Eurydice_slice_subslice2(serialized, i0 * (size_t)10U, - (i0 + (size_t)1U) * (size_t)10U, uint8_t)); + libcrux_ml_dsa_simd_portable_t1_deserialize_36(Eurydice_slice_subslice2( + serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW, + (i0 + (size_t)1U) * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW, + uint8_t)); result->simd_units[i0] = uu____0; } } @@ -8963,6 +8594,7 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_2f( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics 
@@ -8981,7 +8613,7 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics - MAX_ONES_IN_HINT= 55 */ static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( +libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( uint8_t *verification_key_serialized, Eurydice_slice message, Option_84 domain_separation_context, uint8_t *signature_serialized) { tuple_93 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_2f( @@ -9012,7 +8644,7 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( uint8_t ret[34U]; libcrux_ml_dsa_utils_into_padded_array_b6( Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); - libcrux_ml_dsa_samplex4_matrix_A_2f(ret, A_as_ntt); + libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(ret, A_as_ntt); uint8_t verification_key_hash[64U] = {0U}; libcrux_ml_dsa_hash_functions_portable_shake256_5c_24( Eurydice_array_to_slice((size_t)1952U, verification_key_serialized, @@ -9094,6 +8726,7 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics @@ -9111,7 +8744,7 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics - ONES_IN_VERIFIER_CHALLENGE= 49 - MAX_ONES_IN_HINT= 55 */ -static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_99( +static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_51( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( 
@@ -9121,7 +8754,7 @@ static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_99( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( + uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( verification_key_serialized, message, (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), signature_serialized); @@ -9157,7 +8790,7 @@ static inline Result_41 libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_verify_99(verification_key, message, + return libcrux_ml_dsa_ml_dsa_generic_verify_51(verification_key, message, context, signature); } @@ -9173,13 +8806,14 @@ static inline Result_41 libcrux_ml_dsa_ml_dsa_65_portable_verify( Eurydice_slice message, Eurydice_slice context, libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( - libcrux_ml_dsa_types_as_raw_66_97(verification_key), message, context, - libcrux_ml_dsa_types_as_raw_8f_fa(signature)); + libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_pre_hashed with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, 
@@ -9201,7 +8835,7 @@ libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics - MAX_ONES_IN_HINT= 55 */ static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_ae( +libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_3b( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { uint8_t pre_hashed_message[256U]; @@ -9218,7 +8852,7 @@ libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_ae( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - uu____2 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( + uu____2 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( verification_key_serialized, Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t), (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), @@ -9256,7 +8890,7 @@ static inline Result_41 libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_ae( + return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_3b( verification_key, message, context, signature); } @@ -9273,8 +8907,8 @@ libcrux_ml_dsa_ml_dsa_65_portable_verify_pre_hashed_shake128( Eurydice_slice message, Eurydice_slice context, libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( - libcrux_ml_dsa_types_as_raw_66_97(verification_key), message, context, - libcrux_ml_dsa_types_as_raw_8f_fa(signature)); + libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } #define LIBCRUX_ML_DSA_PRE_HASH_PRE_HASH_OID_LEN ((size_t)11U) 
@@ -9318,6 +8952,9 @@ typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_FieldElement; typedef Result_a8 libcrux_ml_dsa_pre_hash_PreHashResult; +typedef struct libcrux_ml_dsa_hash_functions_portable_Shake128_s { +} libcrux_ml_dsa_hash_functions_portable_Shake128; + #if defined(__cplusplus) } #endif diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h index ed58cea67..876ec6f9b 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 + * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h index dabbeb171..ebba16495 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 + * Libcrux: 00424f6ff03ac7c79f2922ed628bf6a5b8723be3 */ #ifndef __libcrux_sha3_portable_H diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst index 3ae7a4680..c1553434f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst 
@@ -11,6 +11,8 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Hash_functions.Simd256 in let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in let open Libcrux_ml_dsa.Simd.Avx2 in let open Libcrux_ml_dsa.Simd.Traits in () @@ -21,7 +23,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA @@ -37,7 +39,7 @@ let sign (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA @@ -56,7 +58,7 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof 
@@ -77,7 +79,7 @@ let verify (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 @@ -95,7 +97,7 @@ let verify_pre_hashed_shake128 (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti index d24fb5ad1..aaa4d5643 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti @@ -11,6 +11,8 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Hash_functions.Simd256 in let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in let open Libcrux_ml_dsa.Simd.Avx2 in let open Libcrux_ml_dsa.Simd.Traits in () 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst index bc44352c6..c81b51ec3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst @@ -11,6 +11,8 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in let open Libcrux_ml_dsa.Simd.Portable in let open Libcrux_ml_dsa.Simd.Traits in () @@ -21,7 +23,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA @@ -37,7 +39,7 @@ let sign (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA 
@@ -56,7 +58,7 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -77,7 +79,7 @@ let verify (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 @@ -95,7 +97,7 @@ let verify_pre_hashed_shake128 (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti index 93c40dc34..45fac8db0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti @@ -11,6 +11,8 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in let open Libcrux_ml_dsa.Simd.Portable in let open Libcrux_ml_dsa.Simd.Traits in () diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst index 581a147b8..fba006d14 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst @@ -10,6 +10,8 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in let open Libcrux_ml_dsa.Simd.Portable in let open Libcrux_ml_dsa.Simd.Traits in () @@ -20,6 +22,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -36,6 +39,7 @@ let sign (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof 
@@ -55,6 +59,7 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -76,6 +81,7 @@ let verify (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A @@ -94,6 +100,7 @@ let verify_pre_hashed_shake128 (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti index 1e4399d64..9bd1f00f2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti 
@@ -10,6 +10,8 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in let open Libcrux_ml_dsa.Simd.Portable in let open Libcrux_ml_dsa.Simd.Traits in () diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index 0bf89311c..1fec04ec9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -9,6 +9,7 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in let open Libcrux_ml_dsa.Simd.Traits in () 
@@ -109,26 +110,311 @@ let derive_message_representative let _:Prims.unit = () in message_representative +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let seed_for_A, t1:(t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + verification_key_serialized + in + match + Libcrux_ml_dsa.Encoding.Signature.impl__deserialize #v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + v_MAX_ONES_IN_HINT + v_SIGNATURE_SIZE + signature_serialized + with + | Core.Result.Result_Ok s -> + let signature:Libcrux_ml_dsa.Encoding.Signature.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A = + s + in + if + 
Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + v_COLUMNS_IN_A + signature.Libcrux_ml_dsa.Encoding.Signature.f_signer_response + ((2l < + Core.Result.Result_Err e + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message + 
(Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #v_PH_DIGEST_LEN + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + 
(Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized (pre_hashed_message <: t_Slice u8) + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + let sign_internal - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - 
i7: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message: t_Slice u8) @@ -154,7 +440,9 @@ let sign_internal let v_A_as_ntt:t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) v_ROWS_IN_A = - Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit + Libcrux_ml_dsa.Samplex4.f_matrix_A #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) (seed_for_A <: t_Slice u8) 
@@ -480,354 +768,67 @@ let sign_internal ({ Libcrux_ml_dsa.Encoding.Signature.f_commitment_hash = commitment_hash; Libcrux_ml_dsa.Encoding.Signature.f_signer_response = signer_response; - Libcrux_ml_dsa.Encoding.Signature.f_hint = hint - } - <: - Libcrux_ml_dsa.Encoding.Signature.t_Signature v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A) - in - Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new v_SIGNATURE_SIZE signature) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError - <: - Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError - <: - Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError - ) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - -let sign - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - 
Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 v_ROWS_IN_A - v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE - v_SIGNATURE_SIZE signing_key message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - -let sign_pre_hashed - (#v_SIMDUnit #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE 
v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: - Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - else - let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #v_PH_DIGEST_LEN - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 v_ROWS_IN_A - v_COLUMNS_IN_A v_ETA 
v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - -let verify_internal - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - = - let seed_for_A, t1:(t_Array u8 (sz 32) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = - Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit - 
v_ROWS_IN_A - v_VERIFICATION_KEY_SIZE - verification_key_serialized - in - match - Libcrux_ml_dsa.Encoding.Signature.impl__deserialize #v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A - v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE - v_MAX_ONES_IN_HINT - v_SIGNATURE_SIZE - signature_serialized - with - | Core.Result.Result_Ok s -> - let signature:Libcrux_ml_dsa.Encoding.Signature.t_Signature v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A = - s - in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - v_COLUMNS_IN_A - signature.Libcrux_ml_dsa.Encoding.Signature.f_signer_response - ((2l < + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - let w_approx:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit - v_ROWS_IN_A - v_COLUMNS_IN_A - v_A_as_ntt - signature.Libcrux_ml_dsa.Encoding.Signature.f_signer_response - verifier_challenge_as_ntt - t1 - in - let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = - Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE - in - let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit - v_ROWS_IN_A - v_GAMMA2 - signature.Libcrux_ml_dsa.Encoding.Signature.f_hint - w_approx - in - let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = - Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_ROWS_IN_A - v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE - commitment - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - 
#FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (commitment_serialized <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 v_COMMITMENT_HASH_SIZE) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - commitment_hash - in - let shake:v_Shake256Xof = tmp0 in - let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - if signature.Libcrux_ml_dsa.Encoding.Signature.f_commitment_hash =. commitment_hash - then - Core.Result.Result_Ok (() <: Prims.unit) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: - Libcrux_ml_dsa.Types.t_VerificationError) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - | Core.Result.Result_Err e -> - Core.Result.Result_Err e + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError -let verify - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE 
v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + (randomness: t_Array u8 (sz 32)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context 
@@ -835,102 +836,115 @@ let verify with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A - v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 - v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message (Core.Option.Option_Some domain_separation_context <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError -let verify_pre_hashed - (#v_SIMDUnit #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + 
(v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + (randomness: t_Array u8 (sz 32)) = - let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #v_PH_DIGEST_LEN - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - 
Core.Option.t_Option (t_Array u8 (sz 11))) - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A - v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 - v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized - (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err _ -> + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + else + let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #v_PH_DIGEST_LEN + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + v_ROWS_IN_A v_COLUMNS_IN_A v_ETA 
v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key (pre_hashed_message <: t_Slice u8) + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError let generate_key_pair - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (randomness: t_Array u8 (sz 32)) = 
@@ -977,7 +991,9 @@ let generate_key_pair let a_as_ntt:t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) v_ROWS_IN_A = - Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit + Libcrux_ml_dsa.Samplex4.f_matrix_A #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) seed_for_a <: t_Array u8 (sz 34)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti index b333cdc66..a1ac213b3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti @@ -9,6 +9,7 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in let open Libcrux_ml_dsa.Simd.Traits in () 
@@ -39,82 +40,21 @@ val derive_message_representative (message_representative: t_Array u8 (sz 64)) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -/// The internal signing API. -/// If no `domain_separation_context` is supplied, it is assumed that -/// `message` already contains the domain separation. -val sign_internal - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - 
{| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed - (#v_SIMDUnit #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - /// The internal verification API. /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. 
val verify_internal - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) - {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message: t_Slice u8) (domain_separation_context: 
@@ -125,16 +65,17 @@ val verify_internal (fun _ -> Prims.l_True) val verify - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) - {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) 
@@ -143,18 +84,19 @@ val verify (fun _ -> Prims.l_True) val verify_pre_hashed - (#v_SIMDUnit #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) 
@@ -162,16 +104,83 @@ val verify_pre_hashed Prims.l_True (fun _ -> Prims.l_True) +/// The internal signing API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: 
Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + /// Generate a key pair. 
val generate_key_pair - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} (randomness: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst index 288d73ebd..da6c38417 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst 
@@ -6,12 +6,14 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Simd.Traits in () +let generate_domain_separator (row, column: (u8 & u8)) = + (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) <>! 8l <: u16) <: u8) - in - let seed1:t_Array u8 (sz 34) = seed0 in - let seed1:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (sz 32) - (cast (domain_separator1 <: u16) <: u8) - in - let seed1:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (sz 33) - (cast (domain_separator1 >>! 8l <: u16) <: u8) - in - let seed2:t_Array u8 (sz 34) = seed0 in - let seed2:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (sz 32) - (cast (domain_seperator2 <: u16) <: u8) - in - let seed2:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (sz 33) - (cast (domain_seperator2 >>! 8l <: u16) <: u8) - in - let seed3:t_Array u8 (sz 34) = seed0 in - let seed3:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (sz 32) - (cast (domain_separator3 <: u16) <: u8) - in - let seed3:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (sz 33) - (cast (domain_separator3 >>! 
8l <: u16) <: u8) - in - let state:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 = - Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #FStar.Tactics.Typeclasses.solve - (seed0 <: t_Slice u8) - (seed1 <: t_Slice u8) - (seed2 <: t_Slice u8) - (seed3 <: t_Slice u8) - in - let randomness0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let randomness1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let randomness2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let randomness3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #FStar.Tactics.Typeclasses.solve - state - randomness0 - randomness1 - randomness2 - randomness3 - in - let state:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 = tmp0 in - let randomness0:t_Array u8 (sz 840) = tmp1 in - let randomness1:t_Array u8 (sz 840) = tmp2 in - let randomness2:t_Array u8 (sz 840) = tmp3 in - let randomness3:t_Array u8 (sz 840) = tmp4 in - let _:Prims.unit = () in - let coefficients0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in - let coefficients1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in - let coefficients2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in - let coefficients3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in - let sampled0:usize = sz 0 in - let sampled1:usize = sz 0 in - let sampled2:usize = sz 0 in - let sampled3:usize = sz 0 in - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomness0 <: t_Slice u8) - sampled0 - 
coefficients0 - in - let sampled0:usize = tmp0 in - let coefficients0:t_Array i32 (sz 263) = tmp1 in - let done0:bool = out in - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomness1 <: t_Slice u8) - sampled1 - coefficients1 - in - let sampled1:usize = tmp0 in - let coefficients1:t_Array i32 (sz 263) = tmp1 in - let done1:bool = out in - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomness2 <: t_Slice u8) - sampled2 - coefficients2 - in - let sampled2:usize = tmp0 in - let coefficients2:t_Array i32 (sz 263) = tmp1 in - let done2:bool = out in - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomness3 <: t_Slice u8) - sampled3 - coefficients3 - in - let sampled3:usize = tmp0 in - let coefficients3:t_Array i32 (sz 263) = tmp1 in - let done3:bool = out in - let - coefficients0, - coefficients1, - coefficients2, - coefficients3, - done0, - done1, - done2, - done3, - sampled0, - sampled1, - sampled2, - sampled3, - state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - bool & - bool & - bool & - bool & - usize & - usize & - usize & - usize & - Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4) = - Rust_primitives.f_while_loop (fun temp_0_ -> - let - coefficients0, - coefficients1, - coefficients2, - coefficients3, - done0, - done1, - done2, - done3, - sampled0, - sampled1, - sampled2, - sampled3, - state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - bool & - bool & - bool & - bool & - usize & - usize & - usize & - usize & - Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4) = - temp_0_ - in - (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) - (coefficients0, - coefficients1, - coefficients2, - coefficients3, - done0, - 
done1, - done2, - done3, - sampled0, - sampled1, - sampled2, - sampled3, - state - <: - (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - bool & - bool & - bool & - bool & - usize & - usize & - usize & - usize & - Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4)) - (fun temp_0_ -> - let - coefficients0, - coefficients1, - coefficients2, - coefficients3, - done0, - done1, - done2, - done3, - sampled0, - sampled1, - sampled2, - sampled3, - state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - bool & - bool & - bool & - bool & - usize & - usize & - usize & - usize & - Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4) = - temp_0_ - in - let tmp0, out:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 & - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) - = - Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #FStar.Tactics.Typeclasses.solve - state - in - let state:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 = tmp0 in - let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & - t_Array u8 (sz 168)) = - out - in - let coefficients0, done0, sampled0:(t_Array i32 (sz 263) & bool & usize) = - if ~.done0 - then - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomnesses._1 <: t_Slice u8) - sampled0 - coefficients0 - in - let sampled0:usize = tmp0 in - let coefficients0:t_Array i32 (sz 263) = tmp1 in - let done0:bool = out in - coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) - else coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) - in - let coefficients1, done1, sampled1:(t_Array i32 (sz 263) & bool & usize) = - if ~.done1 - then - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - 
rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomnesses._2 <: t_Slice u8) - sampled1 - coefficients1 - in - let sampled1:usize = tmp0 in - let coefficients1:t_Array i32 (sz 263) = tmp1 in - let done1:bool = out in - coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) - else coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) - in - let coefficients2, done2, sampled2:(t_Array i32 (sz 263) & bool & usize) = - if ~.done2 - then - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomnesses._3 <: t_Slice u8) - sampled2 - coefficients2 - in - let sampled2:usize = tmp0 in - let coefficients2:t_Array i32 (sz 263) = tmp1 in - let done2:bool = out in - coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) - else coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) - in - if ~.done3 - then - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomnesses._4 <: t_Slice u8) - sampled3 - coefficients3 - in - let sampled3:usize = tmp0 in - let coefficients3:t_Array i32 (sz 263) = tmp1 in - let done3:bool = out in - coefficients0, - coefficients1, - coefficients2, - coefficients3, - done0, - done1, - done2, - done3, - sampled0, - sampled1, - sampled2, - sampled3, - state - <: - (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - bool & - bool & - bool & - bool & - usize & - usize & - usize & - usize & - Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4) - else - coefficients0, - coefficients1, - coefficients2, - coefficients3, - done0, - done1, - done2, - done3, - sampled0, - sampled1, - sampled2, - sampled3, - state - <: - (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - bool & - bool & - bool & - bool & - usize & - usize & - usize & - usize & - 
Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4)) - in - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients0 <: t_Slice i32), - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients1 <: t_Slice i32), - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients2 <: t_Slice i32), - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients3 <: t_Slice i32) - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - let sample_mask_ring_element (#v_SIMDUnit #v_Shake256: Type0) (v_GAMMA1_EXPONENT: usize) 
@@ -1317,3 +989,324 @@ let sample_mask_vector domain_separator, hax_temp_output <: (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + +let sample_up_to_four_ring_elements + (#v_SIMDUnit #v_Shake128: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) + (seed0: t_Array u8 (sz 34)) + (matrix: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840)) + (tmp_stack: t_Slice (t_Array i32 (sz 263))) + (indices: t_Array (u8 & u8) (sz 4)) + (elements_requested: usize) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = Hax_lib.v_assert (elements_requested <=. sz 4 <: bool) in + () + in + let domain_separator0:u16 = generate_domain_separator (indices.[ sz 0 ] <: (u8 & u8)) in + let domain_separator1:u16 = generate_domain_separator (indices.[ sz 1 ] <: (u8 & u8)) in + let domain_separator2:u16 = generate_domain_separator (indices.[ sz 2 ] <: (u8 & u8)) in + let domain_separator3:u16 = generate_domain_separator (indices.[ sz 3 ] <: (u8 & u8)) in + let seed0:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 32) + (cast (domain_separator0 <: u16) <: u8) + in + let seed0:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 33) + (cast (domain_separator0 >>! 
8l <: u16) <: u8) + in + let seed1:t_Array u8 (sz 34) = seed0 in + let seed1:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 32) + (cast (domain_separator1 <: u16) <: u8) + in + let seed1:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 33) + (cast (domain_separator1 >>! 8l <: u16) <: u8) + in + let seed2:t_Array u8 (sz 34) = seed0 in + let seed2:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 32) + (cast (domain_separator2 <: u16) <: u8) + in + let seed2:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 33) + (cast (domain_separator2 >>! 8l <: u16) <: u8) + in + let seed3:t_Array u8 (sz 34) = seed0 in + let seed3:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 32) + (cast (domain_separator3 <: u16) <: u8) + in + let seed3:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 33) + (cast (domain_separator3 >>! 
8l <: u16) <: u8) + in + let state:v_Shake128 = + Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128 + #FStar.Tactics.Typeclasses.solve + (seed0 <: t_Slice u8) + (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) + (seed3 <: t_Slice u8) + in + let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128 + #FStar.Tactics.Typeclasses.solve + state + rand_stack0 + rand_stack1 + rand_stack2 + rand_stack3 + in + let state:v_Shake128 = tmp0 in + let rand_stack0:t_Array u8 (sz 840) = tmp1 in + let rand_stack1:t_Array u8 (sz 840) = tmp2 in + let rand_stack2:t_Array u8 (sz 840) = tmp3 in + let rand_stack3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (rand_stack0 <: t_Slice u8) + sampled0 + (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263)) + in + let sampled0:usize = tmp0 in + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1 + in + let done0:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (rand_stack1 <: t_Slice u8) + sampled1 + (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263)) + in + let sampled1:usize = tmp0 in + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1 + in + let done1:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (rand_stack2 <: t_Slice u8) + sampled2 + (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263)) + in + let sampled2:usize = 
tmp0 in + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1 + in + let done2:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (rand_stack3 <: t_Slice u8) + sampled3 + (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263)) + in + let sampled3:usize = tmp0 in + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1 + in + let done3:bool = out in + let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128 & + t_Slice (t_Array i32 (sz 263))) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128 & + t_Slice (t_Array i32 (sz 263))) = + temp_0_ + in + (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) + (done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack + <: + (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & + t_Slice (t_Array i32 (sz 263)))) + (fun temp_0_ -> + let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128 & + t_Slice (t_Array i32 (sz 263))) = + temp_0_ + in + let tmp0, out:(v_Shake128 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + = + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake128 = tmp0 in + let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) 
= + out + in + let done0, sampled0, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) = + if ~.done0 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._1 <: t_Slice u8) + sampled0 + (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263)) + in + let sampled0:usize = tmp0 in + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1 + in + let done0:bool = out in + done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) + else done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) + in + let done1, sampled1, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) = + if ~.done1 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._2 <: t_Slice u8) + sampled1 + (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263)) + in + let sampled1:usize = tmp0 in + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1 + in + let done1:bool = out in + done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) + else done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) + in + let done2, sampled2, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) = + if ~.done2 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._3 <: t_Slice u8) + sampled2 + (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263)) + in + let sampled2:usize = tmp0 in + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1 + in + let done2:bool = out in + done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) + else done2, sampled2, 
tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) + in + if ~.done3 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._4 <: t_Slice u8) + sampled3 + (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263)) + in + let sampled3:usize = tmp0 in + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1 + in + let done3:bool = out in + done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack + <: + (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & + t_Slice (t_Array i32 (sz 263))) + else + done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack + <: + (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & + t_Slice (t_Array i32 (sz 263)))) + in + let matrix:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + elements_requested + (fun matrix temp_1_ -> + let matrix:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + matrix + in + let _:usize = temp_1_ in + true) + matrix + (fun matrix k -> + let matrix:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + matrix + in + let k:usize = k in + let i, j:(u8 & u8) = indices.[ k ] in + let matrix:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + update_matrix #v_SIMDUnit + v_ROWS_IN_A + v_COLUMNS_IN_A + matrix + (cast (i <: u8) <: usize) + (cast (j <: u8) <: usize) + (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit + (tmp_stack.[ k ] <: t_Slice i32) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + matrix) + in + let 
hax_temp_output:Prims.unit = () <: Prims.unit in + matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack + <: + (t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Slice (t_Array i32 (sz 263))) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti index 9cab11744..5e6082b9b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti @@ -6,15 +6,31 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Simd.Traits in () +val generate_domain_separator: (u8 & u8) -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True) + val update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) : Prims.Pure (u16 & t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) +val update_matrix + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (m: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (i j: usize) + (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + val rejection_sample_less_than_eta_equals_2_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} 
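Review bot: The new body reads `tmp_stack.[ sz 0 ]` through `tmp_stack.[ sz 3 ]` and `indices.[ k ]` for every k below `elements_requested`, but the only guard is the extracted debug assertion `Hax_lib.v_assert (elements_requested <=. sz 4 <: bool)` under `if true`, and the matching `val` in the Sample.fsti hunk declares `Prims.l_True` as its precondition, so neither a length-at-least-four bound on `tmp_stack` nor `elements_requested <= 4` is part of the declared contract. The same gap applies to `update_matrix` in the Sample.fsti hunk, whose `(i j: usize)` are used as matrix indices under `Prims.l_True`. Since these files are hax output, the bound belongs in the Rust source, e.g. `#[hax_lib::requires(tmp_stack.len() >= 4 && elements_requested <= 4)]`, so the extracted `val` carries it; if the module is meant to be fully verified rather than lax-checked, the indexing obligations presumably need exactly that. Note also that all four lanes are rejection-sampled regardless of `elements_requested` and only the final `fold_range` honours it, which looks intended for the x4 XOF but deserves a comment.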
@@ -80,19 +96,6 @@ val sample_four_error_ring_elements
 Prims.l_True (fun _ -> Prims.l_True)
-val sample_four_ring_elements
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (seed0: t_Array u8 (sz 34))
- (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16)
- : Prims.Pure
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit &
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
 val sample_mask_ring_element (#v_SIMDUnit #v_Shake256: Type0) (v_GAMMA1_EXPONENT: usize)
@@ -116,3 +119,34 @@ val sample_mask_vector
 (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Sample and write out up to four ring elements.
+/// If i <= `elements_requested`, a field element with domain separated
+/// seed according to the provided index is generated in
+/// `tmp_stack[i]`. After successful rejection sampling in
+/// `tmp_stack[i]`, the ring element is written to `matrix` at the
+/// provided index in `indices[i]`.
+/// `rand_stack` is a working buffer that holds initial Shake output.
+val sample_up_to_four_ring_elements
+ (#v_SIMDUnit #v_Shake128: Type0)
+ (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
+ {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |}
+ (seed0: t_Array u8 (sz 34))
+ (matrix:
+ t_Array
+ (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+ v_ROWS_IN_A)
+ (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840))
+ (tmp_stack: t_Slice (t_Array i32 (sz 263)))
+ (indices: t_Array (u8 & u8) (sz 4))
+ (elements_requested: usize)
+ : Prims.Pure
+ (t_Array
+ (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+ v_ROWS_IN_A &
+ t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Slice (t_Array i32 (sz 263))) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst
new file mode 100644
index 000000000..96cf97528
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst
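Review bot: The doc comment's "If i <= `elements_requested`" is off by one against the implementation, which writes ring elements for indices 0 <= i < `elements_requested` (the `fold_range (sz 0) elements_requested` in the Sample.fst hunk), and what rejection sampling produces in `tmp_stack[i]` is a ring element, not a field element. Suggest `/// For each i < `elements_requested`, a ring element with a domain-separated` for the second line. The comment should also state that `tmp_stack` must hold at least four entries and that all four `indices` must be valid, since all four lanes are sampled even when fewer elements are requested.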
@@ -0,0 +1,92 @@
+module Libcrux_ml_dsa.Samplex4.Avx2
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+ let open Libcrux_ml_dsa.Hash_functions.Simd256 in
+ let open Libcrux_ml_dsa.Simd.Traits in
+ ()
+
+let matrix_A_avx2
+ (#v_SIMDUnit: Type0)
+ (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (seed: t_Array u8 (sz 34))
+ =
+ match
+ (cast (v_ROWS_IN_A <: usize) <: u8), (cast (v_COLUMNS_IN_A <: usize) <: u8) <: (u8 & u8)
+ with
+ | 4uy, 4uy ->
+ Libcrux_ml_dsa.Samplex4.matrix_A_4_by_4_ #v_SIMDUnit
+ #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+ v_ROWS_IN_A
+ v_COLUMNS_IN_A
+ seed
+ | 6uy, 5uy ->
+ Libcrux_ml_dsa.Samplex4.matrix_A_6_by_5_ #v_SIMDUnit
+ #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+ v_ROWS_IN_A
+ v_COLUMNS_IN_A
+ seed
+ | 8uy, 7uy ->
+ Libcrux_ml_dsa.Samplex4.matrix_A_8_by_7_ #v_SIMDUnit
+ #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+ v_ROWS_IN_A
+ v_COLUMNS_IN_A
+ seed
+ | _ ->
+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
+ <:
+ Rust_primitives.Hax.t_Never)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_dsa.Samplex4.t_X4Sampler t_AVX2Sampler =
+ {
+ f_matrix_A_pre
+ =
+ (fun
+ (#v_SIMDUnit: Type0)
+ (v_ROWS_IN_A: usize)
+ (v_COLUMNS_IN_A: usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (seed: t_Array u8 (sz 34))
+ ->
+ true);
+ f_matrix_A_post
+ =
+ (fun
+ (#v_SIMDUnit: Type0)
+ (v_ROWS_IN_A: usize)
+ (v_COLUMNS_IN_A: usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (seed: t_Array u8 (sz 34))
+ (out:
+ t_Array
+ (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+ v_ROWS_IN_A)
+ ->
+ true);
+ f_matrix_A
+ =
+ fun
+ (#v_SIMDUnit: Type0)
+ (v_ROWS_IN_A: usize)
+ (v_COLUMNS_IN_A: usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (seed: t_Array u8 (sz 34))
+ ->
+ matrix_A_avx2 #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A seed
+ }
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti
new file mode 100644
index 000000000..618fe2e20
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti
@@ -0,0 +1,27 @@
+module Libcrux_ml_dsa.Samplex4.Avx2
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+ let open Libcrux_ml_dsa.Hash_functions.Simd256 in
+ let open Libcrux_ml_dsa.Simd.Traits in
+ ()
+
+type t_AVX2Sampler = | AVX2Sampler : t_AVX2Sampler
+
+val matrix_A_avx2
+ (#v_SIMDUnit: Type0)
+ (v_ROWS_IN_A v_COLUMNS_IN_A: usize)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (seed: t_Array u8 (sz 34))
+ : Prims.Pure
+ (t_Array
+ (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+ v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Libcrux_ml_dsa.Samplex4.t_X4Sampler t_AVX2Sampler
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst
new file mode 100644
index 000000000..9d975149f
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst
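Review bot: `f_matrix_A_pre` returns `true` for every `(v_ROWS_IN_A, v_COLUMNS_IN_A)`, so nothing in the instance contract or in the `val matrix_A_avx2` of the Avx2.fsti hunk rules out the `| _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" ...)` arm of `matrix_A_avx2`. The Neon and Portable instances in the following hunks delegate to `Libcrux_ml_dsa.Samplex4.matrix_A_generic` and have no such arm. Either restrict the AVX2 precondition to the three parameter sets matched here (in the Rust source via `hax_lib::requires`, so the extraction reflects it), or let the default arm fall back to `matrix_A_generic` with `Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4`, if that path is supported for AVX2.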
@@ -0,0 +1,61 @@
+module Libcrux_ml_dsa.Samplex4.Neon
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_dsa.Hash_functions.Neon in
+ let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+ let open Libcrux_ml_dsa.Simd.Traits in
+ ()
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_dsa.Samplex4.t_X4Sampler t_NeonSampler =
+ {
+ f_matrix_A_pre
+ =
+ (fun
+ (#v_SIMDUnit: Type0)
+ (v_ROWS_IN_A: usize)
+ (v_COLUMNS_IN_A: usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (seed: t_Array u8 (sz 34))
+ ->
+ true);
+ f_matrix_A_post
+ =
+ (fun
+ (#v_SIMDUnit: Type0)
+ (v_ROWS_IN_A: usize)
+ (v_COLUMNS_IN_A: usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (seed: t_Array u8 (sz 34))
+ (out:
+ t_Array
+ (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)
+ v_ROWS_IN_A)
+ ->
+ true);
+ f_matrix_A
+ =
+ fun
+ (#v_SIMDUnit: Type0)
+ (v_ROWS_IN_A: usize)
+ (v_COLUMNS_IN_A: usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (seed: t_Array u8 (sz 34))
+ ->
+ Libcrux_ml_dsa.Samplex4.matrix_A_generic #v_SIMDUnit
+ #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4
+ v_ROWS_IN_A
+ v_COLUMNS_IN_A
+ seed
+ }
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fsti
new file mode 100644
index 000000000..3a407290f
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fsti
@@ -0,0 +1,17 @@
+module Libcrux_ml_dsa.Samplex4.Neon
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_dsa.Hash_functions.Neon in
+ let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+ let open Libcrux_ml_dsa.Simd.Traits in
+ ()
+
+type t_NeonSampler = | NeonSampler : t_NeonSampler
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Libcrux_ml_dsa.Samplex4.t_X4Sampler t_NeonSampler
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst
new file mode 100644
index 000000000..47473f479
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst
@@ -0,0 +1,61 @@ +module Libcrux_ml_dsa.Samplex4.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Samplex4.t_X4Sampler t_PortableSampler = + { + f_matrix_A_pre + = + (fun + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A: usize) + (v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (seed: t_Array u8 (sz 34)) + -> + true); + f_matrix_A_post + = + (fun + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A: usize) + (v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (seed: t_Array u8 (sz 34)) + (out: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + -> + true); + f_matrix_A + = + fun + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A: usize) + (v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (seed: t_Array u8 (sz 34)) + -> + Libcrux_ml_dsa.Samplex4.matrix_A_generic #v_SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + v_ROWS_IN_A + v_COLUMNS_IN_A + seed + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fsti new file mode 100644 index 000000000..8764f68b8 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fsti 
@@ -0,0 +1,17 @@ +module Libcrux_ml_dsa.Samplex4.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +type t_PortableSampler = | PortableSampler : t_PortableSampler + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:Libcrux_ml_dsa.Samplex4.t_X4Sampler t_PortableSampler diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst index 06a86b638..e4e0c4571 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst @@ -6,47 +6,20 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Simd.Traits in () -let generate_domain_separator (row column: u8) = - (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) < matrix_A_4_by_4_ #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A seed - | 6uy, 5uy -> matrix_A_6_by_5_ #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A seed - | 8uy, 7uy -> matrix_A_8_by_7_ #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A seed + | 4uy, 4uy -> matrix_A_4_by_4_ #v_SIMDUnit #v_Shake128 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 6uy, 5uy -> matrix_A_6_by_5_ #v_SIMDUnit #v_Shake128 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 8uy, 7uy -> matrix_A_8_by_7_ #v_SIMDUnit #v_Shake128 v_ROWS_IN_A v_COLUMNS_IN_A seed | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti index e1b9a56dc..13aa21421 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti 
@@ -6,31 +6,49 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Simd.Traits in () -val generate_domain_separator (row column: u8) : Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True) - -val update_matrix - (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (m: - t_Array +/// The x4 sampling implementation that is selected during multiplexing. +class t_X4Sampler (v_Self: Type0) = { + f_matrix_A_pre: + #v_SIMDUnit: Type0 -> + v_ROWS_IN_A: usize -> + v_COLUMNS_IN_A: usize -> + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + t_Array u8 (sz 34) + -> Type0; + f_matrix_A_post: + #v_SIMDUnit: Type0 -> + v_ROWS_IN_A: usize -> + v_COLUMNS_IN_A: usize -> + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + t_Array u8 (sz 34) -> + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A + -> Type0; + f_matrix_A: + #v_SIMDUnit: Type0 -> + v_ROWS_IN_A: usize -> + v_COLUMNS_IN_A: usize -> + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + x0: t_Array u8 (sz 34) + -> Prims.Pure + (t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) v_ROWS_IN_A) - (i j: usize) - (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure - (t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + (f_matrix_A_pre #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A #i1 x0) + (fun result -> f_matrix_A_post #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A #i1 x0 result) +} val matrix_A_4_by_4_ - (#v_SIMDUnit: Type0) + (#v_SIMDUnit #v_Shake128: Type0) 
(v_ROWS_IN_A v_COLUMNS_IN_A: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} (seed: t_Array u8 (sz 34)) : Prims.Pure (t_Array @@ -38,9 +56,10 @@ val matrix_A_4_by_4_ v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) val matrix_A_6_by_5_ - (#v_SIMDUnit: Type0) + (#v_SIMDUnit #v_Shake128: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} (seed: t_Array u8 (sz 34)) : Prims.Pure (t_Array @@ -48,19 +67,21 @@ val matrix_A_6_by_5_ v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) val matrix_A_8_by_7_ - (#v_SIMDUnit: Type0) + (#v_SIMDUnit #v_Shake128: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} (seed: t_Array u8 (sz 34)) : Prims.Pure (t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) -val matrix_A - (#v_SIMDUnit: Type0) +val matrix_A_generic + (#v_SIMDUnit #v_Shake128: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} (seed: t_Array u8 (sz 34)) : Prims.Pure (t_Array diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index c58a1b46f..1100fb11b 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs 
@@ -103,7 +103,7 @@ pub(crate) mod portable { /// Portable SHAKE 128 x4 state. /// /// We're using a portable implementation so this is actually sequential. - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake128X4 { state0: KeccakState, state1: KeccakState, @@ -199,7 +199,7 @@ pub(crate) mod portable { } /// Portable SHAKE 128 state - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake128 {} #[inline(always)] @@ -215,7 +215,7 @@ pub(crate) mod portable { } /// Portable SHAKE 256 state - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake256 { state: KeccakState, } @@ -271,7 +271,7 @@ pub(crate) mod portable { /// Portable SHAKE 256 x4 state. /// /// We're using a portable implementation so this is actually sequential. - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake256X4 { state0: libcrux_sha3::portable::KeccakState, state1: libcrux_sha3::portable::KeccakState, @@ -391,7 +391,7 @@ pub(crate) mod portable { } } - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake256Xof { state: incremental::Shake256Xof, } @@ -428,7 +428,7 @@ pub(crate) mod simd256 { /// /// This only implements the XofX4 API. For the single Xof, the portable /// version is used. - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake128x4 { state: libcrux_sha3::avx2::x4::incremental::KeccakState, } @@ -514,7 +514,7 @@ pub(crate) mod simd256 { } /// AVX2 SHAKE 256 state - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake256 { state: libcrux_sha3::portable::KeccakState, } 
@@ -575,7 +575,7 @@ pub(crate) mod simd256 { } /// AVX2 SHAKE 256 x4 state. - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake256x4 { state: libcrux_sha3::avx2::x4::incremental::KeccakState, } @@ -701,10 +701,10 @@ pub(crate) mod neon { use super::{shake128, shake256}; use libcrux_sha3::neon::x2; - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) type KeccakState = x2::incremental::KeccakState; - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake128x4 { state: [KeccakState; 2], } @@ -775,7 +775,7 @@ pub(crate) mod neon { } /// Neon SHAKE 256 x4 state - #[cfg_attr(hax, hax_lib::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque)] pub(crate) struct Shake256x4 { state: [KeccakState; 2], } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 717861772..a5bde6d4a 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -12,7 +12,7 @@ use crate::{ ntt::ntt, pre_hash::{DomainSeparationContext, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, - samplex4, + samplex4::{self, X4Sampler}, simd::traits::Operations, types::{SigningError, VerificationError}, utils::into_padded_array, @@ -28,6 +28,7 @@ pub(crate) mod multiplexing; #[inline(always)] pub(crate) fn generate_key_pair< SIMDUnit: Operations, + Sampler: X4Sampler, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, @@ -55,7 +56,7 @@ pub(crate) fn generate_key_pair< seed_expanded.split_at(SEED_FOR_ERROR_VECTORS_SIZE); let a_as_ntt = - samplex4::matrix_A::(into_padded_array(seed_for_a)); + Sampler::matrix_A::(into_padded_array(seed_for_a)); let (s1, s2) = samplex4::sample_s1_and_s2::( into_padded_array(seed_for_error_vectors), 
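Review bot: With `matrix_A` now routed through `Sampler::matrix_A` in the `@@ -55,7 +56,7` hunk, it is not visible what still consumes the `Shake128X4: shake128::XofX4` type parameter of `generate_key_pair`; the old call also did not take it, so it may be an unused parameter that every instantiation keeps threading through. If nothing in the body uses it, drop it from the generic list (and from `sign_internal`/`verify_internal` where the same pattern appears); if it is used, a one-line comment next to it saying by what would save the next reader the search. `generate_key_pair`'s body continues outside this hunk.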
@@ -95,6 +96,7 @@ pub(crate) fn generate_key_pair< #[inline(always)] pub(crate) fn sign_pre_hashed< SIMDUnit: Operations, + Sampler: X4Sampler, Shake128: shake128::Xof, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, @@ -132,6 +134,7 @@ pub(crate) fn sign_pre_hashed< }; sign_internal::< SIMDUnit, + Sampler, Shake128X4, Shake256, Shake256Xof, @@ -162,6 +165,7 @@ pub(crate) fn sign_pre_hashed< #[inline(always)] pub(crate) fn sign< SIMDUnit: Operations, + Sampler: X4Sampler, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, @@ -192,6 +196,7 @@ pub(crate) fn sign< }; sign_internal::< SIMDUnit, + Sampler, Shake128X4, Shake256, Shake256Xof, @@ -226,6 +231,7 @@ pub(crate) fn sign< #[inline(always)] pub(crate) fn sign_internal< SIMDUnit: Operations, + Sampler: X4Sampler, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, @@ -261,7 +267,7 @@ pub(crate) fn sign_internal< >(signing_key); let A_as_ntt = - samplex4::matrix_A::(into_padded_array(&seed_for_A)); + Sampler::matrix_A::(into_padded_array(&seed_for_A)); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; derive_message_representative::( @@ -468,6 +474,7 @@ fn derive_message_representative( #[inline(always)] pub(crate) fn verify_internal< SIMDUnit: Operations, + Sampler: X4Sampler, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, @@ -515,7 +522,7 @@ pub(crate) fn verify_internal< return Err(VerificationError::SignerResponseExceedsBoundError); } let A_as_ntt = - samplex4::matrix_A::(into_padded_array(&seed_for_A)); + Sampler::matrix_A::(into_padded_array(&seed_for_A)); let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; Shake256::shake256::( @@ -572,6 +579,7 @@ pub(crate) fn verify_internal< #[inline(always)] pub(crate) fn verify< SIMDUnit: Operations, + Sampler: X4Sampler, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, 
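Review bot: `Sampler: X4Sampler` becomes a free type parameter on both the signing and the verifying entry points, but nothing in the new code states the interoperability requirement that follows: `A` is a deterministic expansion of the public seed, so every `X4Sampler` implementation must produce bit-identical output or a signature produced with one sampler will not verify with another. A doc comment on the new parameter would make that explicit, e.g. `/// Platform-specific expander for the matrix A; all implementations must agree bit-for-bit, since signer and verifier may run different ones.` `sign_internal` and `verify_internal` both start and end outside this hunk.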
@@ -601,6 +609,7 @@ pub(crate) fn verify< }; verify_internal::< SIMDUnit, + Sampler, Shake128X4, Shake256, Shake256Xof, @@ -629,6 +638,7 @@ pub(crate) fn verify< #[inline(always)] pub(crate) fn verify_pre_hashed< SIMDUnit: Operations, + Sampler: X4Sampler, Shake128: shake128::Xof, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, @@ -662,6 +672,7 @@ pub(crate) fn verify_pre_hashed< verify_internal::< SIMDUnit, + Sampler, Shake128X4, Shake256, Shake256Xof, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 07920de39..a3f240793 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -1,5 +1,5 @@ macro_rules! instantiate { - ($modp:ident, $simdunit:path, $shake128:path, $shake128x4:path, $shake256:path, $shake256xof:path, $shake256x4:path) => { + ($modp:ident, $simdunit:path, $shake128:path, $shake128x4:path, $shake256:path, $shake256xof:path, $shake256x4:path, $sampler:path) => { pub mod $modp { use crate::{ constants::*, @@ -21,6 +21,7 @@ macro_rules! instantiate { ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { crate::ml_dsa_generic::generate_key_pair::< $simdunit, + $sampler, $shake128x4, $shake256, $shake256xof, @@ -58,6 +59,7 @@ macro_rules! instantiate { ) -> Result, SigningError> { crate::ml_dsa_generic::sign::< $simdunit, + $sampler, $shake128x4, $shake256, $shake256xof, @@ -103,6 +105,7 @@ macro_rules! instantiate { ) -> Result, SigningError> { crate::ml_dsa_generic::sign_internal::< $simdunit, + $sampler, $shake128x4, $shake256, $shake256xof, @@ -148,6 +151,7 @@ macro_rules! instantiate { ) -> Result, SigningError> { crate::ml_dsa_generic::sign_pre_hashed::< $simdunit, + $sampler, $shake128, $shake128x4, $shake256, @@ -195,6 +199,7 @@ macro_rules! instantiate { ) -> Result<(), VerificationError> { crate::ml_dsa_generic::verify::< $simdunit, + $sampler, $shake128x4, $shake256, $shake256xof, 
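Review bot: The new `$sampler:path` parameter of `instantiate!` is appended last in the matcher, while every call inside the macro passes it second (directly after `$simdunit`), so reading an `instantiate!` invocation against the generic lists in `ml_dsa_generic` now requires mentally reordering arguments. Moving it to the second position, `($modp:ident, $simdunit:path, $sampler:path, $shake128:path, …)`, and adjusting the invocations keeps positional arguments aligned with the generics they fill. The macro body continues outside this hunk.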
@@ -237,6 +242,7 @@ macro_rules! instantiate { ) -> Result<(), VerificationError> { crate::ml_dsa_generic::verify_internal::< $simdunit, + $sampler, $shake128x4, $shake256, $shake256xof, @@ -279,6 +285,7 @@ macro_rules! instantiate { ) -> Result<(), VerificationError> { crate::ml_dsa_generic::verify_pre_hashed::< $simdunit, + $sampler, $shake128, $shake128x4, $shake256, @@ -311,7 +318,8 @@ instantiate! {portable, crate::hash_functions::portable::Shake128X4, crate::hash_functions::portable::Shake256, crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::portable::Shake256X4 + crate::hash_functions::portable::Shake256X4, + crate::samplex4::portable::PortableSampler } // AVX2 generic implementation. @@ -326,5 +334,6 @@ instantiate! {neon, crate::hash_functions::neon::Shake128x4, crate::hash_functions::portable::Shake256, crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::neon::Shake256x4 + crate::hash_functions::neon::Shake256x4, + crate::samplex4::neon::NeonSampler } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index a6d3c85b5..2c8c599ba 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -23,6 +23,7 @@ mod avx2_feature { ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { crate::ml_dsa_generic::generate_key_pair::< crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, // We use the portable version here. @@ -64,6 +65,7 @@ mod avx2_feature { ) -> Result, SigningError> { crate::ml_dsa_generic::sign::< crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, // We use the portable version here. 
@@ -113,6 +115,7 @@ mod avx2_feature { ) -> Result, SigningError> { crate::ml_dsa_generic::sign_internal::< crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, // We use the portable version here. @@ -162,6 +165,7 @@ mod avx2_feature { ) -> Result, SigningError> { crate::ml_dsa_generic::sign_pre_hashed::< crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, // We use the portable version here. // It doesn' make sense to do these in parallel. crate::hash_functions::portable::Shake128, @@ -215,6 +219,7 @@ mod avx2_feature { ) -> Result<(), VerificationError> { crate::ml_dsa_generic::verify::< crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, // We use the portable version here. @@ -261,6 +266,7 @@ mod avx2_feature { ) -> Result<(), VerificationError> { crate::ml_dsa_generic::verify_internal::< crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, // We use the portable version here. @@ -307,6 +313,7 @@ mod avx2_feature { ) -> Result<(), VerificationError> { crate::ml_dsa_generic::verify_pre_hashed::< crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, // We use the portable version here. // It doesn' make sense to do these in parallel. crate::hash_functions::portable::Shake128, diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 96ab1655f..ea7f49291 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs 
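Review bot: The AVX2 instantiation now selects `crate::samplex4::avx2::AVX2Sampler` independently of `simd256::Shake128x4`, and the portable and Neon instantiations pair their own sampler with their own XOF by convention only; since the matrix A must be identical whichever sampler expands the public seed, this refactor deserves a direct cross-implementation test that expands one 34-byte seed with `PortableSampler::matrix_A` and `AVX2Sampler::matrix_A` (and the Neon one where available) and asserts equality, rather than relying on the end-to-end KATs alone. The `avx2_feature` module continues outside this hunk.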
@@ -34,19 +34,57 @@ fn rejection_sample_less_than_field_modulus(
 done
 }
-pub(crate) fn sample_four_ring_elements(
+#[inline(always)]
+fn generate_domain_separator((row, column): (u8, u8)) -> u16 {
+ (column as u16) | ((row as u16) << 8)
+}
+
+pub(crate) type Matrix =
+ [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A];
+
+// Doing deep updates like `a[1][1] = 3` causes a memory blowup in F*
+// https://github.com/hacspec/hax/issues/1098
+// So we are instead using a matrix abstraction with a custom update function here.
+fn update_matrix(
+ m: &mut Matrix,
+ i: usize,
+ j: usize,
+ v: PolynomialRingElement,
+) {
+ m[i][j] = v;
+}
+
+/// Sample and write out up to four ring elements.
+///
+/// If i <= `elements_requested`, a field element with domain separated
+/// seed according to the provided index is generated in
+/// `tmp_stack[i]`. After successful rejection sampling in
+/// `tmp_stack[i]`, the ring element is written to `matrix` at the
+/// provided index in `indices[i]`.
+/// `rand_stack` is a working buffer that holds initial Shake output.
+#[inline(always)]
+pub(crate) fn sample_up_to_four_ring_elements<
+ SIMDUnit: Operations,
+ Shake128: shake128::XofX4,
+ const ROWS_IN_A: usize,
+ const COLUMNS_IN_A: usize,
+>(
 mut seed0: [u8; 34],
- domain_separator0: u16,
- domain_separator1: u16,
- domain_seperator2: u16,
- domain_separator3: u16,
-) -> (
- PolynomialRingElement,
- PolynomialRingElement,
- PolynomialRingElement,
- PolynomialRingElement,
+ matrix: &mut Matrix,
+ rand_stack0: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
+ rand_stack1: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
+ rand_stack2: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
+ rand_stack3: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
+ tmp_stack: &mut [[i32; 263]],
+ indices: &[(u8, u8); 4],
+ elements_requested: usize,
 ) {
- use crate::hash_functions::shake128::XofX4;
+ debug_assert!(elements_requested <= 4);
+
+ let domain_separator0 = generate_domain_separator(indices[0]);
+ let domain_separator1 = generate_domain_separator(indices[1]);
+ let domain_separator2 = generate_domain_separator(indices[2]);
+ let domain_separator3 = generate_domain_separator(indices[3]);
 // Prepare the seeds
 seed0[32] = domain_separator0 as u8;
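Review bot: The doc comment on `sample_up_to_four_ring_elements` says `If i <= elements_requested`, but the write-back loop later in the function iterates the half-open range `0..elements_requested`, so the bound should read `i < elements_requested`. The `debug_assert!(elements_requested <= 4)` also vanishes in release builds, where a larger value would only surface as an index panic on `indices[k]`; taking `tmp_stack: &mut [[i32; 263]; 4]` instead of a slice would make the four-row requirement part of the type, matching the `indices: &[(u8, u8); 4]` parameter. The function body continues outside this hunk.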
@@ -57,30 +95,16 @@ pub(crate) fn sample_four_ring_elements(
 seed1[33] = (domain_separator1 >> 8) as u8;
 let mut seed2 = seed0;
- seed2[32] = domain_seperator2 as u8;
- seed2[33] = (domain_seperator2 >> 8) as u8;
+ seed2[32] = domain_separator2 as u8;
+ seed2[33] = (domain_separator2 >> 8) as u8;
 let mut seed3 = seed0;
 seed3[32] = domain_separator3 as u8;
 seed3[33] = (domain_separator3 >> 8) as u8;
- // FIXME: We use the portable implementation here, since the
- // compiler has an easier time optimizing it, compared to the AVX2
- // version, which actually results in faster code (except for key
- // generation), even in the AVX2 instantiation of ML-DSA.
- let mut state =
- crate::hash_functions::portable::Shake128X4::init_absorb(&seed0, &seed1, &seed2, &seed3);
-
- let mut randomness0 = [0u8; shake128::FIVE_BLOCKS_SIZE];
- let mut randomness1 = [0u8; shake128::FIVE_BLOCKS_SIZE];
- let mut randomness2 = [0u8; shake128::FIVE_BLOCKS_SIZE];
- let mut randomness3 = [0u8; shake128::FIVE_BLOCKS_SIZE];
- state.squeeze_first_five_blocks(
- &mut randomness0,
- &mut randomness1,
- &mut randomness2,
- &mut randomness3,
- );
+ let mut state = Shake128::init_absorb(&seed0, &seed1, &seed2, &seed3);
+
+ state.squeeze_first_five_blocks(rand_stack0, rand_stack1, rand_stack2, rand_stack3);
 // Every call to |rejection_sample_less_than_field_modulus|
 // will result in a call to |PortableSIMDUnit::rejection_sample_less_than_field_modulus|;
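Review bot: The removed FIXME recorded a measured reason for hard-coding the portable SHAKE-128 x4 here (faster in every case except key generation), and the new generic `Shake128::init_absorb` call drops that note without a replacement; the AVX2 instantiation in this same commit passes `simd256::Shake128x4`, so unless `AVX2Sampler` re-selects the portable XOF (not visible here) a deliberate performance choice is reversed silently. Either confirm with a benchmark that the AVX2 path is not slower, or keep a one-line pointer such as `// The XOF is chosen by the X4Sampler instantiation; see samplex4::{portable, avx2, neon}.` The enclosing function starts and ends outside this hunk.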
@@ -90,35 +114,30 @@ pub(crate) fn sample_four_ring_elements(
 //
 // To ensure we don't overflow the buffer in this case, we allocate 255 + 8
 // = 263 elements.
- let mut coefficients0 = [0i32; 263];
- let mut coefficients1 = [0i32; 263];
- let mut coefficients2 = [0i32; 263];
- let mut coefficients3 = [0i32; 263];
-
 let mut sampled0 = 0;
 let mut sampled1 = 0;
 let mut sampled2 = 0;
 let mut sampled3 = 0;
 let mut done0 = rejection_sample_less_than_field_modulus::(
- &randomness0,
+ rand_stack0,
 &mut sampled0,
- &mut coefficients0,
+ &mut tmp_stack[0],
 );
 let mut done1 = rejection_sample_less_than_field_modulus::(
- &randomness1,
+ rand_stack1,
 &mut sampled1,
- &mut coefficients1,
+ &mut tmp_stack[1],
 );
 let mut done2 = rejection_sample_less_than_field_modulus::(
- &randomness2,
+ rand_stack2,
 &mut sampled2,
- &mut coefficients2,
+ &mut tmp_stack[2],
 );
 let mut done3 = rejection_sample_less_than_field_modulus::(
- &randomness3,
+ rand_stack3,
 &mut sampled3,
- &mut coefficients3,
+ &mut tmp_stack[3],
 );
 while !done0 || !done1 || !done2 || !done3 {
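Review bot: The context comment above the removed `coefficients*` arrays still says `we allocate 255 + 8 = 263 elements`, but after this hunk the buffers arrive from the caller as `tmp_stack`, so the 263-entry size is a precondition this function relies on rather than something it guarantees. Rewording it to state the contract, e.g. `// ... so each tmp_stack row must hold 255 + 8 = 263 entries (enforced by its element type).`, stops a future caller from shrinking the rows. The enclosing function starts and ends outside this hunk.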
@@ -127,38 +146,43 @@ pub(crate) fn sample_four_ring_elements(
 done0 = rejection_sample_less_than_field_modulus::(
 &randomnesses.0,
 &mut sampled0,
- &mut coefficients0,
+ &mut tmp_stack[0],
 );
 }
 if !done1 {
 done1 = rejection_sample_less_than_field_modulus::(
 &randomnesses.1,
 &mut sampled1,
- &mut coefficients1,
+ &mut tmp_stack[1],
 );
 }
 if !done2 {
 done2 = rejection_sample_less_than_field_modulus::(
 &randomnesses.2,
 &mut sampled2,
- &mut coefficients2,
+ &mut tmp_stack[2],
 );
 }
 if !done3 {
 done3 = rejection_sample_less_than_field_modulus::(
 &randomnesses.3,
 &mut sampled3,
- &mut coefficients3,
+ &mut tmp_stack[3],
 );
 }
 }
- (
- PolynomialRingElement::::from_i32_array(&coefficients0),
- PolynomialRingElement::::from_i32_array(&coefficients1),
- PolynomialRingElement::::from_i32_array(&coefficients2),
- PolynomialRingElement::::from_i32_array(&coefficients3),
- )
+ for k in 0..elements_requested {
+ let (i, j) = indices[k];
+ update_matrix(
+ matrix,
+ i as usize,
+ j as usize,
+ PolynomialRingElement::::from_i32_array(&tmp_stack[k]),
+ );
+ }
+
+ ()
 }
 #[inline(always)]
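Review bot: The trailing `+ ()` after the write-back loop is a no-op expression statement in a unit-returning function and should be dropped. The loop's `let (i, j) = indices[k];` is only safe because `elements_requested <= 4` was checked by a `debug_assert!` earlier in the function; iterating `indices.iter().zip(tmp_stack.iter()).take(elements_requested)` would remove the runtime-indexed access and the release-mode panic path altogether. The function starts outside this hunk.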
@@ -497,20 +521,45 @@ mod tests {
 simd::{self, traits::Operations},
 };
- // This is just a wrapper around sample_four_ring_elements, for testing
- // purposes.
- fn sample_ring_element_uniform(
+ fn sample_ring_element_uniform(
 seed: [u8; 34],
 ) -> PolynomialRingElement {
- let four_ring_elements = sample_four_ring_elements::(
- seed,
- ((seed[33] as u16) << 8) | (seed[32] as u16),
- 0,
- 0,
- 0,
+ let mut rand_stack = (
+ [0u8; shake128::FIVE_BLOCKS_SIZE],
+ [0u8; shake128::FIVE_BLOCKS_SIZE],
+ [0u8; shake128::FIVE_BLOCKS_SIZE],
+ [0u8; shake128::FIVE_BLOCKS_SIZE],
 );
- four_ring_elements.0
+ let dummy_input = [0u8; 34];
+ let mut state = Shake128::init_absorb(&seed, &dummy_input, &dummy_input, &dummy_input);
+ state.squeeze_first_five_blocks(
+ &mut rand_stack.0,
+ &mut rand_stack.1,
+ &mut rand_stack.2,
+ &mut rand_stack.3,
+ );
+ let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]];
+ let mut sampled = 0;
+
+ let mut done = rejection_sample_less_than_field_modulus::(
+ &mut rand_stack.0,
+ &mut sampled,
+ &mut tmp_stack[0],
+ );
+
+ while !done {
+ let randomnesses = state.squeeze_next_block();
+ if !done {
+ done = rejection_sample_less_than_field_modulus::(
+ &randomnesses.0,
+ &mut sampled,
+ &mut tmp_stack[0],
+ );
+ }
+ }
+
+ PolynomialRingElement::::from_i32_array(&tmp_stack[0])
 }
 // This is just a wrapper around sample_four_ring_elements, for testing
@@ -570,7 +619,7 @@ mod tests {
 ];
 assert_eq!(
- sample_ring_element_uniform::(seed).to_i32_array(),
+ sample_ring_element_uniform::(seed).to_i32_array(),
 expected_coefficients
 );
@@ -584,7 +633,8 @@ mod tests {
 0xB1, 0x83, 0x9B, 0x86, 0x06, 0xF5, 0x94, 0x8B, 0x9D, 0x72, 0xA9, 0x56, 0xDC, 0xF1, 0x01, 0x16, 0xDA, 0x9E, 0x01, 0x00,
 ];
- let actual_coefficients = sample_ring_element_uniform::(seed).to_i32_array();
+ let actual_coefficients =
+ sample_ring_element_uniform::(seed).to_i32_array();
 assert_eq!(actual_coefficients[0], 1_165_602);
 assert_eq!(
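Review bot: The rewritten `sample_ring_element_uniform` test helper re-implements the absorb/squeeze/rejection loop itself instead of calling the production `sample_up_to_four_ring_elements`, so the known-answer checks in the `@@ -570` and `@@ -584` hunks now validate the test's private copy rather than the code this commit changes; calling the real function with `indices[0] = (seed[33], seed[32])` (the domain separator the old helper passed), a matrix sized to hold that index and `elements_requested = 1`, then reading the element back, would keep the KAT meaningful. Two smaller points: the `if !done` inside `while !done` is always true, and `&mut rand_stack.0` is passed where the loop below shows a shared `&` suffices. The trailing context comment `// This is just a wrapper around sample_four_ring_elements, for testing` still names the function this commit removes.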
diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs
index edf06d13c..ddcf0ac40 100644
--- a/libcrux-ml-dsa/src/samplex4.rs
+++ b/libcrux-ml-dsa/src/samplex4.rs
@@ -1,35 +1,25 @@
 use crate::{
- hash_functions::shake256,
+ hash_functions::{shake128, shake256},
 polynomial::PolynomialRingElement,
- sample::{sample_four_error_ring_elements, sample_four_ring_elements},
+ sample::{sample_four_error_ring_elements, sample_up_to_four_ring_elements, Matrix},
 simd::traits::Operations,
 };
-#[inline(always)]
-fn generate_domain_separator(row: u8, column: u8) -> u16 {
- (column as u16) | ((row as u16) << 8)
-}
-
-// Doing deep updates like `a[1][1] = 3` causes a memory blowup in F*
-// https://github.com/hacspec/hax/issues/1098
-// So we are instead using a matrix abstraction with a custom update function here.
-
-type Matrix =
- [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A];
-
-fn update_matrix(
- m: &mut Matrix,
- i: usize,
- j: usize,
- v: PolynomialRingElement,
-) {
- m[i][j] = v;
+/// The x4 sampling implementation that is selected during multiplexing.
+pub(crate) trait X4Sampler {
+ /// Sample the matrix A using platform specific implementation.
+ #[allow(non_snake_case)]
+ fn matrix_A(
+ seed: [u8; 34],
+ ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A];
 }
 #[allow(non_snake_case)]
 #[inline(always)]
+#[cfg(feature = "mldsa44")]
 pub(crate) fn matrix_A_4_by_4<
 SIMDUnit: Operations,
+ Shake128: shake128::XofX4,
 const ROWS_IN_A: usize,
 const COLUMNS_IN_A: usize,
 >(
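Review bot: `matrix_A_4_by_4` is now gated on `#[cfg(feature = "mldsa44")]` (and `matrix_A_6_by_5` on `mldsa65` in the next hunk), but the `(4, 4)` / `(6, 5)` / `(8, 7)` match in `matrix_A_generic` that dispatches to them lies outside this hunk; unless those arms carry the same `cfg`, a build with only one parameter-set feature enabled will fail to resolve the gated function, so this is worth confirming. The new `X4Sampler` trait would also benefit from stating its contract, since the result is part of the wire-level agreement between signer and verifier: `/// `seed` is the public matrix seed; every implementation must return the same matrix for the same seed.`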
@@ -38,61 +28,66 @@ pub(crate) fn matrix_A_4_by_4<
 let mut A: Matrix =
 [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A];
- let four_ring_elements = sample_four_ring_elements::(
+ let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+ let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+ let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+ let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE];
+ let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]];
+
+ sample_up_to_four_ring_elements::(
 seed,
- generate_domain_separator(0, 0),
- generate_domain_separator(0, 1),
- generate_domain_separator(0, 2),
- generate_domain_separator(0, 3),
+ &mut A,
+ &mut rand_stack0,
+ &mut rand_stack1,
+ &mut rand_stack2,
+ &mut rand_stack3,
+ &mut tmp_stack,
+ &[(0, 0), (0, 1), (0, 2), (0, 3)],
+ 4,
 );
- update_matrix(&mut A, 0, 0, four_ring_elements.0);
- update_matrix(&mut A, 0, 1, four_ring_elements.1);
- update_matrix(&mut A, 0, 2, four_ring_elements.2);
- update_matrix(&mut A, 0, 3, four_ring_elements.3);
-
- let four_ring_elements = sample_four_ring_elements::(
+ sample_up_to_four_ring_elements::(
 seed,
- generate_domain_separator(1, 0),
- generate_domain_separator(1, 1),
- generate_domain_separator(1, 2),
- generate_domain_separator(1, 3),
+ &mut A,
+ &mut rand_stack0,
+ &mut rand_stack1,
+ &mut rand_stack2,
+ &mut rand_stack3,
+ &mut tmp_stack,
+ &[(1, 0), (1, 1), (1, 2), (1, 3)],
+ 4,
 );
- update_matrix(&mut A, 1, 0, four_ring_elements.0);
- update_matrix(&mut A, 1, 1, four_ring_elements.1);
- update_matrix(&mut A, 1, 2, four_ring_elements.2);
- update_matrix(&mut A, 1, 3, four_ring_elements.3);
-
- let four_ring_elements = sample_four_ring_elements::(
+ sample_up_to_four_ring_elements::(
 seed,
- generate_domain_separator(2, 0),
- generate_domain_separator(2, 1),
- generate_domain_separator(2, 2),
- generate_domain_separator(2, 3),
+ &mut A,
+ &mut rand_stack0,
+ &mut rand_stack1,
+ &mut rand_stack2,
+ &mut rand_stack3,
+ &mut tmp_stack,
+ &[(2, 0), (2, 1), (2, 2), (2, 3)],
+ 4,
 );
- update_matrix(&mut A, 2, 0, four_ring_elements.0);
- update_matrix(&mut A, 2, 1, four_ring_elements.1);
- update_matrix(&mut A, 2, 2, four_ring_elements.2);
- update_matrix(&mut A, 2, 3, four_ring_elements.3);
-
- let four_ring_elements = sample_four_ring_elements::(
+ sample_up_to_four_ring_elements::(
 seed,
- generate_domain_separator(3, 0),
- generate_domain_separator(3, 1),
- generate_domain_separator(3, 2),
- generate_domain_separator(3, 3),
+ &mut A,
+ &mut rand_stack0,
+ &mut rand_stack1,
+ &mut rand_stack2,
+ &mut rand_stack3,
+ &mut tmp_stack,
+ &[(3, 0), (3, 1), (3, 2), (3, 3)],
+ 4,
 );
- update_matrix(&mut A, 3, 0, four_ring_elements.0);
- update_matrix(&mut A, 3, 1, four_ring_elements.1);
- update_matrix(&mut A, 3, 2, four_ring_elements.2);
- update_matrix(&mut A, 3, 3, four_ring_elements.3);
 A
 }
 #[allow(non_snake_case)]
 #[inline(always)]
+#[cfg(feature = "mldsa65")]
 pub(crate) fn matrix_A_6_by_5<
 SIMDUnit: Operations,
+ Shake128: shake128::XofX4,
 const ROWS_IN_A: usize,
 const COLUMNS_IN_A: usize,
 >(
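Review bot: `rand_stack0..3` and `tmp_stack` are carried across the four `sample_up_to_four_ring_elements` calls without being cleared, so correctness of rows 1–3 depends on each call overwriting every entry of `tmp_stack[k]` that `from_i32_array` reads; the comment in `sample.rs` says rejection sampling may stop anywhere up to 255 + 8 entries, so entries past the 256th can be left over from the previous row. If `from_i32_array` reads only the first 256 entries that is fine, but the invariant is worth a comment at the buffer declarations, e.g. `// Scratch buffers reused across rows; every call overwrites all entries that from_i32_array consumes.` The four calls differ only in the row index and could collapse into a `for row in 0..4u8` loop, though the unrolled form may be deliberate for the hax extraction.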
@@ -100,107 +95,112 @@ pub(crate) fn matrix_A_6_by_5< ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { let mut A = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; - let four_ring_elements = sample_four_ring_elements::( + let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]]; + + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(0, 0), - generate_domain_separator(0, 1), - generate_domain_separator(0, 2), - generate_domain_separator(0, 3), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(0, 0), (0, 1), (0, 2), (0, 3)], + 4, ); - update_matrix(&mut A, 0, 0, four_ring_elements.0); - update_matrix(&mut A, 0, 1, four_ring_elements.1); - update_matrix(&mut A, 0, 2, four_ring_elements.2); - update_matrix(&mut A, 0, 3, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(0, 4), - generate_domain_separator(1, 0), - generate_domain_separator(1, 1), - generate_domain_separator(1, 2), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(0, 4), (1, 0), (1, 1), (1, 2)], + 4, ); - update_matrix(&mut A, 0, 4, four_ring_elements.0); - update_matrix(&mut A, 1, 0, four_ring_elements.1); - update_matrix(&mut A, 1, 1, four_ring_elements.2); - update_matrix(&mut A, 1, 2, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(1, 3), - generate_domain_separator(1, 4), - generate_domain_separator(2, 0), - generate_domain_separator(2, 1), + &mut A, + &mut rand_stack0, + &mut 
rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(1, 3), (1, 4), (2, 0), (2, 1)], + 4, ); - update_matrix(&mut A, 1, 3, four_ring_elements.0); - update_matrix(&mut A, 1, 4, four_ring_elements.1); - update_matrix(&mut A, 2, 0, four_ring_elements.2); - update_matrix(&mut A, 2, 1, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(2, 2), - generate_domain_separator(2, 3), - generate_domain_separator(2, 4), - generate_domain_separator(3, 0), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(2, 2), (2, 3), (2, 4), (3, 0)], + 4, ); - update_matrix(&mut A, 2, 2, four_ring_elements.0); - update_matrix(&mut A, 2, 3, four_ring_elements.1); - update_matrix(&mut A, 2, 4, four_ring_elements.2); - update_matrix(&mut A, 3, 0, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(3, 1), - generate_domain_separator(3, 2), - generate_domain_separator(3, 3), - generate_domain_separator(3, 4), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(3, 1), (3, 2), (3, 3), (3, 4)], + 4, ); - update_matrix(&mut A, 3, 1, four_ring_elements.0); - update_matrix(&mut A, 3, 2, four_ring_elements.1); - update_matrix(&mut A, 3, 3, four_ring_elements.2); - update_matrix(&mut A, 3, 4, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(4, 0), - generate_domain_separator(4, 1), - generate_domain_separator(4, 2), - generate_domain_separator(4, 3), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(4, 0), (4, 1), (4, 2), (4, 3)], + 4, ); - update_matrix(&mut A, 4, 0, four_ring_elements.0); - 
update_matrix(&mut A, 4, 1, four_ring_elements.1); - update_matrix(&mut A, 4, 2, four_ring_elements.2); - update_matrix(&mut A, 4, 3, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(4, 4), - generate_domain_separator(5, 0), - generate_domain_separator(5, 1), - generate_domain_separator(5, 2), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(4, 4), (5, 0), (5, 1), (5, 2)], + 4, ); - update_matrix(&mut A, 4, 4, four_ring_elements.0); - update_matrix(&mut A, 5, 0, four_ring_elements.1); - update_matrix(&mut A, 5, 1, four_ring_elements.2); - update_matrix(&mut A, 5, 2, four_ring_elements.3); - // The the last 2 sampled ring elements are discarded here. - let four_ring_elements = sample_four_ring_elements::( + // The last 2 sampled ring elements are discarded here. + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(5, 3), - generate_domain_separator(5, 4), - generate_domain_separator(5, 5), - generate_domain_separator(5, 6), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(5, 3), (5, 4), (5, 5), (5, 6)], + 2, ); - update_matrix(&mut A, 5, 3, four_ring_elements.0); - update_matrix(&mut A, 5, 4, four_ring_elements.1); A } + #[allow(non_snake_case)] #[inline(always)] +#[cfg(feature = "mldsa87")] pub(crate) fn matrix_A_8_by_7< SIMDUnit: Operations, + Shake128: shake128::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( 
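Review bot: The last call in matrix_A_6_by_5 passes `(5, 5)` and `(5, 6)` as (row, column) pairs that lie outside a 6×5 matrix, and only the trailing `2` keeps them from being written into `A`; that invariant is implicit and the callee is not in this diff, so a wrong count there would be an out-of-bounds index on the matrix rather than a type error. I would make the kept comment carry the contract: `// Only (5, 3) and (5, 4) are valid positions in a 6x5 A; (5, 5) and (5, 6) merely keep all four XOF lanes busy, and the count of 2 tells sample_up_to_four_ring_elements to store only the first two results.` The same two-element tail pattern does not occur in the 4×4 or 8×7 functions, so this is the only place the count differs from 4 and worth calling out. matrix_A_6_by_5's signature is in the previous hunk, so the function starts outside this one.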
@@ -208,185 +208,277 @@ pub(crate) fn matrix_A_8_by_7< ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { let mut A = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; - let four_ring_elements = sample_four_ring_elements::( + let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]]; + + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(0, 0), - generate_domain_separator(0, 1), - generate_domain_separator(0, 2), - generate_domain_separator(0, 3), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(0, 0), (0, 1), (0, 2), (0, 3)], + 4, ); - update_matrix(&mut A, 0, 0, four_ring_elements.0); - update_matrix(&mut A, 0, 1, four_ring_elements.1); - update_matrix(&mut A, 0, 2, four_ring_elements.2); - update_matrix(&mut A, 0, 3, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(0, 4), - generate_domain_separator(0, 5), - generate_domain_separator(0, 6), - generate_domain_separator(1, 0), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(0, 4), (0, 5), (0, 6), (1, 0)], + 4, ); - update_matrix(&mut A, 0, 4, four_ring_elements.0); - update_matrix(&mut A, 0, 5, four_ring_elements.1); - update_matrix(&mut A, 0, 6, four_ring_elements.2); - update_matrix(&mut A, 1, 0, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(1, 1), - generate_domain_separator(1, 2), - generate_domain_separator(1, 3), - generate_domain_separator(1, 4), + &mut A, + &mut rand_stack0, + &mut 
rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(1, 1), (1, 2), (1, 3), (1, 4)], + 4, ); - update_matrix(&mut A, 1, 1, four_ring_elements.0); - update_matrix(&mut A, 1, 2, four_ring_elements.1); - update_matrix(&mut A, 1, 3, four_ring_elements.2); - update_matrix(&mut A, 1, 4, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(1, 5), - generate_domain_separator(1, 6), - generate_domain_separator(2, 0), - generate_domain_separator(2, 1), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(1, 5), (1, 6), (2, 0), (2, 1)], + 4, ); - update_matrix(&mut A, 1, 5, four_ring_elements.0); - update_matrix(&mut A, 1, 6, four_ring_elements.1); - update_matrix(&mut A, 2, 0, four_ring_elements.2); - update_matrix(&mut A, 2, 1, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(2, 2), - generate_domain_separator(2, 3), - generate_domain_separator(2, 4), - generate_domain_separator(2, 5), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(2, 2), (2, 3), (2, 4), (2, 5)], + 4, ); - update_matrix(&mut A, 2, 2, four_ring_elements.0); - update_matrix(&mut A, 2, 3, four_ring_elements.1); - update_matrix(&mut A, 2, 4, four_ring_elements.2); - update_matrix(&mut A, 2, 5, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(2, 6), - generate_domain_separator(3, 0), - generate_domain_separator(3, 1), - generate_domain_separator(3, 2), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(2, 6), (3, 0), (3, 1), (3, 2)], + 4, ); - update_matrix(&mut A, 2, 6, four_ring_elements.0); - 
update_matrix(&mut A, 3, 0, four_ring_elements.1); - update_matrix(&mut A, 3, 1, four_ring_elements.2); - update_matrix(&mut A, 3, 2, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(3, 3), - generate_domain_separator(3, 4), - generate_domain_separator(3, 5), - generate_domain_separator(3, 6), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(3, 3), (3, 4), (3, 5), (3, 6)], + 4, ); - update_matrix(&mut A, 3, 3, four_ring_elements.0); - update_matrix(&mut A, 3, 4, four_ring_elements.1); - update_matrix(&mut A, 3, 5, four_ring_elements.2); - update_matrix(&mut A, 3, 6, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(4, 0), - generate_domain_separator(4, 1), - generate_domain_separator(4, 2), - generate_domain_separator(4, 3), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(4, 0), (4, 1), (4, 2), (4, 3)], + 4, ); - update_matrix(&mut A, 4, 0, four_ring_elements.0); - update_matrix(&mut A, 4, 1, four_ring_elements.1); - update_matrix(&mut A, 4, 2, four_ring_elements.2); - update_matrix(&mut A, 4, 3, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(4, 4), - generate_domain_separator(4, 5), - generate_domain_separator(4, 6), - generate_domain_separator(5, 0), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(4, 4), (4, 5), (4, 6), (5, 0)], + 4, ); - update_matrix(&mut A, 4, 4, four_ring_elements.0); - update_matrix(&mut A, 4, 5, four_ring_elements.1); - update_matrix(&mut A, 4, 6, four_ring_elements.2); - update_matrix(&mut A, 5, 0, four_ring_elements.3); - - let 
four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(5, 1), - generate_domain_separator(5, 2), - generate_domain_separator(5, 3), - generate_domain_separator(5, 4), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(5, 1), (5, 2), (5, 3), (5, 4)], + 4, ); - update_matrix(&mut A, 5, 1, four_ring_elements.0); - update_matrix(&mut A, 5, 2, four_ring_elements.1); - update_matrix(&mut A, 5, 3, four_ring_elements.2); - update_matrix(&mut A, 5, 4, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(5, 5), - generate_domain_separator(5, 6), - generate_domain_separator(6, 0), - generate_domain_separator(6, 1), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(5, 5), (5, 6), (6, 0), (6, 1)], + 4, ); - update_matrix(&mut A, 5, 5, four_ring_elements.0); - update_matrix(&mut A, 5, 6, four_ring_elements.1); - update_matrix(&mut A, 6, 0, four_ring_elements.2); - update_matrix(&mut A, 6, 1, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(6, 2), - generate_domain_separator(6, 3), - generate_domain_separator(6, 4), - generate_domain_separator(6, 5), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(6, 2), (6, 3), (6, 4), (6, 5)], + 4, ); - update_matrix(&mut A, 6, 2, four_ring_elements.0); - update_matrix(&mut A, 6, 3, four_ring_elements.1); - update_matrix(&mut A, 6, 4, four_ring_elements.2); - update_matrix(&mut A, 6, 5, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(6, 6), - generate_domain_separator(7, 0), - 
generate_domain_separator(7, 1), - generate_domain_separator(7, 2), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(6, 6), (7, 0), (7, 1), (7, 2)], + 4, ); - update_matrix(&mut A, 6, 6, four_ring_elements.0); - update_matrix(&mut A, 7, 0, four_ring_elements.1); - update_matrix(&mut A, 7, 1, four_ring_elements.2); - update_matrix(&mut A, 7, 2, four_ring_elements.3); - - let four_ring_elements = sample_four_ring_elements::( + sample_up_to_four_ring_elements::( seed, - generate_domain_separator(7, 3), - generate_domain_separator(7, 4), - generate_domain_separator(7, 5), - generate_domain_separator(7, 6), + &mut A, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(7, 3), (7, 4), (7, 5), (7, 6)], + 4, ); - update_matrix(&mut A, 7, 3, four_ring_elements.0); - update_matrix(&mut A, 7, 4, four_ring_elements.1); - update_matrix(&mut A, 7, 5, four_ring_elements.2); - update_matrix(&mut A, 7, 6, four_ring_elements.3); A } + +pub(crate) mod portable { + use super::*; + + pub(crate) struct PortableSampler {} + impl X4Sampler for PortableSampler { + #[inline(always)] + fn matrix_A( + seed: [u8; 34], + ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { + matrix_A_generic::< + SIMDUnit, + crate::hash_functions::portable::Shake128X4, + ROWS_IN_A, + COLUMNS_IN_A, + >(seed) + } + } +} + +#[cfg(feature = "simd128")] +pub(crate) mod neon { + use super::*; + + pub(crate) struct NeonSampler {} + impl X4Sampler for NeonSampler { + #[inline(always)] + fn matrix_A( + seed: [u8; 34], + ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { + matrix_A_generic::< + SIMDUnit, + crate::hash_functions::neon::Shake128x4, + ROWS_IN_A, + COLUMNS_IN_A, + >(seed) + } + } +} + +#[cfg(feature = "simd256")] +pub(crate) mod avx2 { + use super::*; + + pub(crate) struct AVX2Sampler {} + impl X4Sampler for AVX2Sampler { + #[inline(always)] + #[allow(unsafe_code)] + fn matrix_A( + 
seed: [u8; 34], + ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { + unsafe { matrix_A_avx2(seed) } + } + } + + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + #[allow(non_snake_case)] + pub(crate) unsafe fn matrix_A_avx2< + SIMDUnit: Operations, + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + >( + seed: [u8; 34], + ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { + match (ROWS_IN_A as u8, COLUMNS_IN_A as u8) { + #[cfg(feature = "mldsa44")] + (4, 4) => matrix_A_4_by_4::< + SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + ROWS_IN_A, + COLUMNS_IN_A, + >(seed), + #[cfg(feature = "mldsa65")] + (6, 5) => matrix_A_6_by_5::< + SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + ROWS_IN_A, + COLUMNS_IN_A, + >(seed), + #[cfg(feature = "mldsa87")] + (8, 7) => matrix_A_8_by_7::< + SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + ROWS_IN_A, + COLUMNS_IN_A, + >(seed), + _ => unreachable!(), + } + } +} + #[allow(non_snake_case)] -#[inline(always)] -pub(crate) fn matrix_A( +pub(crate) fn matrix_A_generic< + SIMDUnit: Operations, + Shake128: shake128::XofX4, + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, +>( seed: [u8; 34], ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { match (ROWS_IN_A as u8, COLUMNS_IN_A as u8) { - (4, 4) => matrix_A_4_by_4::(seed), - (6, 5) => matrix_A_6_by_5::(seed), - (8, 7) => matrix_A_8_by_7::(seed), + #[cfg(feature = "mldsa44")] + (4, 4) => matrix_A_4_by_4::(seed), + #[cfg(feature = "mldsa65")] + (6, 5) => matrix_A_6_by_5::(seed), + #[cfg(feature = "mldsa87")] + (8, 7) => matrix_A_8_by_7::(seed), _ => unreachable!(), } } diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst index 0451136c0..a740de583 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst 
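Review bot: The `unsafe { matrix_A_avx2(seed) }` block in `AVX2Sampler::matrix_A` has no `// SAFETY:` comment, and `matrix_A_avx2` — `unsafe` only because of `target_feature(enable = "avx2")` — has no doc comment stating that the CPU must support AVX2; nothing in this hunk checks that, so the guarantee must come from whatever selects `avx2::AVX2Sampler` (presumably a runtime platform-detection layer outside this file). I would add on the function `/// # Safety` followed by `/// The caller must ensure the running CPU supports AVX2; this sampler is meant to be selected only after runtime feature detection.`, and on the call site `// SAFETY: AVX2Sampler is only chosen after AVX2 has been detected at runtime.` The `_ => unreachable!()` arms in both `matrix_A_avx2` and `matrix_A_generic` now also cover parameter sets that were compiled out by the new `#[cfg(feature = "mldsa44"|"mldsa65"|"mldsa87")]` gates, so a build with a subset of features panics at runtime instead of failing to compile if a caller requests a gated size; whether the `X4Sampler` call sites are gated the same way is not visible here. Minor: the portable XOF type is referenced as `Shake128X4` while the neon and simd256 ones are `Shake128x4`; if those names are new, aligning the casing would help.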
@@ -1,5 +1,5 @@ module Libcrux_platform.Platform -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti index e8713dad5..95dad6932 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti @@ -1,5 +1,5 @@ module Libcrux_platform.Platform -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst index 4284c4102..2ddf180ff 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst @@ -1,5 +1,5 @@ module Libcrux_platform.X86 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti index d7c15a880..0c9c90e71 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti @@ -1,5 +1,5 @@ module Libcrux_platform.X86 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul